Analysis Overview
SHA256
28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486
Threat Level: Known bad
The file 9cba67b5a3086744c0d4f831079b319b was found to be: Known bad.
Malicious Activity Summary
BitRAT
Modifies WinLogon for persistence
UPX packed file
Executes dropped EXE
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 11:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 11:59
Reported
2024-04-10 12:04
Platform
win7-20240319-en
Max time kernel
298s
Max time network
303s
Command Line
Signatures
BitRAT
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1900 set thread context of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary certificate data omitted) | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| DE | 5.189.169.190:8080 | | tcp |
| SE | 193.11.164.243:9001 | | tcp |
| IS | 89.147.109.91:443 | | tcp |
| US | 198.251.76.239:443 | | tcp |
| N/A | 127.0.0.1:49285 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49373 | | tcp |
| DE | 46.38.255.10:1443 | | tcp |
| GB | 144.21.52.220:9282 | | tcp |
| N/A | 127.0.0.1:49416 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49492 | | tcp |
| N/A | 127.0.0.1:49535 | | tcp |
| DE | 185.162.251.122:9001 | | tcp |
| FR | 163.172.76.56:9001 | | tcp |
| NL | 50.118.225.160:444 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49594 | | tcp |
| N/A | 127.0.0.1:49626 | | tcp |
| FI | 65.108.198.216:443 | | tcp |
| PL | 95.214.53.96:8445 | | tcp |
| FR | 163.172.76.56:9001 | | tcp |
| FI | 65.108.198.216:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:49707 | | tcp |
| N/A | 127.0.0.1:49746 | | tcp |
| DE | 31.185.104.20:443 | | tcp |
| FR | 163.172.76.56:9001 | | tcp |
| FI | 65.108.198.216:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49800 | | tcp |
| N/A | 127.0.0.1:49833 | | tcp |
| US | 66.111.2.16:9001 | | tcp |
| FR | 163.172.76.56:9001 | | tcp |
| FI | 65.108.198.216:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
Files
memory/1900-1-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/1900-0-0x0000000000CC0000-0x00000000011E0000-memory.dmp
memory/1900-2-0x0000000004C10000-0x0000000004C50000-memory.dmp
memory/1900-3-0x0000000000300000-0x000000000030A000-memory.dmp
memory/1900-4-0x0000000000510000-0x000000000052E000-memory.dmp
memory/1900-5-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/1900-6-0x0000000004C10000-0x0000000004C50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs
| MD5 | ed6d432bdbf28ed6ac0cf59692f5e0fe |
| SHA1 | 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7 |
| SHA256 | 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe |
| SHA512 | 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e |
memory/2944-12-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-14-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-16-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-17-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-19-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-21-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-23-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-25-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2944-28-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1900-32-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/2944-33-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2448-34-0x0000000071120000-0x00000000716CB000-memory.dmp
memory/2448-35-0x0000000000210000-0x0000000000250000-memory.dmp
memory/2448-36-0x0000000071120000-0x00000000716CB000-memory.dmp
memory/2944-37-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2448-38-0x0000000000210000-0x0000000000250000-memory.dmp
\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
memory/2944-58-0x00000000044C0000-0x00000000048C4000-memory.dmp
memory/2944-59-0x00000000044C0000-0x00000000048C4000-memory.dmp
memory/1920-60-0x0000000000D30000-0x0000000001134000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/1920-66-0x0000000072010000-0x0000000072059000-memory.dmp
memory/1920-63-0x00000000707F0000-0x0000000070ABF000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
memory/1920-69-0x0000000071900000-0x00000000719C8000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/1920-75-0x00000000717F0000-0x00000000718FA000-memory.dmp
memory/2448-74-0x0000000071120000-0x00000000716CB000-memory.dmp
memory/2448-76-0x0000000071120000-0x00000000716CB000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/2944-81-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1920-77-0x0000000071760000-0x00000000717E8000-memory.dmp
\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc
| MD5 | 10e4369f9761d5401203f24a43aec777 |
| SHA1 | f6237d60d66f0bdc642836387c2e9adaf60114d2 |
| SHA256 | 1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976 |
| SHA512 | 7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb |
memory/1920-86-0x00000000720D0000-0x00000000720F4000-memory.dmp
memory/1920-85-0x0000000070720000-0x00000000707EE000-memory.dmp
memory/2448-87-0x0000000071120000-0x00000000716CB000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp
| MD5 | 381cc5ba2ce158b71214b0d01a0b1a5c |
| SHA1 | d7c546b983b31d2785f46e3b097992f96445074d |
| SHA256 | ad8060faee1771ee0547d651d4cceee52263e534b0cf84efa75f6c0bab1187ec |
| SHA512 | 8fc885b883e058bb907a3eb8d2a88bfa6729d114f926db80c15af03aa01f2e8833727c80e77903a730c7721f9e3730e6a95cd4d938c7da24c0848ff34691f8b4 |
memory/2944-96-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-97-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-98-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-99-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-100-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-101-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2944-105-0x00000000044C0000-0x00000000048C4000-memory.dmp
memory/2944-106-0x00000000044C0000-0x00000000048C4000-memory.dmp
memory/1920-108-0x0000000000D30000-0x0000000001134000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
| MD5 | e4290bd7c7531ee4b542641a8581f479 |
| SHA1 | b4cde4a7e68aefb561f3e46a05ddc7687def778a |
| SHA256 | 98587230d3791c2e215d208bf7f86df16c1137a4853f1885912f01d67312e821 |
| SHA512 | 6a53d53bba32d0ccae7707301f4507266096e92b5ba62dd2d3249eca4d5e5f3f80b1522836c97180da6b9cec3089cbfc312c54b7d1d45fc64496214b081f8e70 |
memory/1920-111-0x0000000000D30000-0x0000000001134000-memory.dmp
memory/1920-116-0x0000000071760000-0x00000000717E8000-memory.dmp
memory/1920-115-0x00000000717F0000-0x00000000718FA000-memory.dmp
memory/1920-114-0x0000000071900000-0x00000000719C8000-memory.dmp
memory/1920-113-0x0000000072010000-0x0000000072059000-memory.dmp
memory/1920-112-0x00000000707F0000-0x0000000070ABF000-memory.dmp
memory/1920-122-0x0000000000D30000-0x0000000001134000-memory.dmp
memory/1920-130-0x0000000000D30000-0x0000000001134000-memory.dmp
memory/1920-138-0x0000000000D30000-0x0000000001134000-memory.dmp
memory/1920-146-0x0000000000D30000-0x0000000001134000-memory.dmp
memory/2944-154-0x00000000056B0000-0x0000000005AB4000-memory.dmp
memory/2044-163-0x00000000707F0000-0x0000000070ABF000-memory.dmp
memory/2044-166-0x0000000072010000-0x0000000072059000-memory.dmp
memory/2044-168-0x0000000000D30000-0x0000000001134000-memory.dmp
memory/2044-169-0x0000000071900000-0x00000000719C8000-memory.dmp
memory/2044-172-0x00000000717F0000-0x00000000718FA000-memory.dmp
memory/2044-175-0x0000000071760000-0x00000000717E8000-memory.dmp
memory/2044-178-0x0000000070720000-0x00000000707EE000-memory.dmp
memory/2044-181-0x00000000720D0000-0x00000000720F4000-memory.dmp
memory/2044-185-0x00000000707F0000-0x0000000070ABF000-memory.dmp
memory/2044-186-0x0000000072010000-0x0000000072059000-memory.dmp
memory/800-203-0x0000000074E00000-0x00000000750CF000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state
| MD5 | 87efacea8413608842844330a7272b88 |
| SHA1 | 8760cdd15e8fa0e491cfa8af702a22884f000c67 |
| SHA256 | 869a1594ffde3535eb8efdc889d60ef1ae907b43f13f60c48b9f67f75e40d49c |
| SHA512 | ede750897dd2f1b9b673940c72d9a9b708592d2a5c916807f5dae2747ed02514a37be62f1d0ecc1bf62632e67dda2aa2ea583d674765b14e6a3bcae7edd48253 |
memory/800-210-0x0000000074C20000-0x0000000074D2A000-memory.dmp
memory/800-211-0x0000000074B90000-0x0000000074C18000-memory.dmp
memory/800-212-0x0000000074AC0000-0x0000000074B8E000-memory.dmp
memory/800-213-0x0000000075190000-0x00000000751B4000-memory.dmp
memory/800-214-0x0000000000D30000-0x0000000001134000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs
| MD5 | afb4ebba291acd8241d9ef38d034b42a |
| SHA1 | acbe1508585f11196b5dd64ce97b880e334032df |
| SHA256 | f8c2c08a40583f6d71deb62c347c33e853ea2b06c8fc136915f9b2ea271aa4ea |
| SHA512 | 2ef2ee732ae1d2e98e22d4af7dfeb5fc0c61fed925ae1e1c788436bde9f09bca7c01236797c31b7445228f69a73b08b73b46fd297c53e3bb56ac2d16f64cfa2f |
memory/800-207-0x0000000074D30000-0x0000000074DF8000-memory.dmp
memory/800-204-0x0000000075110000-0x0000000075159000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
| MD5 | ec03d88e872cd14da81f9101d3bf6c04 |
| SHA1 | 5d69a2f7acdf688b7a15108d63bfc74845ec6054 |
| SHA256 | f149647fe79a7de56865356b575af769f461e63f3eb4e918374f882b8c8cdcc7 |
| SHA512 | 2e0f31eb6f7338e91853da9ba1d601a57838aab4cf108c1883bb7b67a6bd7a0d1d38fbecc6356202a621b6ba8c5ead984371651149ab6c068c55a2d20fa335aa |
memory/2944-236-0x00000000056B0000-0x0000000005AB4000-memory.dmp
memory/2944-245-0x00000000056B0000-0x0000000005AB4000-memory.dmp
memory/800-246-0x0000000074E00000-0x00000000750CF000-memory.dmp
memory/800-247-0x0000000000D30000-0x0000000001134000-memory.dmp
memory/2944-264-0x00000000056B0000-0x0000000005AB4000-memory.dmp
memory/2748-273-0x0000000074E00000-0x00000000750CF000-memory.dmp
memory/2748-275-0x0000000075110000-0x0000000075159000-memory.dmp
memory/2748-278-0x0000000074D30000-0x0000000074DF8000-memory.dmp
memory/2748-281-0x0000000074C20000-0x0000000074D2A000-memory.dmp
memory/2748-284-0x0000000074B90000-0x0000000074C18000-memory.dmp
memory/2748-287-0x0000000074AC0000-0x0000000074B8E000-memory.dmp
memory/2748-290-0x0000000075190000-0x00000000751B4000-memory.dmp
memory/800-292-0x0000000000D30000-0x0000000001134000-memory.dmp
memory/2748-293-0x0000000000D30000-0x0000000001134000-memory.dmp
memory/2748-297-0x0000000074E00000-0x00000000750CF000-memory.dmp
memory/2748-298-0x0000000075110000-0x0000000075159000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 11:59
Reported
2024-04-10 12:04
Platform
win10-20240404-en
Max time kernel
310s
Max time network
322s
Command Line
Signatures
BitRAT
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 956 set thread context of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| FR | 51.15.179.153:995 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 178.254.7.88:8443 | | tcp |
| FR | 51.254.147.57:443 | | tcp |
| N/A | 127.0.0.1:49873 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| NL | 80.127.137.19:443 | | tcp |
| CA | 199.58.81.140:443 | | tcp |
| US | 8.8.8.8:53 | 140.81.58.199.in-addr.arpa | udp |
| US | 15.204.227.206:9000 | | tcp |
| US | 147.135.6.69:443 | | tcp |
| US | 8.8.8.8:53 | 206.227.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.6.135.147.in-addr.arpa | udp |
| US | 199.184.215.11:9090 | | tcp |
| US | 8.8.8.8:53 | 11.215.184.199.in-addr.arpa | udp |
| US | 147.135.6.69:443 | | tcp |
| US | 15.204.227.206:9000 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.101.63.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:50244 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50289 | | tcp |
| DE | 136.243.147.91:9001 | | tcp |
| US | 8.8.8.8:53 | 91.147.243.136.in-addr.arpa | udp |
| DE | 193.41.226.147:9000 | | tcp |
| US | 8.8.8.8:53 | 147.226.41.193.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| N/A | 127.0.0.1:50370 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50418 | | tcp |
| FR | 212.129.62.232:443 | | tcp |
| DE | 136.243.147.91:9001 | | tcp |
| US | 8.8.8.8:53 | 232.62.129.212.in-addr.arpa | udp |
| DE | 85.215.67.227:8443 | | tcp |
| US | 8.8.8.8:53 | 227.67.215.85.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:50490 | | tcp |
Files
memory/956-0-0x0000000073D80000-0x000000007446E000-memory.dmp
memory/956-1-0x0000000000C90000-0x00000000011B0000-memory.dmp
memory/956-2-0x0000000005B30000-0x0000000005B40000-memory.dmp
memory/956-3-0x00000000034F0000-0x00000000034FA000-memory.dmp
memory/956-4-0x0000000005B10000-0x0000000005B2E000-memory.dmp
memory/956-5-0x0000000073D80000-0x000000007446E000-memory.dmp
memory/956-6-0x0000000005B30000-0x0000000005B40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs
| MD5 | ed6d432bdbf28ed6ac0cf59692f5e0fe |
| SHA1 | 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7 |
| SHA256 | 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe |
| SHA512 | 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e |
memory/1728-12-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2188-14-0x0000000073D80000-0x000000007446E000-memory.dmp
memory/956-18-0x0000000073D80000-0x000000007446E000-memory.dmp
memory/1728-17-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2188-20-0x0000000006840000-0x0000000006850000-memory.dmp
memory/1728-21-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2188-22-0x0000000006840000-0x0000000006850000-memory.dmp
memory/2188-19-0x0000000004180000-0x00000000041B6000-memory.dmp
memory/2188-23-0x0000000006E80000-0x00000000074A8000-memory.dmp
memory/1728-24-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2188-25-0x0000000006BD0000-0x0000000006BF2000-memory.dmp
memory/2188-27-0x0000000006C70000-0x0000000006CD6000-memory.dmp
memory/2188-26-0x00000000074B0000-0x0000000007516000-memory.dmp
memory/2188-28-0x00000000075E0000-0x0000000007930000-memory.dmp
memory/2188-29-0x0000000006E60000-0x0000000006E7C000-memory.dmp
memory/2188-30-0x00000000079F0000-0x0000000007A3B000-memory.dmp
memory/2188-31-0x0000000007D50000-0x0000000007DC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmppylky.epu.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1728-45-0x0000000070450000-0x000000007048A000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
memory/1132-74-0x00000000013C0000-0x00000000017C4000-memory.dmp
\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/1132-81-0x00000000704C0000-0x00000000704E4000-memory.dmp
memory/1132-82-0x000000006F9F0000-0x000000006FAB8000-memory.dmp
memory/1132-78-0x000000006F8D0000-0x000000006F99E000-memory.dmp
\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
memory/2188-83-0x0000000008B40000-0x0000000008B73000-memory.dmp
memory/1132-85-0x000000006F600000-0x000000006F8CF000-memory.dmp
memory/2188-84-0x0000000070AA0000-0x0000000070AEB000-memory.dmp
memory/2188-86-0x00000000067D0000-0x00000000067EE000-memory.dmp
memory/1132-93-0x0000000000880000-0x0000000000908000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc
| MD5 | 10e4369f9761d5401203f24a43aec777 |
| SHA1 | f6237d60d66f0bdc642836387c2e9adaf60114d2 |
| SHA256 | 1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976 |
| SHA512 | 7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb |
memory/1132-90-0x000000006F460000-0x000000006F4E8000-memory.dmp
memory/1132-89-0x00000000017D0000-0x0000000001A9F000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/1132-97-0x000000006F9A0000-0x000000006F9E9000-memory.dmp
memory/1132-98-0x000000006F4F0000-0x000000006F5FA000-memory.dmp
memory/2188-99-0x000000007EF40000-0x000000007EF50000-memory.dmp
memory/2188-100-0x0000000008C70000-0x0000000008D15000-memory.dmp
memory/2188-101-0x0000000006840000-0x0000000006850000-memory.dmp
memory/2188-102-0x00000000090D0000-0x0000000009164000-memory.dmp
memory/1728-277-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1728-278-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1728-280-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1728-282-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1728-284-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1728-287-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1728-294-0x000000006ED80000-0x000000006EDBA000-memory.dmp
memory/2188-302-0x0000000008F50000-0x0000000008F6A000-memory.dmp
memory/2188-307-0x0000000008F40000-0x0000000008F48000-memory.dmp
memory/2188-323-0x0000000073D80000-0x000000007446E000-memory.dmp
memory/1132-324-0x00000000013C0000-0x00000000017C4000-memory.dmp
memory/1132-326-0x000000006F8D0000-0x000000006F99E000-memory.dmp
memory/1132-328-0x000000006F9F0000-0x000000006FAB8000-memory.dmp
memory/1132-327-0x00000000704C0000-0x00000000704E4000-memory.dmp
memory/1132-329-0x000000006F600000-0x000000006F8CF000-memory.dmp
memory/1728-332-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1132-333-0x00000000013C0000-0x00000000017C4000-memory.dmp
memory/1132-334-0x00000000013C0000-0x00000000017C4000-memory.dmp
memory/1132-342-0x0000000000880000-0x0000000000908000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp
| MD5 | 6fcc4b924d58bbb8462b7ee1961c7977 |
| SHA1 | 41e1e2d4561bb169144e7d1a08c6a7f3dc731c2d |
| SHA256 | edbc99c46f9d6785d0cedf6fa6de99e6c7a20187a738e29d55258584db2660ed |
| SHA512 | 2d3539570f1a6024c291c25a3aed2f61668ec03aa614b92118380a60510fab72878539f0bc3d51e1c8ce20f3b26400c35cd714fcf146dd3288a8da861ee5a6fe |
memory/1132-355-0x00000000013C0000-0x00000000017C4000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
| MD5 | e1eb369d6008a51b10a5b4b1c59fb0d2 |
| SHA1 | f08b486431a0969a7b0bbfb5126282b8e9582591 |
| SHA256 | 07d53f51caf305839e979e8b91dccac44355584ec67d29680b13f95cd9970200 |
| SHA512 | bd9af2688ba4ab95929ca50b5a92f5f679407e6d86592b715c86a06d7071a166cd2af3b7960e2af0576a56dc5501922d3eb350ba2570ba6b166935945ab53760 |
memory/1132-379-0x00000000013C0000-0x00000000017C4000-memory.dmp
memory/1728-387-0x00000000742E0000-0x000000007431A000-memory.dmp
memory/1132-388-0x00000000013C0000-0x00000000017C4000-memory.dmp
memory/1728-396-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1132-397-0x00000000013C0000-0x00000000017C4000-memory.dmp
memory/1728-413-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1728-415-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1132-416-0x00000000013C0000-0x00000000017C4000-memory.dmp
memory/4112-428-0x00000000013C0000-0x00000000017C4000-memory.dmp
memory/4112-430-0x000000006F600000-0x000000006F8CF000-memory.dmp
memory/4112-431-0x000000006F9F0000-0x000000006FAB8000-memory.dmp
memory/4112-433-0x000000006F8D0000-0x000000006F99E000-memory.dmp
memory/4112-435-0x000000006F9A0000-0x000000006F9E9000-memory.dmp
memory/4112-437-0x00000000704C0000-0x00000000704E4000-memory.dmp
memory/4112-439-0x000000006F4F0000-0x000000006F5FA000-memory.dmp
memory/4112-441-0x000000006F460000-0x000000006F4E8000-memory.dmp
memory/4112-450-0x00000000704C0000-0x00000000704E4000-memory.dmp
memory/4112-451-0x000000006F4F0000-0x000000006F5FA000-memory.dmp
memory/4112-452-0x000000006F460000-0x000000006F4E8000-memory.dmp
memory/4112-453-0x00000000013C0000-0x00000000017C4000-memory.dmp
memory/4112-454-0x000000006F600000-0x000000006F8CF000-memory.dmp
memory/4112-455-0x000000006F9F0000-0x000000006FAB8000-memory.dmp
memory/4112-456-0x000000006F8D0000-0x000000006F99E000-memory.dmp
memory/4112-457-0x000000006F9A0000-0x000000006F9E9000-memory.dmp
memory/1728-458-0x0000000073890000-0x00000000738CA000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state
| MD5 | f94182b1743f2941a9d5d75c3d31f4ed |
| SHA1 | d116b9ef97c179db3bd8727bd900c6f1a5494236 |
| SHA256 | 22fdfa07f2d32d907a42cb2108a0d570b2d8680685dcde2210943e23291c86fc |
| SHA512 | 4c49a0811899e44b51dcfe10d9efd33da32dbff54944656f84cee178d2044aec4e3d74326a676fe21beb1768653542e69d8a18f873172b042d9aa4e9999a077b |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs
| MD5 | d233858696aa314b62366514bedd9603 |
| SHA1 | 2cba9148f94de2a19bd81798fd4d21bd53ae8c42 |
| SHA256 | d16c721c3a15a9e1717fd0e8ae0dd9bd65a428ceb3367093afe65db9a62e477a |
| SHA512 | ef738a63b30dd130df29e4ce60e9d0e5f6f87c8e53149ebc664c3bfb319b45e378f21d11d1f7108661191bf86b0505f7a1c55681c141e33e8b5a96cf4a1f5361 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
| MD5 | 4c06ddf56ef118c47388bf0b06363886 |
| SHA1 | 4053d9db12e88ccfe28c94a512680c78647234c5 |
| SHA256 | be5866d5b22d720ca0e273f7b2d6e4f8b2378a9aa6be5fe8508d0451abe13717 |
| SHA512 | 2df006987189508b576b972bacbcd8d84c32cc6997ffbe6c171ac10928cc73c3897cacf41f1f3fea8dd547c019cf451cdc6386a1de76530fe4e494025a506de0 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state
| MD5 | 66082756a6c8caa27d02a25798af8a86 |
| SHA1 | 7a56b6ce65c41fd94f4c0d308309b8e00dd3b728 |
| SHA256 | 747297601504f782f2314017c1d838eb7fbe83c5c9f2843fe12f121232f38dc2 |
| SHA512 | 99c1b20240b3a1db1edf5a1255e1fdc8ba2391d919b7291756851776e51a7798aba9065095ad07c0f7bece9a6a2d0d48c5dc3e308297aa830711139de45f3dad |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-10 11:59
Reported
2024-04-10 12:04
Platform
win10v2004-20240319-en
Max time kernel
301s
Max time network
307s
Command Line
Signatures
BitRAT
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A (7 matches, no indicator detail reported) | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A (38 matches, no indicator detail reported) | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3596 set thread context of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
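The process listing above, together with the "Modifies WinLogon for persistence" signature, shows the three host artifacts worth checking for after this sample: the per-user Winlogon\Shell value rewritten to launch a second binary after explorer.exe, a Defender path exclusion for the whole of C:\ added through powershell.exe, and a renamed Tor client (windows32file.exe) started with "-f torrc" next to its libevent/OpenSSL DLLs and data directory. The following PowerShell is an added triage example, not part of the sandbox report or of any tool it names; the variable and function names are the author's own, and it assumes an elevated session on a Windows host (the Defender cmdlets and event log are skipped where absent). The reading of the repeated 127.0.0.1:45808 connections as a fixed SocksPort is an inference from the network tables, not something the report states.

```powershell
# Added triage example (not from the sandbox report). Run elevated: HKU
# enumeration, Get-MpPreference and Get-NetTCPConnection need admin rights.
# $findings, Add-Finding and $torMarkers are the author's names, not the report's.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Detail) {
    # The list is a reference type, so the parent-scope object is mutated in place.
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Winlogon\Shell. The only legitimate entry is explorer.exe. The sample writes
#    'explorer.exe,"C:\Users\...\chrome\google\chrome.exe",' into the user hive,
#    so any extra comma-separated entry is a finding. Check HKLM and every loaded
#    user hive (the per-user value is honoured at logon too).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$winlogon  = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shellKeys = @("HKLM:\$winlogon") + @(Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\$winlogon" })
foreach ($key in $shellKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { continue }            # no per-user Shell value is the normal state
    $extra = ($shell -split ',') | ForEach-Object { $_.Trim().Trim('"') } |
             Where-Object { $_ -and $_ -ne 'explorer.exe' }
    if ($extra) { Add-Finding 'WinlogonShell' "$key  Shell=$shell" }
}

# 2. Defender exclusions. The sample runs
#    powershell.exe Add-MpPreference -ExclusionPath C:\,'C:\Users\...\chrome.exe'
#    A drive-root exclusion switches scanning off for the whole volume, so flag
#    drive roots and anything under a user profile.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and ($p -match '^[A-Za-z]:\\?$' -or $p -match '\\Users\\')) {
            Add-Finding 'DefenderExclusion' $p
        }
    }
    # Every configuration change is logged as event 5007 in the Defender operational
    # log; its message names the changed value under Exclusions\Paths.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        ForEach-Object {
            $m = $_.Message -replace '\s+', ' '
            Add-Finding 'DefenderExclusionEvent' "$($_.TimeCreated.ToString('s')) $($m.Substring(0, [Math]::Min(200, $m.Length)))"
        }
}

# 3. Renamed Tor client. windows32file.exe in the report is Tor under another name:
#    started with "-f torrc", beside libevent-2-1-6.dll / libssl-1_1.dll, with a
#    data\ directory holding cached-microdesc-consensus and state. Match on the
#    command line and the data files, never on the binary name, which is arbitrary.
$torProcs = @(Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -match '(^|\s)-f\s+\S*torrc\b' })
foreach ($proc in $torProcs) { Add-Finding 'TorProcess' "PID $($proc.ProcessId): $($proc.CommandLine)" }
$torMarkers = 'torrc', 'cached-microdesc-consensus*', 'cached-microdescs.new', 'libevent-2-1-6.dll'
Get-ChildItem "$env:SystemDrive\Users\*\AppData" -Recurse -Force -Include $torMarkers -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'TorArtifact' $_.FullName }

# 4. Live sockets. A Tor client talks to itself over a loopback SOCKS port (the
#    tables above show 127.0.0.1:45808 on every detonation, consistent with a fixed
#    SocksPort in the dropped torrc) and holds TCP sessions to relay ORPorts, by
#    default 9001 and frequently 443. Tie both to the owning PID so they go together.
$torPids = @($torProcs | ForEach-Object { $_.ProcessId })
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { ($_.OwningProcess -in $torPids) -or
                   ($_.State -eq 'Established' -and $_.RemotePort -in @(9001, 9030)) } |
    ForEach-Object {
        Add-Finding 'TorSocket' "PID $($_.OwningProcess) $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State)"
    }

$findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
```

Findings of kind WinlogonShell and DefenderExclusion are the ones to remediate first: resetting Shell to explorer.exe and removing the C:\ exclusion (Remove-MpPreference -ExclusionPath) takes away both the relaunch-at-logon path and the scanning blind spot before the dropped binaries are collected and deleted. Port 443 is deliberately not used as a Tor indicator on its own; a relay ORPort on 443 is only distinguishable from ordinary HTTPS by the owning process or by the relay IP, which is why step 4 keys on the PIDs found in step 3.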
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 142.250.179.202:443 | | tcp |
| IE | 94.245.104.56:443 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| GB | 51.140.242.104:443 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| GB | 51.140.244.186:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 81.7.11.186:443 | | tcp |
| NO | 193.35.52.53:9001 | | tcp |
| DE | 31.185.104.20:443 | | tcp |
| NL | 45.66.33.45:443 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 50.7.74.170:9001 | | tcp |
| DE | 131.188.40.189:443 | | tcp |
| US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp |
| N/A | 127.0.0.1:49936 | | tcp |
| US | 51.81.56.228:443 | | tcp |
| US | 135.148.53.59:443 | | tcp |
| US | 8.8.8.8:53 | 228.56.81.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.53.148.135.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| EE | 195.50.212.15:8080 | | tcp |
| US | 135.148.53.59:443 | | tcp |
| US | 51.81.56.228:443 | | tcp |
| US | 8.8.8.8:53 | 15.212.50.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.101.63.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:50087 | | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50133 | | tcp |
| ES | 83.97.79.191:8443 | | tcp |
| MD | 178.17.170.172:443 | | tcp |
| US | 8.8.8.8:53 | 191.79.97.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.170.17.178.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:50192 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:50285 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50324 | | tcp |
| DE | 91.143.81.212:80 | | tcp |
| ES | 83.97.79.191:8443 | | tcp |
| US | 8.8.8.8:53 | 212.81.143.91.in-addr.arpa | udp |
Files
memory/3596-0-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/3596-1-0x00000000009C0000-0x0000000000EE0000-memory.dmp
memory/3596-2-0x0000000005990000-0x00000000059A0000-memory.dmp
memory/3596-3-0x00000000019A0000-0x00000000019AA000-memory.dmp
memory/3596-4-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/3596-5-0x00000000033A0000-0x00000000033BE000-memory.dmp
memory/3596-6-0x0000000005990000-0x00000000059A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs
| MD5 | ed6d432bdbf28ed6ac0cf59692f5e0fe |
| SHA1 | 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7 |
| SHA256 | 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe |
| SHA512 | 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e |
memory/1716-12-0x00000000051A0000-0x00000000051D6000-memory.dmp
memory/1716-14-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1716-16-0x0000000002E10000-0x0000000002E20000-memory.dmp
memory/1716-19-0x0000000002E10000-0x0000000002E20000-memory.dmp
memory/644-13-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1716-15-0x0000000005810000-0x0000000005E38000-memory.dmp
memory/3596-20-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/644-21-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-18-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1716-22-0x0000000005760000-0x0000000005782000-memory.dmp
memory/644-23-0x0000000000400000-0x0000000000BD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_beiaatfw.3n4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1716-24-0x0000000006030000-0x0000000006096000-memory.dmp
memory/1716-30-0x0000000006110000-0x0000000006176000-memory.dmp
memory/1716-35-0x0000000006180000-0x00000000064D4000-memory.dmp
memory/1716-36-0x0000000006720000-0x000000000673E000-memory.dmp
memory/1716-37-0x0000000006760000-0x00000000067AC000-memory.dmp
memory/1716-39-0x0000000002E10000-0x0000000002E20000-memory.dmp
memory/644-38-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-40-0x0000000070380000-0x00000000703B9000-memory.dmp
memory/1716-41-0x000000007EE70000-0x000000007EE80000-memory.dmp
memory/1716-42-0x0000000006CF0000-0x0000000006D22000-memory.dmp
memory/1716-43-0x00000000707C0000-0x000000007080C000-memory.dmp
memory/1716-53-0x00000000078F0000-0x000000000790E000-memory.dmp
memory/1716-54-0x0000000007910000-0x00000000079B3000-memory.dmp
memory/1716-64-0x0000000008070000-0x00000000086EA000-memory.dmp
memory/1716-65-0x0000000007A30000-0x0000000007A4A000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/568-84-0x0000000000880000-0x0000000000C84000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/568-92-0x000000006F5B0000-0x000000006F67E000-memory.dmp
memory/568-95-0x0000000001C50000-0x0000000001CD8000-memory.dmp
memory/568-94-0x000000006F3E0000-0x000000006F468000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc
| MD5 | 10e4369f9761d5401203f24a43aec777 |
| SHA1 | f6237d60d66f0bdc642836387c2e9adaf60114d2 |
| SHA256 | 1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976 |
| SHA512 | 7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb |
memory/568-96-0x000000006F110000-0x000000006F3DF000-memory.dmp
memory/568-93-0x000000006F470000-0x000000006F57A000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/568-85-0x000000006F680000-0x000000006F6C9000-memory.dmp
memory/568-100-0x000000006F6D0000-0x000000006F798000-memory.dmp
memory/1716-101-0x0000000007CB0000-0x0000000007D46000-memory.dmp
memory/568-102-0x000000006F580000-0x000000006F5A4000-memory.dmp
memory/568-103-0x0000000001C50000-0x0000000001F1F000-memory.dmp
memory/1716-79-0x0000000007AA0000-0x0000000007AAA000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
memory/1716-104-0x0000000007C50000-0x0000000007C61000-memory.dmp
memory/1716-105-0x0000000007C80000-0x0000000007C8E000-memory.dmp
memory/1716-106-0x0000000007C90000-0x0000000007CA4000-memory.dmp
memory/1716-107-0x0000000007D90000-0x0000000007DAA000-memory.dmp
memory/1716-108-0x0000000007D70000-0x0000000007D78000-memory.dmp
memory/1716-111-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/644-112-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-113-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-114-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-115-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-116-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-117-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-118-0x0000000075150000-0x0000000075189000-memory.dmp
memory/568-119-0x0000000000880000-0x0000000000C84000-memory.dmp
memory/568-122-0x000000006F5B0000-0x000000006F67E000-memory.dmp
memory/568-121-0x000000006F680000-0x000000006F6C9000-memory.dmp
memory/568-126-0x000000006F110000-0x000000006F3DF000-memory.dmp
memory/644-127-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/568-128-0x0000000000880000-0x0000000000C84000-memory.dmp
memory/568-136-0x0000000000880000-0x0000000000C84000-memory.dmp
memory/568-137-0x0000000001C50000-0x0000000001CD8000-memory.dmp
memory/568-143-0x0000000001C50000-0x0000000001F1F000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp
| MD5 | 6fcc4b924d58bbb8462b7ee1961c7977 |
| SHA1 | 41e1e2d4561bb169144e7d1a08c6a7f3dc731c2d |
| SHA256 | edbc99c46f9d6785d0cedf6fa6de99e6c7a20187a738e29d55258584db2660ed |
| SHA512 | 2d3539570f1a6024c291c25a3aed2f61668ec03aa614b92118380a60510fab72878539f0bc3d51e1c8ce20f3b26400c35cd714fcf146dd3288a8da861ee5a6fe |
memory/568-151-0x0000000000880000-0x0000000000C84000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
| MD5 | f4446f40caefbbb3238c932584c30748 |
| SHA1 | 328e9eb0ca860d22c325f4ce180a7f7589610794 |
| SHA256 | e4ee52381a050d151583dacbd9a57ed867f972db9081d9ded246c4002bb02262 |
| SHA512 | 345d4631751bd7f926b97d9d190290499995eaff5d9aaf887c2e1d22a46781f64746d46d712579899455e644dbf354f80f52281927d7681097f4bf80425e0063 |
memory/568-174-0x0000000000880000-0x0000000000C84000-memory.dmp
memory/568-182-0x0000000000880000-0x0000000000C84000-memory.dmp
memory/644-190-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-197-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/644-199-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/568-200-0x0000000000880000-0x0000000000C84000-memory.dmp
memory/4108-214-0x000000006F6D0000-0x000000006F798000-memory.dmp
memory/4108-216-0x000000006F5B0000-0x000000006F67E000-memory.dmp
memory/4108-218-0x000000006F680000-0x000000006F6C9000-memory.dmp
memory/4108-221-0x000000006F470000-0x000000006F57A000-memory.dmp
memory/4108-223-0x000000006F3E0000-0x000000006F468000-memory.dmp
memory/4108-225-0x000000006F110000-0x000000006F3DF000-memory.dmp
memory/4108-224-0x0000000000880000-0x0000000000C84000-memory.dmp
memory/4108-220-0x000000006F580000-0x000000006F5A4000-memory.dmp
memory/4108-233-0x000000006F6D0000-0x000000006F798000-memory.dmp
memory/4108-234-0x000000006F5B0000-0x000000006F67E000-memory.dmp
memory/644-235-0x0000000073950000-0x0000000073989000-memory.dmp
memory/3156-250-0x0000000000880000-0x0000000000C84000-memory.dmp
memory/3156-252-0x00000000734D0000-0x0000000073598000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state
| MD5 | 96d770fdcd464d015eb78b0d282971e8 |
| SHA1 | 49df0e53202b854a32882e95a36e0fb9108ce481 |
| SHA256 | 16dc388f18ea49fe66ac238c577cb4b2adc241e0558d79756d0c9d75f8a67aa2 |
| SHA512 | 5df2954e83ea2c84bd7fcaacfd37807972932833c711357b6e440029c56e0764f942dfe1a56caa5a6119450a47a60fbeedfd3e5fd22deda8574c5e5160e8c9d7 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs
| MD5 | 3f2585903616d7d7dda07d3f36501afd |
| SHA1 | c3fb85f32a7c36a89c2034e67e6abdaf927e7eb0 |
| SHA256 | 26a9ce15fcc0f0fde17cba542cefe893e72c080567818ccdafba59d9779134d3 |
| SHA512 | 2b072b685669c7123a00369799ac4f0c4f6052606003e5a8b92ee86e2cacaf06ad796a87c2bdb07c38bc51ab98a225f9ffd3ac4508c01cad002f5b98360c5eb4 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
| MD5 | 0a0b04e69e5d6f074880b8b954100fe2 |
| SHA1 | b94eb8b2b978709920b70dd2bfc1b7bad743b5e6 |
| SHA256 | aec65894883057205eae83a5bbceae7cd19cdf68c3b7732ad274f36c74ed88d0 |
| SHA512 | 1f7379b2a395906332a6eb5fbadb6ca6ab7712c56243169be05d2d5130f6853bdecbbdf14eda0b4f8e1a253fb7721e6109199a2c409626495b60dc2a212ddb88 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-10 11:59
Reported
2024-04-10 12:04
Platform
win11-20240221-en
Max time kernel
297s
Max time network
306s
Command Line
Signatures
BitRAT
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1040 set thread context of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| DK | 85.235.250.88:443 | | tcp |
| DE | 185.220.101.48:20048 | | tcp |
| FR | 178.33.183.251:443 | | tcp |
| N/A | 127.0.0.1:49807 | | tcp |
| FR | 92.222.38.67:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| SE | 193.11.114.43:9001 | | tcp |
| AT | 86.59.21.38:443 | | tcp |
| US | 8.8.8.8:53 | 43.114.11.193.in-addr.arpa | udp |
| US | 38.154.240.58:443 | | tcp |
| FR | 141.95.146.50:443 | | tcp |
| US | 8.8.8.8:53 | 58.240.154.38.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| FR | 141.95.146.50:443 | | tcp |
| US | 38.154.240.58:443 | | tcp |
| N/A | 127.0.0.1:49980 | | tcp |
| DE | 148.251.46.115:9001 | | tcp |
| FR | 45.158.77.29:9300 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50071 | | tcp |
| N/A | 127.0.0.1:50107 | | tcp |
| US | 135.148.150.99:443 | | tcp |
| US | 38.108.119.208:9001 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50175 | | tcp |
| N/A | 127.0.0.1:50209 | | tcp |
| FI | 95.216.19.41:9030 | | tcp |
| US | 135.148.150.99:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| CA | 192.95.29.105:9001 | | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50269 | | tcp |
| US | 50.7.74.172:443 | | tcp |
| FI | 95.216.19.41:9030 | | tcp |
| US | 135.148.150.99:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
Files
memory/1040-0-0x0000000074AD0000-0x0000000075281000-memory.dmp
memory/1040-1-0x0000000000C20000-0x0000000001140000-memory.dmp
memory/1040-2-0x0000000005B90000-0x0000000005BA0000-memory.dmp
memory/1040-3-0x00000000034A0000-0x00000000034AA000-memory.dmp
memory/1040-4-0x0000000005BA0000-0x0000000005BBE000-memory.dmp
memory/1040-5-0x0000000074AD0000-0x0000000075281000-memory.dmp
memory/1040-6-0x0000000005B90000-0x0000000005BA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs
| MD5 | ed6d432bdbf28ed6ac0cf59692f5e0fe |
| SHA1 | 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7 |
| SHA256 | 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe |
| SHA512 | 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e |
memory/4976-14-0x00000000024A0000-0x00000000024D6000-memory.dmp
memory/4976-13-0x0000000074AD0000-0x0000000075281000-memory.dmp
memory/4976-16-0x0000000004920000-0x0000000004930000-memory.dmp
memory/4428-17-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4428-12-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4976-19-0x0000000004F60000-0x000000000558A000-memory.dmp
memory/4428-20-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1040-21-0x0000000074AD0000-0x0000000075281000-memory.dmp
memory/4976-15-0x0000000004920000-0x0000000004930000-memory.dmp
memory/4976-22-0x0000000004E00000-0x0000000004E22000-memory.dmp
memory/4976-23-0x0000000005700000-0x0000000005766000-memory.dmp
memory/4976-24-0x0000000005770000-0x00000000057D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnulhxo1.yvd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4976-33-0x0000000005860000-0x0000000005BB7000-memory.dmp
memory/4976-34-0x0000000005CC0000-0x0000000005CDE000-memory.dmp
memory/4976-35-0x0000000005CF0000-0x0000000005D3C000-memory.dmp
memory/4428-36-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4428-38-0x00000000708C0000-0x00000000708FC000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
memory/3844-58-0x0000000000EF0000-0x00000000012F4000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/3844-68-0x000000006FCA0000-0x000000006FD68000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
memory/3844-74-0x00000000707E0000-0x0000000070804000-memory.dmp
memory/3844-75-0x000000006FC10000-0x000000006FC98000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc
| MD5 | 10e4369f9761d5401203f24a43aec777 |
| SHA1 | f6237d60d66f0bdc642836387c2e9adaf60114d2 |
| SHA256 | 1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976 |
| SHA512 | 7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb |
memory/3844-71-0x000000006FDC0000-0x000000006FE8E000-memory.dmp
memory/3844-79-0x0000000001DB0000-0x000000000207F000-memory.dmp
memory/3844-80-0x000000006F830000-0x000000006FAFF000-memory.dmp
memory/3844-81-0x000000006FB00000-0x000000006FC0A000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/4976-82-0x0000000004920000-0x0000000004930000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/3844-63-0x000000006FD70000-0x000000006FDB9000-memory.dmp
memory/4976-83-0x000000007F190000-0x000000007F1A0000-memory.dmp
memory/4976-84-0x00000000062F0000-0x0000000006324000-memory.dmp
memory/4976-94-0x00000000062B0000-0x00000000062CE000-memory.dmp
memory/4976-85-0x0000000070D60000-0x0000000070DAC000-memory.dmp
memory/4976-95-0x0000000006D10000-0x0000000006DB4000-memory.dmp
memory/4976-96-0x00000000076C0000-0x0000000007D3A000-memory.dmp
memory/4976-97-0x0000000006330000-0x000000000634A000-memory.dmp
memory/4976-98-0x0000000007090000-0x000000000709A000-memory.dmp
memory/4976-99-0x00000000072A0000-0x0000000007336000-memory.dmp
memory/4976-100-0x0000000007220000-0x0000000007231000-memory.dmp
memory/4976-101-0x0000000007250000-0x000000000725E000-memory.dmp
memory/4976-102-0x0000000007260000-0x0000000007275000-memory.dmp
memory/4976-103-0x0000000007360000-0x000000000737A000-memory.dmp
memory/4976-104-0x0000000074AD0000-0x0000000075281000-memory.dmp
memory/4428-105-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4428-106-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4428-107-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4428-108-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4428-109-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4976-110-0x0000000007350000-0x0000000007358000-memory.dmp
memory/4428-111-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4976-112-0x0000000004920000-0x0000000004930000-memory.dmp
memory/4428-113-0x000000006EE60000-0x000000006EE9C000-memory.dmp
memory/4976-116-0x0000000074AD0000-0x0000000075281000-memory.dmp
memory/3844-117-0x0000000000EF0000-0x00000000012F4000-memory.dmp
memory/3844-118-0x000000006FDC0000-0x000000006FE8E000-memory.dmp
memory/3844-119-0x000000006FD70000-0x000000006FDB9000-memory.dmp
memory/3844-120-0x00000000707E0000-0x0000000070804000-memory.dmp
memory/3844-121-0x000000006FCA0000-0x000000006FD68000-memory.dmp
memory/4428-125-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/3844-126-0x0000000000EF0000-0x00000000012F4000-memory.dmp
memory/3844-127-0x0000000000EF0000-0x00000000012F4000-memory.dmp
memory/3844-135-0x0000000001DB0000-0x000000000207F000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus
| MD5 | 381cc5ba2ce158b71214b0d01a0b1a5c |
| SHA1 | d7c546b983b31d2785f46e3b097992f96445074d |
| SHA256 | ad8060faee1771ee0547d651d4cceee52263e534b0cf84efa75f6c0bab1187ec |
| SHA512 | 8fc885b883e058bb907a3eb8d2a88bfa6729d114f926db80c15af03aa01f2e8833727c80e77903a730c7721f9e3730e6a95cd4d938c7da24c0848ff34691f8b4 |
memory/3844-144-0x0000000000EF0000-0x00000000012F4000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
| MD5 | 8a873e0ff34859d7e04f3b7cb765dadf |
| SHA1 | c83a16d35c4955a0584feb18548fbc28007a74e9 |
| SHA256 | 343c54d20d2f234e1db2cd0cff024801c2a4b96ee11c7fd19b44dfdb63a289d0 |
| SHA512 | 3707d829d9711e76b4b11de270c7623a7d14339c7e27b35f84f4a84cef50d68c834281f8dd67a62d31172468a223e7d61276ed6dbc6be20ac18328442a94ffbf |
memory/3844-159-0x0000000000EF0000-0x00000000012F4000-memory.dmp
memory/4428-167-0x00000000752E0000-0x000000007531C000-memory.dmp
memory/3844-177-0x0000000000EF0000-0x00000000012F4000-memory.dmp
memory/3844-185-0x0000000000EF0000-0x00000000012F4000-memory.dmp
memory/3844-193-0x0000000000EF0000-0x00000000012F4000-memory.dmp
memory/3844-226-0x0000000000EF0000-0x00000000012F4000-memory.dmp
memory/340-227-0x000000006F830000-0x000000006FAFF000-memory.dmp
memory/340-228-0x000000006FCA0000-0x000000006FD68000-memory.dmp
memory/340-230-0x0000000000EF0000-0x00000000012F4000-memory.dmp
memory/340-229-0x000000006FDC0000-0x000000006FE8E000-memory.dmp
memory/340-233-0x000000006FD70000-0x000000006FDB9000-memory.dmp
memory/340-237-0x000000006FB00000-0x000000006FC0A000-memory.dmp
memory/340-238-0x000000006FC10000-0x000000006FC98000-memory.dmp
memory/340-235-0x00000000707E0000-0x0000000070804000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs
| MD5 | 6f17da946d9ea995a3eb6b162d4a09ef |
| SHA1 | b6336bc4b109439d511099fe1d07a10e47b5f562 |
| SHA256 | 30de01d1f4e6dd101905a2ed8723f1145fd47b5bc74343fc885e3f824fead344 |
| SHA512 | 94c253c3fcee0766508755bda8e0934c31ab279af12e5b7887a2ab805c5363b83307c0b95a460cc65a92172e4ffe791d36e0479229653ceae9df0c44a210889d |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state
| MD5 | 5c3178ffeb15569fbfaa129b7121a21b |
| SHA1 | 0ca3d373a4b8bcf5445550198c7e739daf7fe02d |
| SHA256 | a41994a8db1cba579e24dbbec0eb297e8e5dbf77200a278c60826ff0c421221c |
| SHA512 | 5c606e7e7f604e074f235df8c28acec207a843910f7c5f89e687f0b1c4e7d0bdb6fd1a985facf307fda7ec2936107df60da8481db3f9b8cd03a7172fb47b5abd |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
| MD5 | b8c9d2defc79e0478b0e0f4f8a2a08b7 |
| SHA1 | cd39caadacdc7d724a28ab41df2151d755252411 |
| SHA256 | ec45fbf67324f84c65b059d8c1bb69d09ca67e235556a4d19c06e118b84903a9 |
| SHA512 | b85a2894a7869125ea27e5c59abd5040c78e18671e1bd801ea812b92dbfac6dcb093c9016c1c8269f284893ea1174c29ff3328ecd4c8a32ca11641513f459bb4 |
memory/4428-261-0x0000000074C40000-0x0000000074C7C000-memory.dmp
memory/340-262-0x000000006F830000-0x000000006FAFF000-memory.dmp
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state
| MD5 | 5e2088899713b3031968e25a89802651 |
| SHA1 | 9a8bb7087a7fc68098496ba5b799e9673c83fe05 |
| SHA256 | d555c7f2ac4819a179ab2adce11f0b6342158d11abd35939afc328ed7d588c07 |
| SHA512 | 5b417b7f68673dededdb0002eb6f2c5df75e962d1531a849afd39ec4c206c45327ea735ad77a38b1bb87b38f9b76c1a18d5e1e9d72e3a89e5bc1ec17384f7d8c |
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs
| MD5 | 1c35eb32d1c98e9472d986e0789a16bf |
| SHA1 | 3ce89c349e5ca5979ff8ec80b80a26763385ec84 |
| SHA256 | 8e7e16689825032aa9bf518fd3563aa0c0b7666153fdbc2a8e4ee38b6aff4cd6 |
| SHA512 | 92351f33d6598a347e884d958813f22a42cf9905f3237b0578a789c661b9f3f4b6c93bf778dd56191fd7dd95612b8f315511d6ce3d0189cc9fb40bf7b765fcd1 |