Malware Analysis Report

2024-10-18 21:10

Sample ID: 240407-jrz2psgh28
Target: 6ec74da2134bd56250ca32be04b9b697
SHA256: 1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386
Tags: bitrat, persistence, trojan, upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386
Threat Level: Known bad

The file 6ec74da2134bd56250ca32be04b9b697 was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

Bitrat family

BitRAT

Executes dropped EXE

UPX packed file

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 07:54

Signatures

Bitrat family

bitrat

Unsigned PE

(no indicator details recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 07:54
Reported: 2024-04-07 08:21
Platform: win7-20240220-en
Max time kernel: 1198s
Max time network: 1203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

(7 hits; no indicator details recorded)

Executes dropped EXE

Process                                                Hits
C:\Users\Admin\AppData\Local\Temp\ttttt.exe             1
C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe    55

(The Description, Indicator and Target columns were empty for every row; the 55 adobe.exe rows are the 55 launches listed under Processes.)

Loads dropped DLL

Process                                                Hits
C:\Users\Admin\AppData\Local\Temp\ttttt.exe             9
C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe    55

(The DLL names were not recorded on this page; the Description, Indicator and Target columns were empty for every row.)

UPX packed file

upx
(64 hits; no indicator details recorded, so which of the dropped files are UPX-packed is not shown on this page)
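The UPX signature above carries no detail, so this is the check a triager would run on the dropped files before attempting to unpack them. It is an added example, not part of the report or of any sandbox or UPX tooling: a minimal PE section-table reader that flags the UPX section names and, because packers are routinely re-labelled, also measures per-section entropy and looks for UPX's tell-tale shape (a first section with no raw bytes followed by a high-entropy one). The sample PE images are constructed inside the block; the 7.5 bits-per-byte entropy threshold is an assumption.

```python
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte above which a section is treated as compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for uniform filler, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return [(name, raw_bytes)] per section. Only the fields packer triage
    needs are read; the optional header is skipped by its declared size."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_hdr_size
    sections = []
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + i * 40)
        raw = blob[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append((name.rstrip(b"\0"), raw))
    return sections


def upx_verdict(blob: bytes) -> dict:
    """Name-based and shape-based UPX indicators for one PE image."""
    sections = pe_sections(blob)
    names = [n for n, _ in sections]
    by_name = any(n in UPX_SECTION_NAMES for n in names)
    max_entropy = max((shannon_entropy(raw) for _, raw in sections if raw), default=0.0)
    # UPX layout: the first section (UPX0) only reserves the unpack area and
    # has no raw data; the compressed image lives in the section after it.
    empty_first = bool(sections) and len(sections[0][1]) == 0
    by_shape = max_entropy > ENTROPY_THRESHOLD and empty_first
    return {
        "sections": [n.decode("latin-1") for n in names],
        "upx_names": by_name,
        "max_entropy": round(max_entropy, 2),
        "packed_likely": by_name or by_shape,
    }


def build_sample_pe(section_names, payload: bytes) -> bytes:
    """Constructed test input: a header-only PE whose last section carries
    `payload` and whose earlier sections have no raw data (UPX-like shape).
    No optional header is emitted (size 0), which the parser honours."""
    n = len(section_names)
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20
    data_off = table + 40 * n
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    headers = b""
    for i, name in enumerate(section_names):
        raw = payload if i == n - 1 else b""
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                               len(raw), data_off if raw else 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + headers + payload


# Deterministic high-entropy filler standing in for a compressed image.
_rng = random.Random(7)
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for label, blob in (("upx", build_sample_pe([b"UPX0", b"UPX1"], HIGH_ENTROPY)),
                        ("renamed", build_sample_pe([b".text", b".data"], HIGH_ENTROPY)),
                        ("plain", build_sample_pe([b".text"], b"\x90" * 4096))):
        print(label, upx_verdict(blob))
```

The second constructed image has its UPX sections renamed to .text/.data and is still flagged by shape; a renamed packer therefore escapes only the name check, which is why both are run. Real binaries from this sample should go through the same function unchanged; the header parser does not depend on the constructed layout.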

Adds Run key to start application

persistence
Description: Set value (str)
Key: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run
Value: java_update = "C:\\Users\\Admin\\AppData\\Local\\Java_update\\java_update.exe"
Process: C:\Users\Admin\AppData\Local\Temp\ttttt.exe

This is a per-user (HKCU) Run entry: it needs no elevation and fires only at this user's logons. The target path, C:\Users\Admin\AppData\Local\Java_update\java_update.exe, never appears among the executed processes on this page, and the Files section listed in the table of contents is missing from this capture, so whether ttttt.exe actually copied itself there is not shown here. On any host where this Run value is found, check for the file and compare its hash against ttttt.exe.

Looks up external IP address via web service

Indicator: myexternalip.com (25 hits; no process attribution recorded)

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Users\Admin\AppData\Local\Temp\ttttt.exe (28 hits)

NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the kernel from delivering debug events for the calling thread, so a debugger attached to ttttt.exe silently loses those threads. Because the call is made repeatedly, a manual analysis session should hook NtSetInformationThread and drop the 0x11 class before it reaches the kernel (or run under a debugger plugin that does so) rather than patching a single call site.

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description: Key created
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Process: C:\Users\Admin\AppData\Local\Temp\ttttt.exe

Description: Set value (data)
Value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob not reproduced in this capture)
Process: C:\Users\Admin\AppData\Local\Temp\ttttt.exe

Caveat: the thumbprint matches the published SHA-1 fingerprint of ISRG Root X1, the Let's Encrypt root. On a Windows 7 image that entry is commonly written by CryptoAPI's automatic root update the first time a TLS chain ends in a root not yet cached locally (the myexternalip.com connection is a candidate trigger), and the write is attributed to whichever process performed the TLS handshake. Taken alone this signature is therefore weak evidence of tampering; extract the Blob from the key and confirm whether it is the genuine ISRG Root X1 certificate before treating it as an attacker-installed root.
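The Run value and the ROOT-store key above are the two registry events a responder checks first on a suspect host. The following Python is an added example, not sandbox or BitRAT code: it parses event lines in the exact format this report prints, flags a Run target that lives in a user-writable directory, and compares a ROOT-store thumbprint against a small allow-list of public roots (only ISRG Root X1 here, whose published SHA-1 fingerprint this thumbprint matches). The directory list, the allow-list and the third, benign sample event are assumptions to be tuned locally.

```python
import re

# Directories a Run-key target should not live in on a managed host
# (assumption: adjust to local software-deployment practice).
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\", "\\appdata\\roaming\\",
    "\\programdata\\", "\\users\\public\\", "\\temp\\",
)

# SHA-1 thumbprints that Windows' automatic root update may legitimately
# write into the ROOT store. Extend from an authoritative root-store list.
KNOWN_PUBLIC_ROOTS = {
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
}

RUN_VALUE_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?P<key>\S*?\\CurrentVersion\\Run(?:Once)?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<target>[^"]*)"(?: (?P<process>\S+))?'
)
CERT_KEY_RE = re.compile(
    r'Key created \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\'
    r'(?P<store>[A-Za-z]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})(?: (?P<process>\S+))?'
)


def triage_run_value(line):
    """Finding for a Run-key 'Set value' line, or None if the line is not one."""
    m = RUN_VALUE_RE.search(line)
    if not m:
        return None
    # The sandbox prints the value data with doubled backslashes; fold them.
    target = m.group("target").replace("\\\\", "\\")
    low = target.lower()
    return {
        "kind": "run_key",
        "hive": m.group("hive"),
        "name": m.group("name"),
        "target": target,
        "process": m.group("process"),
        "suspicious": any(d in low for d in USER_WRITABLE_DIRS),
    }


def triage_cert_key(line):
    """Finding for a SystemCertificates 'Key created' line, or None."""
    m = CERT_KEY_RE.search(line)
    if not m:
        return None
    thumb = m.group("thumb").upper()
    store = m.group("store").upper()
    known = KNOWN_PUBLIC_ROOTS.get(thumb)
    return {
        "kind": "cert_store",
        "store": store,
        "thumbprint": thumb,
        "known_root": known,
        "process": m.group("process"),
        # Escalate an unknown root written by a user-land process; a known
        # public root is probably the OS root auto-update, but the Blob still
        # has to be checked before the finding is closed.
        "suspicious": store == "ROOT" and known is None,
    }


def triage(lines):
    """Run both parsers over a list of registry event lines."""
    findings = []
    for line in lines:
        finding = triage_run_value(line) or triage_cert_key(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed input: the two event lines from this report, plus one benign
# machine-wide Run value (assumption) for contrast.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\java_update = "C:\\Users\\Admin\\AppData\\Local\\Java_update\\java_update.exe" C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Program Files\\Windows Defender\\MSASCuiL.exe" C:\Windows\System32\svchost.exe N/A',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The same two parsers apply to live hosts once the event source is swapped: Sysmon Event ID 13 (RegistryEvent value set) carries the same key path, value name and data, and the heuristics are unchanged.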

Suspicious use of AdjustPrivilegeToken

Token                 Process
SeDebugPrivilege      C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe
SeDebugPrivilege      C:\Users\Admin\AppData\Local\Temp\ttttt.exe
SeShutdownPrivilege   C:\Users\Admin\AppData\Local\Temp\ttttt.exe

Both the dropper and ttttt.exe enable SeDebugPrivilege, the privilege needed to open and write to processes owned by other accounts. Enabling a privilege only succeeds if the token already holds it (administrator tokens do by default), so this is a capability indicator, not evidence of elevation.

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\ttttt.exe (2 hits; hook type not recorded)

Suspicious use of WriteProcessMemory

The original table lists every source/target pair four times; duplicates are collapsed here. In each row the target is a process the source launched (compare the Processes section).

Source PID  Target PID(s)                                                                      Source process -> Target process
3036        2044                                                                               6ec74da2134bd56250ca32be04b9b697.exe -> ttttt.exe
2044        2560, 1264, 2672, 2564, 2380, 2816, 1404, 2072, 1628, 1476, 1880, 2092, 1796,      ttttt.exe -> a0d62031\tor\adobe.exe
            1944, 1528

Full paths: C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe, C:\Users\Admin\AppData\Local\Temp\ttttt.exe, C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe.

Only 15 adobe.exe targets appear here against 55 launches under Processes, so the captured table is truncated; treat the PID list as a sample of the chain, not an inventory.
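The WriteProcessMemory rows above and the command lines under Processes below are enough to rebuild the process chain and to decide which of its members deserve a closer look. The following Python is an added example, not sandbox, BitRAT or Tor code: it collapses the repeated parent/child rows into a tree and applies three command-line heuristics (image under a user-writable directory, a Tor configuration switch, a vendor-sounding file name outside Program Files). The directory list and the vendor-name list are assumptions, and the sample rows are a constructed subset of this report's tables.

```python
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)"
)
# Assumptions: directories no installed service binary should run from, and
# vendor-sounding file names that malware borrows; tune both locally.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
VENDOR_STYLE_NAMES = {"adobe.exe", "java_update.exe"}


def build_tree(wpm_rows):
    """Collapse duplicate WriteProcessMemory rows (the sandbox logs each
    parent/child pair several times) into parent -> [children], pid -> image
    and an edge counter. Assumes image paths contain no spaces, which holds
    for every path in this report."""
    edges = Counter()
    image = {}
    for row in wpm_rows:
        m = WPM_RE.search(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        image[src] = m["src_img"]
        image[dst] = m["dst_img"]
    children = defaultdict(list)
    for src, dst in sorted(edges):
        children[src].append(dst)
    return dict(children), image, edges


def roots(children):
    """PIDs that are parents but never children: the submitted sample."""
    all_children = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in all_children)


def render(children, image, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid} {image.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


def flag_command_line(cmdline):
    """Reasons a process command line deserves attention (empty list = none)."""
    low = cmdline.lower()
    image_path = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]
    name = image_path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if any(d in low for d in USER_WRITABLE_DIRS):
        reasons.append("image in user-writable directory")
    if "-f torrc" in low or "\\tor\\" in low:
        reasons.append("Tor client configuration (-f torrc)")
    if name in VENDOR_STYLE_NAMES and "\\program files" not in low:
        reasons.append(f"vendor-style name {name} outside Program Files")
    return reasons


# Constructed input: the first four distinct edges of this report's
# WriteProcessMemory table (each repeated four times, as in the original)
# and the three distinct command lines from its Processes section.
SAMPLE_WPM = (
    [r"PID 3036 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe C:\Users\Admin\AppData\Local\Temp\ttttt.exe"] * 4
    + [rf"PID 2044 wrote to memory of {pid} N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe"
       for pid in (2560, 1264, 2672) for _ in range(4)]
)
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\ttttt.exe"',
    r'"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc',
]

if __name__ == "__main__":
    children, image, edges = build_tree(SAMPLE_WPM)
    for root in roots(children):
        print("\n".join(render(children, image, root)))
    for cmd in SAMPLE_CMDLINES:
        print(cmd, "->", flag_command_line(cmd) or "nothing flagged")
```

On a live host the same heuristics map onto Sysmon Event ID 1 (ProcessCreate) or EDR process telemetry, where the parent/child relation is given directly instead of being inferred from cross-process memory writes.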

Processes

Process tree (PIDs taken from the WriteProcessMemory table; the original listing repeated the adobe.exe entry 55 times, once per launch):

C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe  (PID 3036, the submitted sample)
    "C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"

  C:\Users\Admin\AppData\Local\Temp\ttttt.exe  (PID 2044, dropped and launched by 3036)
      "C:\Users\Admin\AppData\Local\Temp\ttttt.exe"

    C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe  (55 launches over the roughly 20-minute run; the WriteProcessMemory table shows 2044 as the parent of the 15 it lists)
        "C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc

-f torrc is the Tor daemon's configuration-file switch. A binary named adobe.exe sitting in a directory called tor and taking that argument is a renamed Tor client, not an Adobe product; the page records no hash for adobe.exe or ttttt.exe, so the identification rests on the path and command line. The repeated launches mean the RAT keeps restarting its Tor client, which is also what produces the repeating cycles in the Network table.

Network

The original table has 155 rows; repeated connections are collapsed below with their hit counts. Rows whose Country column was N/A are loopback connections on the sandbox host and are marked "-".

Country  Destination             Domain             Proto  Hits
US       8.8.8.8:53              myexternalip.com   udp    1
US       8.8.8.8:53              www.microsoft.com  udp    1
US       34.117.118.44:443       myexternalip.com   tcp    16
-        127.0.0.1:45808         -                  tcp    23
-        127.0.0.1:49246-51077   -                  tcp    40   (40 distinct ephemeral loopback ports, one hit each)
US       51.81.56.74:443         -                  tcp    21
US       23.82.136.232:443       -                  tcp    21
SE       171.25.193.25:443       -                  tcp    3
CH       213.144.135.21:443      -                  tcp    2
FI       65.21.180.151:443       -                  tcp    2
AT       217.196.147.77:443      -                  tcp    2
FI       65.21.251.26:443        -                  tcp    2
GB       144.48.81.141:443       -                  tcp    2
FR       193.70.112.165:443      -                  tcp    2
US       96.253.78.108:443       -                  tcp    1
FR       37.187.102.108:443      -                  tcp    1
FR       188.138.88.42:443       -                  tcp    1
FR       92.222.38.67:443        -                  tcp    1
US       204.13.164.118:443      -                  tcp    1
NL       80.127.137.19:443       -                  tcp    1
CZ       46.28.110.244:443       -                  tcp    1
SE       85.230.178.139:443      -                  tcp    1
US       128.31.0.13:443         -                  tcp    1
AT       37.252.187.111:443      -                  tcp    1
LU       92.38.163.21:443        -                  tcp    1
FR       86.105.212.130:443      -                  tcp    1
US       199.184.246.250:443     -                  tcp    1
FR       62.210.254.132:443      -                  tcp    1
FR       185.13.39.197:443       -                  tcp    1
US       199.249.230.64:443      -                  tcp    1
FR       212.47.244.38:443       -                  tcp    1

Reading the table: the original rows come in repeating cycles, each one a fresh ephemeral loopback port, then 51.81.56.74:443 and 23.82.136.232:443, then 127.0.0.1:45808, then a myexternalip.com request, with one or two new :443 hosts in between. Together with the 55 launches of adobe.exe -f torrc this is consistent with ttttt.exe restarting its bundled Tor client, the client bootstrapping against relays (the one-off :443 hosts spread over 10 countries, none preceded by a DNS lookup), and the RAT then checking its egress address through the local proxy. The two recurring US peers deserve the first look: from this table alone they cannot be told apart as Tor guard relays or a direct BitRAT C2. The page does not identify a C2 address; if C2 rides over Tor it will never appear here, so blocking the listed IPs is not a containment strategy on its own. The www.microsoft.com lookup is not attributed to a process and may be the OS's own connectivity probe.
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:51144 tcp
N/A 127.0.0.1:51175 tcp
FI 65.21.251.26:443 tcp
US 23.82.136.232:443 tcp
US 51.81.56.74:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:51231 tcp
N/A 127.0.0.1:51266 tcp
US 50.7.74.170:443 tcp
US 23.82.136.232:443 tcp
US 51.81.56.74:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
SE 171.25.193.20:443 tcp
N/A 127.0.0.1:51329 tcp
N/A 127.0.0.1:51361 tcp
US 23.82.136.232:443 tcp
US 51.81.56.74:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:51414 tcp
N/A 127.0.0.1:51457 tcp
FR 163.172.176.167:443 tcp
US 51.81.56.74:443 tcp
US 23.82.136.232:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:51511 tcp
N/A 127.0.0.1:51546 tcp
CZ 195.123.245.141:443 tcp
US 23.82.136.232:443 tcp
US 51.81.56.74:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:51598 tcp
N/A 127.0.0.1:51631 tcp
FR 212.129.62.232:443 tcp
US 23.82.136.232:443 tcp
US 51.81.56.74:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:51696 tcp
CZ 31.31.78.49:443 tcp
US 23.82.136.232:443 tcp
US 51.81.56.74:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:51745 tcp
N/A 127.0.0.1:51782 tcp
NL 77.247.181.166:443 tcp
US 51.81.56.74:443 tcp
US 23.82.136.232:443 tcp

Files

memory/3036-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/3036-0-0x00000000013C0000-0x0000000001B9C000-memory.dmp

memory/3036-2-0x000000001B8B0000-0x000000001B930000-memory.dmp

memory/3036-3-0x0000000000250000-0x0000000000258000-memory.dmp

memory/3036-4-0x000000001B8B0000-0x000000001B930000-memory.dmp

memory/3036-6-0x000000001B8B0000-0x000000001B930000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ttttt.exe

MD5 fb3275ed37c90f2157066dcb2a8e46cb
SHA1 9eca563f4a66414d05ae700bcd57dfbb06644a19
SHA256 b9a5fed33c62e470f337ee1da21e4b1abab7a4b5107aabb01e432d8b32eab9ab
SHA512 408661a5c3b10a46bac7d5f4f0cf20baa4f97da31d1c9e7b994710f5e00de9afd343d3e74f60337058b06530aaca95c66af7698b0da34e9592a49f67933c8671

memory/3036-13-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\a0d62031\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2044-32-0x0000000003FF0000-0x00000000043F4000-memory.dmp

memory/2044-33-0x0000000003FF0000-0x00000000043F4000-memory.dmp

memory/2560-34-0x00000000000D0000-0x00000000004D4000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/2560-39-0x00000000742D0000-0x000000007459F000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\a0d62031\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/2560-40-0x0000000074280000-0x00000000742C9000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/2560-47-0x00000000741B0000-0x0000000074278000-memory.dmp

\Users\Admin\AppData\Local\a0d62031\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\a0d62031\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/2560-51-0x0000000074010000-0x0000000074098000-memory.dmp

memory/2560-50-0x00000000740A0000-0x00000000741AA000-memory.dmp

memory/2560-53-0x0000000073F40000-0x000000007400E000-memory.dmp

memory/2560-54-0x0000000074CF0000-0x0000000074D14000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\torrc

MD5 aed5236dc2f3c2c8244913bc771a0980
SHA1 24bf716687ea54e3f44f405da94acce3046aba2a
SHA256 69b07fcdeb4c47ad20869ac27c2b39dfe4afcba2e972500d24a5670904226f12
SHA512 ef367214b48860bd704eb52d35881f75cd18fe177be6d49c407e77b6b44dee46f717f578236a14f4028164beaaf616777aaef58b593b8f980a66c5241076c053

memory/2560-59-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2560-60-0x00000000742D0000-0x000000007459F000-memory.dmp

memory/2560-65-0x0000000073F40000-0x000000007400E000-memory.dmp

memory/2560-64-0x0000000074010000-0x0000000074098000-memory.dmp

memory/2560-63-0x00000000740A0000-0x00000000741AA000-memory.dmp

memory/2560-62-0x00000000741B0000-0x0000000074278000-memory.dmp

memory/2560-61-0x0000000074280000-0x00000000742C9000-memory.dmp

memory/2044-67-0x0000000003FF0000-0x00000000043F4000-memory.dmp

memory/2044-68-0x0000000003FF0000-0x00000000043F4000-memory.dmp

memory/2560-69-0x00000000000D0000-0x00000000004D4000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdesc-consensus.tmp

MD5 dfa55fd7926aaa64e863aef6e728410e
SHA1 b74f5e363e6aa070d85ef986d9905f1f5435f200
SHA256 04415cf26f3bdcc2c7aede2881ec215acae7696e001b19b18c8f0afd9800bcab
SHA512 abbf86bcc8eb0c169c2e278bc6f694ac80a69b32fd99aaf1fc2a6669414694322e08a8371b1c39dd25d777535e075ad3a1aed47c9dbc3ca3e05b643153e35313

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdescs.new

MD5 24d11f9ec858ef8e9c5c8f63ef59e76f
SHA1 b6109c4c9932bbe9f66c4c323c1cf60edf977239
SHA256 532e9c26ffe79950a80c7c3efa719b5dfa75cab17e9fa029a63e6d8969e2afeb
SHA512 9d81a35529f2edda5d242fe5d5018c603bc46c1d6dd42818e4d79e593c63d077416aac4a6513d7c946b76549a1cd36c50faeff358dd5b4655ca9c9ce2818fa77

memory/2560-101-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2560-109-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2560-117-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2044-126-0x0000000004C20000-0x0000000005024000-memory.dmp

memory/1264-136-0x00000000742D0000-0x000000007459F000-memory.dmp

memory/1264-138-0x0000000074280000-0x00000000742C9000-memory.dmp

memory/1264-142-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/1264-141-0x00000000741B0000-0x0000000074278000-memory.dmp

memory/1264-145-0x00000000742D0000-0x000000007459F000-memory.dmp

memory/1264-144-0x00000000740A0000-0x00000000741AA000-memory.dmp

memory/1264-148-0x0000000074280000-0x00000000742C9000-memory.dmp

memory/1264-147-0x0000000074010000-0x0000000074098000-memory.dmp

memory/1264-150-0x00000000741B0000-0x0000000074278000-memory.dmp

memory/1264-149-0x0000000073F40000-0x000000007400E000-memory.dmp

memory/1264-151-0x0000000074CF0000-0x0000000074D14000-memory.dmp

memory/2672-174-0x00000000000E0000-0x00000000004E4000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\state

MD5 76a6576d129f5496ec4f7a8f426b2411
SHA1 2698d9057194617dd4610aec7d201e47b6f9f274
SHA256 bd15882050e89e809514e7984017c498762faa047531cb22ef09a32519af17ae
SHA512 223ef60cca5f08ee084deac10579adadb2214569b9a597a26625e5c80302906e2281d9397fec6417f555bb7b8f54d96af63fc391640854dbadbcb55f207f54c5

memory/2672-177-0x0000000074000000-0x00000000742CF000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-certs

MD5 b7ed4e4ac36ddd5b95d2f8fadc80f39c
SHA1 965abb9871594044f1ab861dbb7333a2b30135b8
SHA256 48693d0072c684c8576fb0829dee5bc10e99b05594818e6fba137705fc6a4297
SHA512 7537d44a0ae7b04f5804469f4fb2bd51b6f413fe69e030c4de52f20625028df1123ce07e363bca3bd235992173262ab6d1e65f063a2bb5b58e7559aab6b36cde

memory/2672-178-0x0000000074550000-0x0000000074599000-memory.dmp

memory/2672-179-0x0000000074480000-0x0000000074548000-memory.dmp

memory/2672-180-0x0000000074370000-0x000000007447A000-memory.dmp

memory/2672-181-0x00000000742E0000-0x0000000074368000-memory.dmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdescs.new

MD5 3b7997bb124041c88ae1044286381201
SHA1 81ef031bf8bffb73638825e9c773fe42169b1eb1
SHA256 78c8c20a9cae17bed3defde1abe1ba2837848ed7fa046da4302b1d117c5ea40b
SHA512 78c5aaecf276743e1c13ef5c01d6a8a2480c0972cfc418433afe3632d6da94b2afbf8dfc92e50787b9e5405d137d7faa3a265eda676cf3a447eae4e766cfeee7

memory/2672-182-0x0000000073F30000-0x0000000073FFE000-memory.dmp

memory/2672-184-0x0000000073F00000-0x0000000073F24000-memory.dmp

memory/2672-193-0x00000000000E0000-0x00000000004E4000-memory.dmp

memory/2044-201-0x0000000004C20000-0x0000000005024000-memory.dmp

memory/2672-202-0x00000000000E0000-0x00000000004E4000-memory.dmp

memory/2672-210-0x00000000000E0000-0x00000000004E4000-memory.dmp

memory/2044-222-0x0000000000C90000-0x0000000000C9A000-memory.dmp

memory/2044-223-0x0000000000C90000-0x0000000000C9A000-memory.dmp

memory/2044-254-0x0000000005860000-0x0000000005C64000-memory.dmp

memory/2564-256-0x00000000000E0000-0x00000000004E4000-memory.dmp

memory/2564-259-0x0000000074000000-0x00000000742CF000-memory.dmp

memory/2564-262-0x0000000074550000-0x0000000074599000-memory.dmp

memory/2564-265-0x0000000074480000-0x0000000074548000-memory.dmp

memory/2564-268-0x0000000074370000-0x000000007447A000-memory.dmp

memory/2564-271-0x00000000742E0000-0x0000000074368000-memory.dmp

memory/2564-274-0x0000000073F30000-0x0000000073FFE000-memory.dmp

memory/2564-277-0x0000000073F00000-0x0000000073F24000-memory.dmp

memory/2672-276-0x00000000000E0000-0x00000000004E4000-memory.dmp

memory/2564-280-0x00000000000E0000-0x00000000004E4000-memory.dmp

memory/2564-281-0x0000000074000000-0x00000000742CF000-memory.dmp

memory/2380-296-0x0000000001150000-0x0000000001554000-memory.dmp

memory/2380-297-0x0000000074500000-0x0000000074549000-memory.dmp

memory/2380-298-0x0000000074430000-0x00000000744F8000-memory.dmp

memory/2380-299-0x0000000074320000-0x000000007442A000-memory.dmp

memory/2380-300-0x0000000074240000-0x00000000742C8000-memory.dmp

memory/2380-301-0x0000000074170000-0x000000007423E000-memory.dmp

memory/2380-302-0x0000000074570000-0x0000000074594000-memory.dmp

memory/2380-303-0x00000000733B0000-0x000000007367F000-memory.dmp

memory/2044-306-0x0000000000C90000-0x0000000000C9A000-memory.dmp

memory/2044-307-0x0000000000C90000-0x0000000000C9A000-memory.dmp

memory/2044-316-0x0000000005860000-0x0000000005C64000-memory.dmp

memory/2044-317-0x0000000005860000-0x0000000005C64000-memory.dmp

memory/2380-326-0x0000000001150000-0x0000000001554000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6E11.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d