Malware Analysis Report

2025-01-03 05:02

Sample ID 231226-rvqlfaggh3
Target 75bff99becc32bcbe56efbe7a75f4d45
SHA256 8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2
Tags
bitrat zgrat persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

Threat Level: Known bad

The file 75bff99becc32bcbe56efbe7a75f4d45 was found to be: Known bad.

Malicious Activity Summary

bitrat zgrat persistence rat trojan upx

Detect ZGRat V1

ZGRat

Modifies WinLogon for persistence

BitRAT

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Techniques supported by the signatures in this report:

T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL (Winlogon\Shell rewritten to also launch %APPDATA%\svchost.exe)
T1036.005 Masquerading: Match Legitimate Name or Location (a file named svchost.exe dropped to %APPDATA%, outside System32)
T1055.012 Process Injection: Process Hollowing (WriteProcessMemory and SetThreadContext from the first instance of the sample into a second instance of the same image)
T1027.002 Obfuscated Files or Information: Software Packing (UPX and ACProtect signatures)
T1622 Debugger Evasion (NtSetInformationThread with ThreadHideFromDebugger)
T1057 Process Discovery (EnumeratesProcesses)
T1090.003 Proxy: Multi-hop Proxy (dropped Tor client started as WinSock.exe -f torrc, connecting to relays and directory authorities on 9001, 9101 and 443)

Analysis: static1

Detonation Overview

Reported

2023-12-26 14:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 14:31

Reported

2024-01-06 17:11

Platform

win10v2004-20231222-en

Max time kernel

68s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"

Signatures

BitRAT

trojan bitrat

Detect ZGRat V1

Description Indicator Process Target
(34 rows, every field N/A: the export records a match count but no description, indicator, process or target)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"," C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A
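The row above is the report's single persistence indicator. \REGISTRY\USER\<SID> is the HKCU hive of the sandbox user (the SID ends in -1000, the first local account), and the Shell value has been changed from its default, explorer.exe, to a list that also launches a file named svchost.exe from %APPDATA%, a name that only belongs in System32 (ATT&CK T1547.004 and T1036.005). The Python below is an added example, not sandbox or malware code: it parses the indicator exactly as printed, undoes the JSON-style escaping the sandbox applies to the value, splits the comma-separated Shell list quote-aware (the dropped path is quoted), and reports the rogue entry, the name masquerade and the value to restore. The BENIGN line is constructed for comparison.

```python
"""Triage a Winlogon\\Shell 'Set value' indicator from a sandbox report.

Added example for this report (not sandbox or malware code). INDICATOR is
copied from the behavioral2 run; BENIGN is constructed.
"""
import csv
import json
import ntpath
import re

DEFAULT_SHELL = "explorer.exe"                      # the only default Shell entry
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binaries that only run from SYSTEM_DIRS; the same name elsewhere is masquerading.
SYSTEM_ONLY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Copied from the report. The sandbox prints the value JSON-escaped (\\ and \").
INDICATOR = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000'
    r'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = '
    r'"explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\","'
)
# Constructed clean machine-wide value for comparison.
BENIGN = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT'
          r'\CurrentVersion\Winlogon\Shell = "explorer.exe"')

INDICATOR_RE = re.compile(r'^Set value \((\w+)\) (.+?) = ("(?:[^"\\]|\\.)*")$')


def parse_indicator(line):
    """Split 'Set value (type) <kernel key path> = "<json string>"' into its parts."""
    m = INDICATOR_RE.match(line.strip())
    if not m:
        raise ValueError("not a Set value indicator: %r" % line)
    vtype, key_path, raw = m.groups()
    return vtype, key_path, json.loads(raw)      # raw is a JSON-escaped string


def hive_of(key_path):
    """Map the kernel path prefix to the hive a responder opens: HKLM, or HKU plus the SID."""
    parts = key_path.lstrip("\\").split("\\")
    if parts[0].upper() == "REGISTRY" and parts[1].upper() == "MACHINE":
        return "HKLM", None
    if parts[0].upper() == "REGISTRY" and parts[1].upper() == "USER":
        return "HKU", parts[2]                   # that user's HKCU while they are logged on
    return "?", None


def split_shell(value):
    """Shell is a comma-separated list; parse quote-aware and drop the empty trailing field."""
    return [f for f in next(csv.reader([value], skipinitialspace=True)) if f]


def assess_winlogon_shell(line):
    """Return what was written, which entries are not the default, and the clean value."""
    _vtype, key_path, value = parse_indicator(line)
    if not key_path.lower().endswith(r"\winlogon\shell"):
        raise ValueError("not a Winlogon\\Shell write: %s" % key_path)
    hive, sid = hive_of(key_path)
    entries = split_shell(value)
    rogue = [e for e in entries if e.lower() != DEFAULT_SHELL]
    masquerade = [e for e in rogue
                  if ntpath.basename(e).lower() in SYSTEM_ONLY_NAMES
                  and ntpath.dirname(e).lower() not in SYSTEM_DIRS]
    return {"hive": hive, "sid": sid, "entries": entries, "rogue": rogue,
            "masquerade": masquerade, "restore_to": DEFAULT_SHELL}


if __name__ == "__main__":
    for name, line in (("report", INDICATOR), ("benign", BENIGN)):
        print(name, assess_winlogon_shell(line))
```

On a live host the same value is read with Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell; an error saying the property does not exist is the clean state, because the machine default under HKLM then applies. Remediation is to delete the per-user value (or set it back to explorer.exe), remove %APPDATA%\svchost.exe, and check HKLM's Winlogon\Shell and Userinit as well, since the report only shows what this run wrote.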

ZGRat

rat zgrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(2 rows, every field N/A: the export records a match count but no details)

UPX packed file

upx
Description Indicator Process Target
(15 rows, every field N/A: the export records a match count but no details)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3964 set thread context of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 3964 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
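Read together, the three tables above describe one action: PID 3964, the first instance of the sample, writes into PID 3076 twelve times and then sets its thread context, and both processes run the same image. The Files section later lists a dumped region in 3076 at 0x400000-0xBD8000, the conventional preferred image base of a 32-bit PE. Write a payload into a freshly started copy of yourself, then redirect its thread with SetThreadContext, is the process-hollowing pattern (T1055.012); the sandbox's "Suspicious use of ..." signatures only record the individual calls, which debuggers and some legitimate loaders also make. The Python below is an added example, not the sandbox's own rule: it correlates the signature rows and dump file names as printed in this report and flags a pair only when both API families hit the same cross-process target. The rows are copied from this report; the twelve identical WriteProcessMemory rows are reproduced by repetition.

```python
"""Infer process hollowing from sandbox signature rows and memory-dump names.

Added example for this report (not the sandbox's own rule). SIG_ROWS and
MEM_ROWS are copied from the behavioral2 run; the twelve identical
WriteProcessMemory rows are reproduced by repetition.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"
STC_ROW = f"PID 3964 set thread context of 3076 N/A {SAMPLE} {SAMPLE}"
WPM_ROW = f"PID 3964 wrote to memory of 3076 N/A {SAMPLE} {SAMPLE}"
SIG_ROWS = "\n".join([STC_ROW] + [WPM_ROW] * 12)

MEM_ROWS = """
memory/3964-1-0x0000000000560000-0x0000000000C68000-memory.dmp
memory/3964-2441-0x0000000074870000-0x0000000075020000-memory.dmp
memory/3076-2442-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/3076-2444-0x0000000074780000-0x00000000747B9000-memory.dmp
memory/3076-2505-0x0000000000400000-0x0000000000BD8000-memory.dmp
"""

SIG_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Conventional preferred image base of a 32-bit PE, used as a heuristic (assumption);
# a relocated or 64-bit image would need the real ImageBase read from the dump.
IMAGE_BASE_32 = 0x400000


def parse_signature_rows(text):
    """One event per row: who wrote to / set the context of whom, and both image paths."""
    events = []
    for line in text.strip().splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        src, kind, dst, src_img, dst_img = m.groups()
        events.append({"src": int(src), "dst": int(dst),
                       "kind": "set_thread_context" if kind.startswith("set") else "write_process_memory",
                       "src_image": src_img, "dst_image": dst_img})
    return events


def parse_memory_dumps(text):
    """pid -> ordered list of distinct (start, end) ranges the sandbox dumped."""
    regions = defaultdict(list)
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        if (start, end) not in regions[pid]:      # the same range is dumped repeatedly
            regions[pid].append((start, end))
    return regions


def find_hollowing(events, regions):
    """Flag (source, target) pairs with both writes and a context set, cross-process only."""
    pairs = defaultdict(lambda: {"writes": 0, "context_sets": 0, "same_image": False})
    for e in events:
        if e["src"] == e["dst"]:
            continue                                # self-writes are not injection
        p = pairs[(e["src"], e["dst"])]
        p["writes" if e["kind"] == "write_process_memory" else "context_sets"] += 1
        p["same_image"] |= e["src_image"].lower() == e["dst_image"].lower()
    findings = []
    for (src, dst), p in sorted(pairs.items()):
        if not (p["writes"] and p["context_sets"]):
            continue                                # one API alone is what a debugger does too
        base = [r for r in regions.get(dst, []) if r[0] == IMAGE_BASE_32]
        findings.append({"source": src, "target": dst, "writes": p["writes"],
                         "context_sets": p["context_sets"], "same_image": p["same_image"],
                         "image_base_region": base[0] if base else None,
                         "technique": "T1055.012 Process Hollowing (pattern match)"})
    return findings


if __name__ == "__main__":
    for f in find_hollowing(parse_signature_rows(SIG_ROWS), parse_memory_dumps(MEM_ROWS)):
        print(f)
```

The dump of 3076 at the image base is the unpacked payload; it, not the UPX-packed dropper, is what the ZGRat and BitRAT rules are most likely matching, and it is the region to carve for configuration. The same pair appears in behavioral1 as 2164 writing into 1924 with an identical 0x400000-0xBD8000 region, which is why the finding is stable across both platforms.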

Processes

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe

"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
(the dropped Tor client under a misleading name; -f torrc makes it read its configuration from a file named torrc in the working directory)

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
BG 213.183.60.21:443 tcp
NL 192.87.28.82:9001 tcp
US 128.31.0.13:443 tcp
US 8.8.8.8:53 82.28.87.192.in-addr.arpa udp
RO 185.225.17.3:443 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 96.253.78.108:443 tcp
US 52.111.227.14:443 tcp
SE 193.11.114.43:9001 tcp
DE 193.23.244.244:443 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 66.206.0.138:443 tcp
PL 45.138.16.44:110 tcp
US 8.8.8.8:53 138.0.206.66.in-addr.arpa udp
US 8.8.8.8:53 44.16.138.45.in-addr.arpa udp
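Reading the table: the udp rows to 8.8.8.8:53 are DNS queries issued by the guest, and the in-addr.arpa names are reverse (PTR) lookups whose labels, read backwards, give the address being resolved. Three of them (82.28.87.192, 138.0.206.66 and 44.16.138.45) correspond to direct tcp connections in the same table: 192.87.28.82:9001, 66.206.0.138:443 and 45.138.16.44:110. The 9001 and 9101 endpoints and the directory-authority addresses 128.31.0.39 (moria1) and 193.23.244.244 (dannenberg) are the dropped Tor client bootstrapping, and the tse1.mm.bing.net rows are typical Windows background traffic that sandboxes capture unfiltered. The Python below is an added example, not part of the report or the sandbox: it parses a subset of the rows copied from above, reverses the PTR names, classifies each direct endpoint and correlates it with the PTR lookups. The directory-authority addresses are hardcoded from tor's src/app/config/auth_dirs.inc as known at the time of writing; treat that list as an assumption and refresh it from the current tor source.

```python
"""Correlate a sandbox Network table: PTR lookups vs. direct connections, Tor vs. rest.

Added example for this report (not sandbox output). NETWORK_TABLE is a subset
of the behavioral2 rows copied as printed.
"""
import ipaddress

NETWORK_TABLE = """
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 82.28.87.192.in-addr.arpa udp
US 8.8.8.8:53 138.0.206.66.in-addr.arpa udp
US 8.8.8.8:53 44.16.138.45.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
BG 213.183.60.21:443 tcp
NL 192.87.28.82:9001 tcp
US 128.31.0.39:9101 tcp
SE 193.11.114.43:9001 tcp
DE 193.23.244.244:443 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 66.206.0.138:443 tcp
PL 45.138.16.44:110 tcp
"""

# Ports Tor relays conventionally listen on (ORPort/DirPort defaults, moria1's 9101/9131).
TOR_PORTS = {9001, 9030, 9101, 9131}
# Directory authorities seen in this capture. Hardcoded from tor's
# src/app/config/auth_dirs.inc at the time of writing (assumption: verify against current source).
TOR_DIR_AUTHORITIES = {"128.31.0.39": "moria1", "86.59.21.38": "tor26",
                       "193.23.244.244": "dannenberg"}


def ptr_to_ip(name):
    """Reverse an IPv4 PTR name: '138.0.206.66.in-addr.arpa' -> '66.206.0.138'; else None."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    ipaddress.IPv4Address(ip)                 # raises on anything that is not an address
    return ip


def parse_network(text):
    """Rows are 'Country Destination [Domain] Proto'; the domain column is optional."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Classify direct TCP endpoints and note which ones the guest also reverse-resolved."""
    ptr_targets = {ip for ip in (ptr_to_ip(r["domain"]) for r in rows
                                 if r["proto"] == "udp" and r["domain"]) if ip}
    named = {r["ip"]: r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    direct = sorted({(r["ip"], r["port"]) for r in rows if r["proto"] == "tcp"})
    out = {"tor_like": [], "named": [], "unnamed": [], "ptr_correlated": []}
    for ip, port in direct:
        ep = f"{ip}:{port}"
        if ip in TOR_DIR_AUTHORITIES or port in TOR_PORTS:
            out["tor_like"].append(ep)            # Tor bootstrap / relay traffic
        elif ip in named:
            out["named"].append(f"{ep} ({named[ip]})")   # resolved by name, e.g. OS noise
        else:
            out["unnamed"].append(ep)             # bare IP, no Tor hallmark: pivot candidates
        if ip in ptr_targets:
            out["ptr_correlated"].append(ep)      # the guest reverse-resolved this peer
    return out


if __name__ == "__main__":
    for k, v in triage(parse_network(NETWORK_TABLE)).items():
        print(k, v)
```

What survives the triage, 213.183.60.21:443, 66.206.0.138:443 and 45.138.16.44:110, is the set to pivot on; the report does not say which of them, if any, is the BitRAT controller, and the Tor relay addresses differ between behavioral1 and behavioral2, so they are poor indicators on their own.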

Files

memory/3964-0-0x0000000074870000-0x0000000075020000-memory.dmp

memory/3964-2-0x0000000005CF0000-0x0000000006294000-memory.dmp

memory/3964-3-0x0000000005660000-0x00000000056F2000-memory.dmp

memory/3964-1-0x0000000000560000-0x0000000000C68000-memory.dmp

memory/3964-4-0x0000000005870000-0x0000000005880000-memory.dmp

memory/3964-5-0x0000000005700000-0x000000000570A000-memory.dmp

memory/3964-6-0x0000000074870000-0x0000000075020000-memory.dmp

memory/3964-7-0x0000000007E70000-0x0000000008390000-memory.dmp

memory/3964-8-0x00000000050E0000-0x0000000005162000-memory.dmp

memory/3964-18-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-34-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-50-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-66-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-72-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-70-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-68-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-64-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-62-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-60-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-58-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-56-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-54-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-52-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-48-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-293-0x0000000005870000-0x0000000005880000-memory.dmp

memory/3964-46-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-44-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-42-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-40-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-38-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-36-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-32-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-30-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-28-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-26-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-24-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-22-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-20-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-16-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-14-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-12-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-10-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-9-0x00000000050E0000-0x000000000515C000-memory.dmp

memory/3964-2441-0x0000000074870000-0x0000000075020000-memory.dmp

memory/3076-2442-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/3076-2444-0x0000000074780000-0x00000000747B9000-memory.dmp

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

MD5 0e446396fd3c299b95b794aec2077117
SHA1 bb28a267c961f1622b7fa1e04d1df18ca1ee972b
SHA256 58352b3b696cd3a07bedaff56a48b5db22e5c422e322afc618cd1639d60a9b78
SHA512 00da19eca34be929df372a6fde4ca30754ecb564e073f31cc5b84d338709d9924648e024c746a5503e24d5b981f09e9e7c216f7d82a2d008c9dec94b197238cf

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

MD5 d419208b068da7a37fe174a4263ad261
SHA1 5b63a0702f776badf7a537d45cd70587e63cc371
SHA256 76bb4127b93115d6602a34de34e1f43dd22777ea86f6bc6ed0b4f344f1592d54
SHA512 ca5581b9789be8d7f05f23985cbcdd1d40b8395056cfab70db4efbb856096df80a2e067bbb7cb895a9cadd000838f53c9495fe942db7c32e801734ee26ff47fb

(WinSock.exe is listed twice because it was captured at two points during the run; this second digest set also appears in behavioral1 and is the one to pivot on. The -f torrc command line, the libevent and libcrypto DLLs beside it and the data\cached-microdesc-consensus.tmp below, which is the network consensus a Tor client downloads while bootstrapping, identify it as a renamed Tor client rather than a Windows component; Windows ships no WinSock.exe.)

memory/1008-2476-0x0000000073B10000-0x0000000073B59000-memory.dmp

memory/1008-2484-0x0000000000690000-0x0000000000718000-memory.dmp

memory/1008-2489-0x00000000735A0000-0x000000007386F000-memory.dmp

memory/1008-2488-0x0000000073B60000-0x0000000073C28000-memory.dmp

memory/1008-2487-0x0000000001400000-0x00000000016CF000-memory.dmp

memory/1008-2482-0x0000000073870000-0x00000000738F8000-memory.dmp

memory/1008-2481-0x0000000073900000-0x0000000073A0A000-memory.dmp

memory/1008-2480-0x0000000073A10000-0x0000000073A34000-memory.dmp

memory/1008-2479-0x0000000073A40000-0x0000000073B0E000-memory.dmp

memory/1008-2472-0x0000000000FF0000-0x00000000013F4000-memory.dmp

C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of empty input: the sandbox hashed a zero-byte file, so they identify nothing and must not be used as indicators)

C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll

MD5 0e959da0ee1d91809cff6a912bea97c0
SHA1 d055e9390d1dfcda415b3dee872d2e9e24728e48
SHA256 d355fdfd092ce8cf54554630c912564f2116db71a44bc3c7533dc112bea75f38
SHA512 e4ce340c1a5fb24396b0d761b6adfc31dbd0d3b6eb62cf3060ed2a327a57ae15bf0de7761a4a7b62c4b699468c8fba1041f06775412afe0a0dec67da27ecd016

memory/3076-2496-0x0000000073190000-0x00000000731C9000-memory.dmp

memory/3076-2505-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1008-2507-0x0000000073B10000-0x0000000073B59000-memory.dmp

memory/1008-2506-0x0000000000FF0000-0x00000000013F4000-memory.dmp

memory/1008-2509-0x0000000000690000-0x0000000000718000-memory.dmp

memory/1008-2508-0x0000000073A40000-0x0000000073B0E000-memory.dmp

memory/3076-2534-0x0000000074340000-0x0000000074379000-memory.dmp

C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdesc-consensus.tmp

MD5 48e5c7eb975dee05f7b3b773d7d1240c
SHA1 37d46708c4b7294ee03448c28b115efa28bc74ae
SHA256 b920b3807ccbc52da87de3e8b9acd37d7a5ff265f3e55029dfabbb9307db8eba
SHA512 c22806fe31225e52cccf9eab984ce9ea5a5d50fda5def9a1a74acaa4659fed2e4b3b361d9810b96dc8a0eec42a5ce7fdb5d8a5bfc49c94069a3b4554ca690846

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 14:31

Reported

2024-01-06 17:11

Platform

win7-20231215-en

Max time kernel

77s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"

Signatures

BitRAT

trojan bitrat

Detect ZGRat V1

Description Indicator Process Target
(34 rows, every field N/A: the export records a match count but no description, indicator, process or target)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"," C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A

ZGRat

rat zgrat

UPX packed file

upx
Description Indicator Process Target
(32 rows, every field N/A: the export records a match count but no details)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2164 set thread context of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
PID 2164 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe

"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
(the dropped Tor client under a misleading name, started three times in this run; -f torrc makes it read its configuration from a file named torrc in the working directory)

Network

Country Destination Domain Proto
US 66.111.2.16:9001 tcp
US 50.7.74.171:9001 tcp
DE 178.254.7.88:8443 tcp
SK 85.248.227.164:9002 tcp
AT 86.59.21.38:443 tcp
FR 37.187.115.157:9001 tcp
GB 51.38.65.160:9001 tcp
FR 51.254.147.57:443 tcp
US 50.7.74.174:443 tcp
PL 54.37.139.118:9001 tcp
FR 51.254.96.208:9001 tcp

Files

memory/2164-1-0x0000000001000000-0x0000000001708000-memory.dmp

memory/2164-0-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2164-2-0x0000000005470000-0x00000000054B0000-memory.dmp

memory/2164-3-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2164-4-0x0000000009580000-0x0000000009AA0000-memory.dmp

memory/2164-5-0x0000000005470000-0x00000000054B0000-memory.dmp

memory/2164-6-0x0000000000750000-0x00000000007D2000-memory.dmp

memory/2164-7-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-20-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-34-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-42-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-56-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-68-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-70-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-66-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-64-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-62-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-60-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-58-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-54-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-52-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-50-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-48-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-46-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-44-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-40-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-38-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-36-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-32-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-30-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-28-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-26-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-24-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-22-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-18-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-16-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-14-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-12-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-10-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/2164-8-0x0000000000750000-0x00000000007CC000-memory.dmp

memory/1924-2455-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2164-2454-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2572-2476-0x0000000000830000-0x0000000000C34000-memory.dmp

memory/1924-2477-0x0000000004850000-0x0000000004C54000-memory.dmp

memory/1924-2475-0x0000000004850000-0x0000000004C54000-memory.dmp

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of empty input: the file was hashed before any bytes were written, so this entry identifies nothing; the completed file is the next entry)

\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

MD5 d419208b068da7a37fe174a4263ad261
SHA1 5b63a0702f776badf7a537d45cd70587e63cc371
SHA256 76bb4127b93115d6602a34de34e1f43dd22777ea86f6bc6ed0b4f344f1592d54
SHA512 ca5581b9789be8d7f05f23985cbcdd1d40b8395056cfab70db4efbb856096df80a2e067bbb7cb895a9cadd000838f53c9495fe942db7c32e801734ee26ff47fb
(identical to the WinSock.exe captured in behavioral2, so the dropped Tor client is the same file on both platforms)

memory/2572-2482-0x00000000749B0000-0x0000000074C7F000-memory.dmp

memory/2572-2486-0x00000000748E0000-0x00000000749A8000-memory.dmp

memory/2572-2483-0x0000000074F10000-0x0000000074F59000-memory.dmp

memory/2572-2489-0x00000000747D0000-0x00000000748DA000-memory.dmp

memory/2572-2497-0x0000000074E80000-0x0000000074F08000-memory.dmp

memory/1924-2502-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1924-2505-0x0000000004850000-0x0000000004C54000-memory.dmp

memory/2572-2504-0x00000000746D0000-0x00000000746F4000-memory.dmp

memory/2572-2503-0x0000000074700000-0x00000000747CE000-memory.dmp

memory/2572-2509-0x0000000000830000-0x0000000000C34000-memory.dmp

memory/2572-2518-0x00000000749B0000-0x0000000074C7F000-memory.dmp

memory/2572-2519-0x0000000074F10000-0x0000000074F59000-memory.dmp

memory/2572-2520-0x00000000748E0000-0x00000000749A8000-memory.dmp

memory/2572-2521-0x00000000747D0000-0x00000000748DA000-memory.dmp

memory/2572-2530-0x0000000074E80000-0x0000000074F08000-memory.dmp

memory/2572-2531-0x0000000074700000-0x00000000747CE000-memory.dmp

memory/1596-2569-0x0000000074F10000-0x0000000074F59000-memory.dmp

memory/1596-2573-0x00000000747D0000-0x00000000748DA000-memory.dmp

memory/1596-2576-0x0000000074E80000-0x0000000074F08000-memory.dmp

memory/2572-2578-0x0000000000830000-0x0000000000C34000-memory.dmp

memory/1596-2583-0x0000000000830000-0x0000000000C34000-memory.dmp

memory/1596-2590-0x0000000074700000-0x00000000747CE000-memory.dmp

memory/1596-2594-0x00000000747D0000-0x00000000748DA000-memory.dmp

memory/1596-2593-0x00000000748E0000-0x00000000749A8000-memory.dmp

memory/1596-2592-0x0000000074F10000-0x0000000074F59000-memory.dmp

memory/1596-2591-0x00000000749B0000-0x0000000074C7F000-memory.dmp

memory/1596-2589-0x0000000074E80000-0x0000000074F08000-memory.dmp

memory/1596-2580-0x00000000746D0000-0x00000000746F4000-memory.dmp

memory/1596-2577-0x0000000074700000-0x00000000747CE000-memory.dmp

memory/1596-2571-0x00000000748E0000-0x00000000749A8000-memory.dmp

memory/1596-2567-0x00000000749B0000-0x0000000074C7F000-memory.dmp

memory/1924-2557-0x0000000005710000-0x0000000005B14000-memory.dmp

memory/2588-2614-0x0000000074BB0000-0x0000000074C78000-memory.dmp

memory/2588-2618-0x0000000074F30000-0x0000000074F54000-memory.dmp

memory/2588-2619-0x00000000746E0000-0x00000000749AF000-memory.dmp

memory/2588-2617-0x0000000074610000-0x00000000746DE000-memory.dmp

memory/2588-2616-0x0000000074A10000-0x0000000074A98000-memory.dmp

memory/2588-2615-0x0000000074AA0000-0x0000000074BAA000-memory.dmp

memory/2588-2611-0x0000000074EC0000-0x0000000074F09000-memory.dmp

memory/2588-2610-0x0000000000EA0000-0x00000000012A4000-memory.dmp

memory/1924-2609-0x0000000005710000-0x0000000005B14000-memory.dmp

memory/1924-2630-0x0000000005710000-0x0000000005B14000-memory.dmp

memory/1924-2631-0x0000000005710000-0x0000000005B14000-memory.dmp