Malware Analysis Report

2024-10-18 21:10

Sample ID 240407-jr6jgsgd3z
Target 6ec74da2134bd56250ca32be04b9b697
SHA256 1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386
Tags
bitrat persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386

Threat Level: Known bad

The file 6ec74da2134bd56250ca32be04b9b697 was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

Bitrat family

BitRAT

Executes dropped EXE

UPX packed file

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 07:55

Signatures

Bitrat family

bitrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 07:55

Reported

2024-04-07 09:10

Platform

win7-20231129-en

Max time kernel

1800s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A (×7)
N/A N/A C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe N/A (×42)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\java_update = "C:\\Users\\Admin\\AppData\\Local\\Java_update\\java_update.exe" C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A (×5)

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A (×2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe C:\Users\Admin\AppData\Local\Temp\ttttt.exe (×4)
PID 2892 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe (×4)
PID 2892 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe (×4)
PID 2892 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe (×4)
PID 2892 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe (×4)
PID 2892 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe (×4)
PID 2892 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe (×4)

Processes

C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe

"C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"

C:\Users\Admin\AppData\Local\Temp\ttttt.exe

"C:\Users\Admin\AppData\Local\Temp\ttttt.exe"

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc

Network

Country Destination Domain Proto
FR 163.172.53.84:443 tcp
US 50.7.74.170:443 tcp
N/A 127.0.0.1:49231 tcp
DE 136.243.214.137:443 tcp
DE 37.120.174.249:443 tcp
N/A 127.0.0.1:45808 tcp
DE 188.68.33.200:443 tcp
DE 88.198.35.49:443 tcp
DE 188.68.33.200:443 tcp
DE 88.198.35.49:443 tcp
N/A 127.0.0.1:45808 tcp
US 50.7.74.170:443 tcp
DE 88.198.35.49:443 tcp
DE 188.68.33.200:443 tcp
N/A 127.0.0.1:49337 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49418 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 50.7.74.172:443 tcp
DE 188.68.33.200:443 tcp
DE 88.198.35.49:443 tcp
N/A 127.0.0.1:49492 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49558 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49616 tcp
FR 95.128.43.164:443 tcp
DE 188.68.33.200:443 tcp
DE 88.198.35.49:443 tcp
DE 136.243.176.148:443 tcp

Files

memory/2332-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

memory/2332-0-0x0000000000DE0000-0x00000000015BC000-memory.dmp

memory/2332-2-0x000000001B3C0000-0x000000001B440000-memory.dmp

memory/2332-3-0x0000000000340000-0x0000000000348000-memory.dmp

memory/2332-4-0x000000001B3C0000-0x000000001B440000-memory.dmp

memory/2332-6-0x000000001B3C0000-0x000000001B440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ttttt.exe

MD5 fb3275ed37c90f2157066dcb2a8e46cb
SHA1 9eca563f4a66414d05ae700bcd57dfbb06644a19
SHA256 b9a5fed33c62e470f337ee1da21e4b1abab7a4b5107aabb01e432d8b32eab9ab
SHA512 408661a5c3b10a46bac7d5f4f0cf20baa4f97da31d1c9e7b994710f5e00de9afd343d3e74f60337058b06530aaca95c66af7698b0da34e9592a49f67933c8671

memory/2332-13-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/2892-34-0x0000000003EF0000-0x00000000042F4000-memory.dmp

memory/2528-33-0x0000000000B90000-0x0000000000F94000-memory.dmp

\Users\Admin\AppData\Local\a0d62031\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/2528-41-0x0000000074570000-0x000000007483F000-memory.dmp

\Users\Admin\AppData\Local\a0d62031\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\a0d62031\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/2528-46-0x0000000074390000-0x000000007449A000-memory.dmp

\Users\Admin\AppData\Local\a0d62031\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\a0d62031\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/2528-53-0x00000000742C0000-0x000000007438E000-memory.dmp

memory/2528-49-0x0000000074A40000-0x0000000074AC8000-memory.dmp

memory/2528-54-0x0000000074B70000-0x0000000074B94000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\torrc

