Malware Analysis Report

2024-10-18 21:10

Sample ID 240215-c16ghsfc23
Target 9cba67b5a3086744c0d4f831079b319b
SHA256 28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486
Tags
persistence bitrat trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486

Threat Level: Known bad

The file 9cba67b5a3086744c0d4f831079b319b was found to be: Known bad.

Malicious Activity Summary

persistence bitrat trojan upx

BitRAT

Modifies WinLogon for persistence

UPX packed file

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-02-15 02:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 02:33

Reported

2024-02-15 02:36

Platform

win7-20231215-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A (40 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe (4 identical rows)
PID 2224 wrote to memory of 1476 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 2492 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)
PID 2492 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)
PID 2492 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)
PID 2492 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)
PID 2492 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)
PID 2492 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)
PID 2492 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)
PID 2492 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)
PID 2492 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)
PID 2492 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (20 further instances of this process, listed without a command line)

Network

N/A

Files

memory/2492-0-0x00000000000D0000-0x00000000005F0000-memory.dmp

memory/2492-1-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/2492-2-0x0000000000980000-0x00000000009C0000-memory.dmp

memory/2492-3-0x00000000008A0000-0x00000000008AA000-memory.dmp

memory/2492-4-0x00000000008C0000-0x00000000008DE000-memory.dmp

memory/2492-5-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/2492-6-0x0000000000980000-0x00000000009C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs

MD5 ed6d432bdbf28ed6ac0cf59692f5e0fe
SHA1 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7
SHA256 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe
SHA512 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e

memory/2492-14-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/1476-15-0x0000000070920000-0x0000000070ECB000-memory.dmp

memory/1476-16-0x0000000070920000-0x0000000070ECB000-memory.dmp

memory/1476-17-0x0000000002650000-0x0000000002690000-memory.dmp

memory/1476-18-0x0000000002650000-0x0000000002690000-memory.dmp

memory/1476-19-0x0000000002650000-0x0000000002690000-memory.dmp

memory/1476-20-0x0000000070920000-0x0000000070ECB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 02:33

Reported

2024-02-15 02:36

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

Signatures

BitRAT

trojan bitrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A (11 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (29 identical rows)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3356 set thread context of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe (3 identical rows)
PID 3356 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (3 identical rows)
PID 3356 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (3 identical rows)
PID 2648 wrote to memory of 4396 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 3356 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (12 identical rows)
PID 2552 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (4 further instances of this process, listed without a command line)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe (2 further instances of this process, listed without a command line)

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
RO 185.100.84.212:443 tcp
NL 5.200.21.144:443 tcp
N/A 127.0.0.1:50113 tcp
RO 185.225.17.3:443 tcp
N/A 127.0.0.1:45808 tcp
FI 185.100.86.182:8080 tcp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
GB 158.220.81.45:443 tcp
DE 46.38.232.203:443 tcp
US 8.8.8.8:53 45.81.220.158.in-addr.arpa udp
US 8.8.8.8:53 203.232.38.46.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
GB 158.220.81.45:443 tcp
DE 46.38.232.203:443 tcp
DE 88.99.68.228:9001 tcp
US 8.8.8.8:53 228.68.99.88.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/3356-0-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/3356-1-0x0000000000FA0000-0x00000000014C0000-memory.dmp

memory/3356-2-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/3356-3-0x00000000037C0000-0x00000000037CA000-memory.dmp

memory/3356-4-0x0000000005E40000-0x0000000005E5E000-memory.dmp

memory/3356-5-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/3356-6-0x0000000005E60000-0x0000000005E70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs

MD5 ed6d432bdbf28ed6ac0cf59692f5e0fe
SHA1 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7
SHA256 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe
SHA512 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e

memory/2552-12-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/3356-15-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/2552-14-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2552-16-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4396-17-0x00000000050B0000-0x00000000050E6000-memory.dmp

memory/2552-18-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4396-19-0x00000000057B0000-0x0000000005DD8000-memory.dmp

memory/4396-20-0x0000000074C50000-0x0000000075400000-memory.dmp

memory/4396-22-0x0000000005170000-0x0000000005180000-memory.dmp

memory/4396-21-0x0000000005170000-0x0000000005180000-memory.dmp

memory/4396-24-0x00000000056B0000-0x00000000056D2000-memory.dmp

memory/4396-26-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/2552-25-0x0000000071920000-0x0000000071959000-memory.dmp

memory/4396-27-0x0000000006000000-0x0000000006066000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ofjduogs.rli.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4396-37-0x0000000006220000-0x0000000006574000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll

MD5 d9e7b8adf3a2770bc6fb0f46b0ab3489
SHA1 c27cb66aeb06f2d6541efc35d7b60995508917ef
SHA256 1cd18fd1cf0f0fbe2908b6c902634d7ce4bae06679e326a85121ca1a4fbf6a13
SHA512 9097e7160d4e2dcd636a344c16b6d131f721e5c1532e57d0ac93332f6f5c470e09daf503eff30c3f0d328bd74b083e59dd28e34999a4029291ad92fd795d701a

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll

MD5 286194f7bb8d17810ec88308a468f982
SHA1 57024593888925cf0d2655927b6b3beaeee94abf
SHA256 cf8dd839b61bfa8e8d2e3b4a053529c6be334f253ea705dc711a795ddbfc7ec0
SHA512 7069e10c34c2876ca2946474b3af730988efc9dad5c87abb6b2e3eb90bf0f2cb5158f254c600c6b01b64e4c3b41cbfc5161bc8456f9be69023432e39080588cb

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll

MD5 6c849b13401a6a2b7dde0a0a4c21443e
SHA1 c214cbb2902f5128cc374ee2f46eb8c2fb1bb35e
SHA256 aad4f5112b008d9c4d800cbb0885ea3f007b323aada7802cec5dc9f7329e9677
SHA512 e56a2fac68100888c8df4c38a33e1d432d24695ad924e259ff26f51c1f6934de8f54f8820099d7cef75cc4aecd67280fb62cb6826d9e95755d77d0df90bb8099

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
