Analysis Overview
SHA256
8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2
Threat Level: Known bad
The file 75bff99becc32bcbe56efbe7a75f4d45 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Modifies WinLogon for persistence
BitRAT
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-26 14:31
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-26 14:31
Reported
2024-01-06 17:11
Platform
win10v2004-20231222-en
Max time kernel
68s
Max time network
150s
Command Line
Signatures
BitRAT
Detect ZGRat V1
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"," | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
ZGRat
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3964 set thread context of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
Network
Files
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
| MD5 | 0e446396fd3c299b95b794aec2077117 |
| SHA1 | bb28a267c961f1622b7fa1e04d1df18ca1ee972b |
| SHA256 | 58352b3b696cd3a07bedaff56a48b5db22e5c422e322afc618cd1639d60a9b78 |
| SHA512 | 00da19eca34be929df372a6fde4ca30754ecb564e073f31cc5b84d338709d9924648e024c746a5503e24d5b981f09e9e7c216f7d82a2d008c9dec94b197238cf |
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
| MD5 | d419208b068da7a37fe174a4263ad261 |
| SHA1 | 5b63a0702f776badf7a537d45cd70587e63cc371 |
| SHA256 | 76bb4127b93115d6602a34de34e1f43dd22777ea86f6bc6ed0b4f344f1592d54 |
| SHA512 | ca5581b9789be8d7f05f23985cbcdd1d40b8395056cfab70db4efbb856096df80a2e067bbb7cb895a9cadd000838f53c9495fe942db7c32e801734ee26ff47fb |
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll
| MD5 | 0e959da0ee1d91809cff6a912bea97c0 |
| SHA1 | d055e9390d1dfcda415b3dee872d2e9e24728e48 |
| SHA256 | d355fdfd092ce8cf54554630c912564f2116db71a44bc3c7533dc112bea75f38 |
| SHA512 | e4ce340c1a5fb24396b0d761b6adfc31dbd0d3b6eb62cf3060ed2a327a57ae15bf0de7761a4a7b62c4b699468c8fba1041f06775412afe0a0dec67da27ecd016 |
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdesc-consensus.tmp
| MD5 | 48e5c7eb975dee05f7b3b773d7d1240c |
| SHA1 | 37d46708c4b7294ee03448c28b115efa28bc74ae |
| SHA256 | b920b3807ccbc52da87de3e8b9acd37d7a5ff265f3e55029dfabbb9307db8eba |
| SHA512 | c22806fe31225e52cccf9eab984ce9ea5a5d50fda5def9a1a74acaa4659fed2e4b3b361d9810b96dc8a0eec42a5ce7fdb5d8a5bfc49c94069a3b4554ca690846 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-26 14:31
Reported
2024-01-06 17:11
Platform
win7-20231215-en
Max time kernel
77s
Max time network
153s
Command Line
Signatures
BitRAT
Detect ZGRat V1
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"," | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
ZGRat
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2164 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
Network
Files
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
| MD5 | d419208b068da7a37fe174a4263ad261 |
| SHA1 | 5b63a0702f776badf7a537d45cd70587e63cc371 |
| SHA256 | 76bb4127b93115d6602a34de34e1f43dd22777ea86f6bc6ed0b4f344f1592d54 |
| SHA512 | ca5581b9789be8d7f05f23985cbcdd1d40b8395056cfab70db4efbb856096df80a2e067bbb7cb895a9cadd000838f53c9495fe942db7c32e801734ee26ff47fb |