MD5 aed5236dc2f3c2c8244913bc771a0980
SHA1 24bf716687ea54e3f44f405da94acce3046aba2a
SHA256 69b07fcdeb4c47ad20869ac27c2b39dfe4afcba2e972500d24a5670904226f12
SHA512 ef367214b48860bd704eb52d35881f75cd18fe177be6d49c407e77b6b44dee46f717f578236a14f4028164beaaf616777aaef58b593b8f980a66c5241076c053

\Users\Admin\AppData\Local\a0d62031\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/2528-43-0x00000000744A0000-0x0000000074568000-memory.dmp

memory/2528-42-0x0000000074AD0000-0x0000000074B19000-memory.dmp

\Users\Admin\AppData\Local\a0d62031\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2892-30-0x0000000003EF0000-0x00000000042F4000-memory.dmp

memory/2892-59-0x0000000003EF0000-0x00000000042F4000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdesc-consensus.tmp

MD5 dfa55fd7926aaa64e863aef6e728410e
SHA1 b74f5e363e6aa070d85ef986d9905f1f5435f200
SHA256 04415cf26f3bdcc2c7aede2881ec215acae7696e001b19b18c8f0afd9800bcab
SHA512 abbf86bcc8eb0c169c2e278bc6f694ac80a69b32fd99aaf1fc2a6669414694322e08a8371b1c39dd25d777535e075ad3a1aed47c9dbc3ca3e05b643153e35313

memory/2528-71-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2528-75-0x0000000074570000-0x000000007483F000-memory.dmp

memory/2528-80-0x00000000742C0000-0x000000007438E000-memory.dmp

memory/2892-82-0x0000000003EF0000-0x00000000042F4000-memory.dmp

memory/2528-79-0x0000000074A40000-0x0000000074AC8000-memory.dmp

memory/2528-78-0x0000000074390000-0x000000007449A000-memory.dmp

memory/2528-77-0x00000000744A0000-0x0000000074568000-memory.dmp

memory/2528-76-0x0000000074AD0000-0x0000000074B19000-memory.dmp

memory/2528-74-0x0000000000B90000-0x0000000000F94000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdescs.new

MD5 6124a19d464b2eb12b747810830cd772
SHA1 65b92e91c46404798016b0c4cc6dd89e16d2596c
SHA256 4670a7e4bea2778b16d68db50848454ce2e270dbfe9f75d2b6dbb0d3113a97c0
SHA512 3e2d4821cd7e9a858ebb94e0543898768f78ee89281d74787c52ad7f0042c768a7549254bde690a6663f583fe46379ddc4bdcf1fbb2f760e8165268f4063a2a8

memory/2528-97-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2528-108-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2528-119-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2528-127-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2892-149-0x0000000004AE0000-0x0000000004EE4000-memory.dmp

memory/2044-154-0x0000000074570000-0x000000007483F000-memory.dmp

memory/2044-155-0x0000000074AD0000-0x0000000074B19000-memory.dmp

memory/2044-156-0x00000000744A0000-0x0000000074568000-memory.dmp

memory/2044-157-0x0000000074390000-0x000000007449A000-memory.dmp

memory/2044-158-0x0000000074A40000-0x0000000074AC8000-memory.dmp

memory/2044-159-0x00000000742C0000-0x000000007438E000-memory.dmp

memory/2044-161-0x0000000074B70000-0x0000000074B94000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-certs

MD5 6a6cb6344dfbe700c7998f11ee66fda9
SHA1 eeb2b2ffffd53bb5c305be834c57435cfebc06b9
SHA256 11213f6d86496a5059f558b468673de9e1a77c57c5ebcdc2c77ee681ed2b325f
SHA512 bc02c0be27681f9e461321b95ce123e8f199a2620157ecbb67f61d2e3071df953f338cffc4665c0632908c0a06bc15a8b84ee955b3d2cff9266fb2561a56dad1

C:\Users\Admin\AppData\Local\a0d62031\tor\data\state

MD5 a275984bfa0fd9d48dff5c39c0b8e545
SHA1 5d0ece0f787276a83a199377d376553a1cccc016
SHA256 4e23cc40c0d4c914a1d1cd471dea3ac8a90194fa83256627bb0457a9b706455a
SHA512 2b435c5da61082d76c1d39a99900b7644e0952c2cc29d8ddaaafe74fc91ff7469d4f31fe39a4254dc6ab06fcec0bc50342b128e243ced1054d83ab7acab5665a

memory/2044-162-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2044-169-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2892-177-0x0000000004AE0000-0x0000000004EE4000-memory.dmp

memory/2044-178-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2044-186-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2892-222-0x0000000004AE0000-0x0000000004EE4000-memory.dmp

memory/2032-223-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2032-227-0x0000000074390000-0x000000007449A000-memory.dmp

memory/2032-231-0x00000000742C0000-0x000000007438E000-memory.dmp

memory/2032-230-0x0000000074A40000-0x0000000074AC8000-memory.dmp

memory/2032-239-0x0000000074570000-0x000000007483F000-memory.dmp

memory/2032-238-0x0000000074B70000-0x0000000074B94000-memory.dmp

memory/2032-225-0x00000000744A0000-0x0000000074568000-memory.dmp

memory/2032-241-0x0000000074AD0000-0x0000000074B19000-memory.dmp

memory/2032-240-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2032-243-0x0000000074390000-0x000000007449A000-memory.dmp

memory/2032-242-0x00000000744A0000-0x0000000074568000-memory.dmp

memory/2032-224-0x0000000074AD0000-0x0000000074B19000-memory.dmp

memory/2892-252-0x0000000004AE0000-0x0000000004EE4000-memory.dmp

memory/2892-261-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/2892-262-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/2044-283-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2400-292-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2400-295-0x0000000074570000-0x000000007483F000-memory.dmp

memory/2400-296-0x0000000074AD0000-0x0000000074B19000-memory.dmp

memory/2400-297-0x00000000744A0000-0x0000000074568000-memory.dmp

memory/2400-298-0x0000000074390000-0x000000007449A000-memory.dmp

memory/2400-299-0x0000000074A40000-0x0000000074AC8000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdescs

MD5 d3e066f2d616f7586161f65291445d03
SHA1 34f07ce68cf5910c8d3e0cea8ecbd2fdf92edb2d
SHA256 7285b4537fd74e3e2b0d3a17f605f3dc12eecb2fc1c8508c137344959e4c7c51
SHA512 160c169a3441393fabbd75c8ee1a9201fb027e36a14dc1674afa41d013ae0ded91cb50b4a1b531ff9a4586ad60ee5b0ce7a3c8705c3e60e6bd0ffe981b13207f

memory/2400-300-0x00000000742C0000-0x000000007438E000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\state

MD5 e776375dc85949186af1f0ecfab4a4d6
SHA1 f4d2e1c4a29d8e4182f2c0be7d741d694be4187e
SHA256 f83b7f50f838b96a1e10daf2c67a9063400553c9c70087400f6454686ef83412
SHA512 40756eccb81fe6b1a2ae3000e924c20b53af1d8b0d751113ba46593180f2341c1e39772ffadb2ac2761186eb1b4980c69be57c9a14c9c299a25ff9d62f7ac683

memory/2400-302-0x0000000074B70000-0x0000000074B94000-memory.dmp

memory/2892-313-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/2892-314-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/2400-323-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/2400-324-0x0000000074570000-0x000000007483F000-memory.dmp

memory/2892-362-0x00000000059A0000-0x0000000005DA4000-memory.dmp

memory/1508-363-0x0000000000B90000-0x0000000000F94000-memory.dmp

memory/1508-365-0x0000000074570000-0x000000007483F000-memory.dmp

memory/1508-367-0x0000000074AD0000-0x0000000074B19000-memory.dmp

memory/1508-369-0x00000000744A0000-0x0000000074568000-memory.dmp