Malware Analysis Report

2024-10-18 21:10

Sample ID 240410-n5rdyaeg87
Target 9cba67b5a3086744c0d4f831079b319b
SHA256 28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486
Tags
bitrat persistence trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486

Threat Level: Known bad

The file 9cba67b5a3086744c0d4f831079b319b was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

BitRAT

Modifies WinLogon for persistence

UPX packed file

Executes dropped EXE

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 11:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 11:59

Reported

2024-04-10 12:04

Platform

win7-20240319-en

Max time kernel

298s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

Signatures

BitRAT

trojan bitrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target Count
N/A N/A N/A N/A 7

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A 9
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A 55

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 59

Looks up external IP address via web service

Description Indicator Process Target Count
N/A myexternalip.com N/A N/A 2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1900 set thread context of 2944 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1900 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe 4
PID 2600 wrote to memory of 2448 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 1900 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe 13
PID 2944 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 4
PID 2944 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe (11 instances, each started with the same command line)

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

Network

Country Destination Domain Proto
DE 5.189.169.190:8080 tcp
SE 193.11.164.243:9001 tcp
IS 89.147.109.91:443 tcp
US 198.251.76.239:443 tcp
N/A 127.0.0.1:49285 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49373 tcp
DE 46.38.255.10:1443 tcp
GB 144.21.52.220:9282 tcp
N/A 127.0.0.1:49416 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49492 tcp
N/A 127.0.0.1:49535 tcp
DE 185.162.251.122:9001 tcp
FR 163.172.76.56:9001 tcp
NL 50.118.225.160:444 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49594 tcp
N/A 127.0.0.1:49626 tcp
FI 65.108.198.216:443 tcp
PL 95.214.53.96:8445 tcp
FR 163.172.76.56:9001 tcp
FI 65.108.198.216:443 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:49707 tcp
N/A 127.0.0.1:49746 tcp
DE 31.185.104.20:443 tcp
FR 163.172.76.56:9001 tcp
FI 65.108.198.216:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49800 tcp
N/A 127.0.0.1:49833 tcp
US 66.111.2.16:9001 tcp
FR 163.172.76.56:9001 tcp
FI 65.108.198.216:443 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/1900-1-0x00000000749E0000-0x00000000750CE000-memory.dmp

memory/1900-0-0x0000000000CC0000-0x00000000011E0000-memory.dmp

memory/1900-2-0x0000000004C10000-0x0000000004C50000-memory.dmp

memory/1900-3-0x0000000000300000-0x000000000030A000-memory.dmp

memory/1900-4-0x0000000000510000-0x000000000052E000-memory.dmp

memory/1900-5-0x00000000749E0000-0x00000000750CE000-memory.dmp

memory/1900-6-0x0000000004C10000-0x0000000004C50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs

MD5 ed6d432bdbf28ed6ac0cf59692f5e0fe
SHA1 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7
SHA256 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe
SHA512 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e

memory/2944-12-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-14-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-16-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-17-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-19-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-21-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-23-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-25-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2944-28-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1900-32-0x00000000749E0000-0x00000000750CE000-memory.dmp

memory/2944-33-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2448-34-0x0000000071120000-0x00000000716CB000-memory.dmp

memory/2448-35-0x0000000000210000-0x0000000000250000-memory.dmp

memory/2448-36-0x0000000071120000-0x00000000716CB000-memory.dmp

memory/2944-37-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2448-38-0x0000000000210000-0x0000000000250000-memory.dmp

\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2944-58-0x00000000044C0000-0x00000000048C4000-memory.dmp

memory/2944-59-0x00000000044C0000-0x00000000048C4000-memory.dmp

memory/1920-60-0x0000000000D30000-0x0000000001134000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/1920-66-0x0000000072010000-0x0000000072059000-memory.dmp

memory/1920-63-0x00000000707F0000-0x0000000070ABF000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/1920-69-0x0000000071900000-0x00000000719C8000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/1920-75-0x00000000717F0000-0x00000000718FA000-memory.dmp

memory/2448-74-0x0000000071120000-0x00000000716CB000-memory.dmp

memory/2448-76-0x0000000071120000-0x00000000716CB000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/2944-81-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1920-77-0x0000000071760000-0x00000000717E8000-memory.dmp

\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc

MD5 10e4369f9761d5401203f24a43aec777
SHA1 f6237d60d66f0bdc642836387c2e9adaf60114d2
SHA256 1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976
SHA512 7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb

memory/1920-86-0x00000000720D0000-0x00000000720F4000-memory.dmp

memory/1920-85-0x0000000070720000-0x00000000707EE000-memory.dmp

memory/2448-87-0x0000000071120000-0x00000000716CB000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp

MD5 381cc5ba2ce158b71214b0d01a0b1a5c
SHA1 d7c546b983b31d2785f46e3b097992f96445074d
SHA256 ad8060faee1771ee0547d651d4cceee52263e534b0cf84efa75f6c0bab1187ec
SHA512 8fc885b883e058bb907a3eb8d2a88bfa6729d114f926db80c15af03aa01f2e8833727c80e77903a730c7721f9e3730e6a95cd4d938c7da24c0848ff34691f8b4

memory/2944-96-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-97-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-98-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-99-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-100-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-101-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2944-105-0x00000000044C0000-0x00000000048C4000-memory.dmp

memory/2944-106-0x00000000044C0000-0x00000000048C4000-memory.dmp

memory/1920-108-0x0000000000D30000-0x0000000001134000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new

MD5 e4290bd7c7531ee4b542641a8581f479
SHA1 b4cde4a7e68aefb561f3e46a05ddc7687def778a
SHA256 98587230d3791c2e215d208bf7f86df16c1137a4853f1885912f01d67312e821
SHA512 6a53d53bba32d0ccae7707301f4507266096e92b5ba62dd2d3249eca4d5e5f3f80b1522836c97180da6b9cec3089cbfc312c54b7d1d45fc64496214b081f8e70

memory/1920-111-0x0000000000D30000-0x0000000001134000-memory.dmp

memory/1920-116-0x0000000071760000-0x00000000717E8000-memory.dmp

memory/1920-115-0x00000000717F0000-0x00000000718FA000-memory.dmp

memory/1920-114-0x0000000071900000-0x00000000719C8000-memory.dmp

memory/1920-113-0x0000000072010000-0x0000000072059000-memory.dmp

memory/1920-112-0x00000000707F0000-0x0000000070ABF000-memory.dmp

memory/1920-122-0x0000000000D30000-0x0000000001134000-memory.dmp

memory/1920-130-0x0000000000D30000-0x0000000001134000-memory.dmp

memory/1920-138-0x0000000000D30000-0x0000000001134000-memory.dmp

memory/1920-146-0x0000000000D30000-0x0000000001134000-memory.dmp

memory/2944-154-0x00000000056B0000-0x0000000005AB4000-memory.dmp

memory/2044-163-0x00000000707F0000-0x0000000070ABF000-memory.dmp

memory/2044-166-0x0000000072010000-0x0000000072059000-memory.dmp

memory/2044-168-0x0000000000D30000-0x0000000001134000-memory.dmp

memory/2044-169-0x0000000071900000-0x00000000719C8000-memory.dmp

memory/2044-172-0x00000000717F0000-0x00000000718FA000-memory.dmp

memory/2044-175-0x0000000071760000-0x00000000717E8000-memory.dmp

memory/2044-178-0x0000000070720000-0x00000000707EE000-memory.dmp

memory/2044-181-0x00000000720D0000-0x00000000720F4000-memory.dmp

memory/2044-185-0x00000000707F0000-0x0000000070ABF000-memory.dmp

memory/2044-186-0x0000000072010000-0x0000000072059000-memory.dmp

memory/800-203-0x0000000074E00000-0x00000000750CF000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state

MD5 87efacea8413608842844330a7272b88
SHA1 8760cdd15e8fa0e491cfa8af702a22884f000c67
SHA256 869a1594ffde3535eb8efdc889d60ef1ae907b43f13f60c48b9f67f75e40d49c
SHA512 ede750897dd2f1b9b673940c72d9a9b708592d2a5c916807f5dae2747ed02514a37be62f1d0ecc1bf62632e67dda2aa2ea583d674765b14e6a3bcae7edd48253

memory/800-210-0x0000000074C20000-0x0000000074D2A000-memory.dmp

memory/800-211-0x0000000074B90000-0x0000000074C18000-memory.dmp

memory/800-212-0x0000000074AC0000-0x0000000074B8E000-memory.dmp

memory/800-213-0x0000000075190000-0x00000000751B4000-memory.dmp

memory/800-214-0x0000000000D30000-0x0000000001134000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs

MD5 afb4ebba291acd8241d9ef38d034b42a
SHA1 acbe1508585f11196b5dd64ce97b880e334032df
SHA256 f8c2c08a40583f6d71deb62c347c33e853ea2b06c8fc136915f9b2ea271aa4ea
SHA512 2ef2ee732ae1d2e98e22d4af7dfeb5fc0c61fed925ae1e1c788436bde9f09bca7c01236797c31b7445228f69a73b08b73b46fd297c53e3bb56ac2d16f64cfa2f

memory/800-207-0x0000000074D30000-0x0000000074DF8000-memory.dmp

memory/800-204-0x0000000075110000-0x0000000075159000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new

MD5 ec03d88e872cd14da81f9101d3bf6c04
SHA1 5d69a2f7acdf688b7a15108d63bfc74845ec6054
SHA256 f149647fe79a7de56865356b575af769f461e63f3eb4e918374f882b8c8cdcc7
SHA512 2e0f31eb6f7338e91853da9ba1d601a57838aab4cf108c1883bb7b67a6bd7a0d1d38fbecc6356202a621b6ba8c5ead984371651149ab6c068c55a2d20fa335aa

memory/2944-236-0x00000000056B0000-0x0000000005AB4000-memory.dmp

memory/2944-245-0x00000000056B0000-0x0000000005AB4000-memory.dmp

memory/800-246-0x0000000074E00000-0x00000000750CF000-memory.dmp

memory/800-247-0x0000000000D30000-0x0000000001134000-memory.dmp

memory/2944-264-0x00000000056B0000-0x0000000005AB4000-memory.dmp

memory/2748-273-0x0000000074E00000-0x00000000750CF000-memory.dmp

memory/2748-275-0x0000000075110000-0x0000000075159000-memory.dmp

memory/2748-278-0x0000000074D30000-0x0000000074DF8000-memory.dmp

memory/2748-281-0x0000000074C20000-0x0000000074D2A000-memory.dmp

memory/2748-284-0x0000000074B90000-0x0000000074C18000-memory.dmp

memory/2748-287-0x0000000074AC0000-0x0000000074B8E000-memory.dmp

memory/2748-290-0x0000000075190000-0x00000000751B4000-memory.dmp

memory/800-292-0x0000000000D30000-0x0000000001134000-memory.dmp

memory/2748-293-0x0000000000D30000-0x0000000001134000-memory.dmp

memory/2748-297-0x0000000074E00000-0x00000000750CF000-memory.dmp

memory/2748-298-0x0000000075110000-0x0000000075159000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 11:59

Reported

2024-04-10 12:04

Platform

win10-20240404-en

Max time kernel

310s

Max time network

322s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

Signatures

BitRAT

trojan bitrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
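The value above is written to the per-user Winlogon key (under the user's own SID, so no elevation is needed) and keeps explorer.exe as the first entry, so the desktop still loads and the copy of the sample at %AppData%\chrome\google\chrome.exe starts beside it. The following is an added example, not part of this report, showing how a triage script would parse a Winlogon Shell value and report every entry that is not the stock shell. SAMPLE_SHELL is a constructed copy of the indicator above, CLEAN_SHELL is the Windows default, and the directory list and the live-registry helper are the author's own choices.

```python
import re

# Constructed sample: the value written by the sample, copied from the signature table above.
SAMPLE_SHELL = 'explorer.exe,"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe",'
# Constructed control value: the Windows default.
CLEAN_SHELL = 'explorer.exe'

# Directories a logon shell has no business living in (user-writable, no admin rights
# needed to drop a file there). Chosen here; extend to taste.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')

def parse_shell_value(value):
    """Split a Winlogon Shell value into its entries.

    The value is a comma-separated list; an entry is either a bare image name
    (explorer.exe) or a double-quoted path. Empty entries from a trailing
    comma are dropped.
    """
    entries = []
    for m in re.finditer(r'"([^"]*)"|([^,]+)', value):
        token = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        if token:
            entries.append(token)
    return entries

def classify_entry(entry):
    """None for the stock shell, otherwise a short reason string."""
    lowered = entry.lower()
    if lowered == 'explorer.exe':
        return None
    if any(marker in lowered for marker in USER_WRITABLE):
        return 'user-writable path'
    return 'non-default shell entry'

def suspicious_shell_entries(value):
    """Return [(entry, reason)] for every entry that is not a bare explorer.exe."""
    findings = []
    for entry in parse_shell_value(value):
        reason = classify_entry(entry)
        if reason:
            findings.append((entry, reason))
    return findings

def read_live_shell_values():
    """On a Windows host, read the per-user and machine-wide Winlogon Shell values.

    Returns {'HKCU': value_or_None, 'HKLM': value_or_None}; on other platforms
    winreg is unavailable and an empty dict is returned. Normally HKLM holds
    'explorer.exe' and HKCU has no Shell value at all, which is why a per-user
    value, as in this report, is itself worth a look.
    """
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    for name, hive in (('HKCU', winreg.HKEY_CURRENT_USER), ('HKLM', winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon') as key:
                out[name] = winreg.QueryValueEx(key, 'Shell')[0]
        except OSError:
            out[name] = None
    return out

if __name__ == '__main__':
    for hive, value in read_live_shell_values().items():
        print(hive, value, suspicious_shell_entries(value) if value else '(no Shell value)')
    print(suspicious_shell_entries(SAMPLE_SHELL))
```

Run on the sample value the script returns the chrome.exe path tagged "user-writable path"; on the default value it returns nothing. The same parser works for the HKLM value, where the signal is any entry besides explorer.exe rather than the mere presence of the value.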

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 956 set thread context of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 956 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 956 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 956 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 4088 wrote to memory of 2188 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 2188 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 2188 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1728 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
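Read together, the two tables above describe the launch chain: PID 956 (the packed dropper) starts a second copy of its own image as PID 1728, writes into it a dozen times and then sets the new process's thread context, which is the classic self-hollowing pattern (the writes alone are what any parent does while creating a child, so they are not a signal on their own). 1728 then launches the dropped windows32file.exe six times and 956 separately runs WScript.exe, which spawns powershell.exe. The following is an added example, not code from the report, that reconstructs that tree from rows in the sandbox's own format and flags write-plus-SetThreadContext pairs; SAMPLE_EVENTS is a constructed, de-duplicated copy of the rows above.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: one line per distinct (source, operation, target) from the
# SetThreadContext and WriteProcessMemory tables above. The sandbox reports every
# call separately, so the originals repeat; repeats change nothing below.
SAMPLE_EVENTS = r"""
PID 956 set thread context of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 956 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 4088 wrote to memory of 2188 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1728 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 1728 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"""

# Row layout: "PID <src> <operation> <dst> N/A <src image> <dst image>" (images carry no spaces here).
EVENT_RE = re.compile(
    r'PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+)'
    r'\s+N/A\s+(?P<src_image>\S+)\s+(?P<dst_image>\S+)$')

def parse_events(text):
    """Turn signature rows into dicts with integer PIDs; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d['src'], d['dst'] = int(d['src']), int(d['dst'])
            events.append(d)
    return events

def find_hollowing(events):
    """Return [(src, dst, same_image)] for every pair where src both wrote into dst
    and set dst's thread context. same_image is True for the self-hollowing seen here;
    False would mean a decoy image (e.g. a signed system binary) was hollowed instead."""
    writes = {(e['src'], e['dst']): e for e in events if e['op'].startswith('wrote')}
    ctx = {(e['src'], e['dst']) for e in events if e['op'].startswith('set thread')}
    out = []
    for key in sorted(writes.keys() & ctx):
        e = writes[key]
        out.append((e['src'], e['dst'], e['src_image'].lower() == e['dst_image'].lower()))
    return out

def children_of(events):
    """parent pid -> {child pid: child image}, using the writes a creator makes into a new child."""
    tree = defaultdict(dict)
    for e in events:
        if e['op'].startswith('wrote'):
            tree[e['src']][e['dst']] = e['dst_image']
    return tree

def render_tree(events, root):
    """Indented text tree rooted at `root`, with hollowed children tagged."""
    tree = children_of(events)
    hollowed = {dst for _, dst, _ in find_hollowing(events)}
    root_image = next((e['src_image'] for e in events if e['src'] == root), str(root))
    lines = []

    def walk(pid, image, depth):
        tag = ' [hollowed]' if pid in hollowed else ''
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(image)}{tag}")
        for child in sorted(tree.get(pid, {})):
            walk(child, tree[pid][child], depth + 1)

    walk(root, root_image, 0)
    return lines

if __name__ == '__main__':
    print('\n'.join(render_tree(parse_events(SAMPLE_EVENTS), 956)))
```

The same pairing rule transfers to endpoint telemetry: a process that opens a handle to a child with the same image path, writes to it and then calls SetThreadContext (or NtResumeThread after a suspended create) is the event triple to alert on, and the SeDebugPrivilege request by 956 in the AdjustPrivilegeToken table fits the same sequence.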

Processes

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
FR 51.15.179.153:995 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 178.254.7.88:8443 tcp
FR 51.254.147.57:443 tcp
N/A 127.0.0.1:49873 tcp
N/A 127.0.0.1:45808 tcp
NL 80.127.137.19:443 tcp
CA 199.58.81.140:443 tcp
US 8.8.8.8:53 140.81.58.199.in-addr.arpa udp
US 15.204.227.206:9000 tcp
US 147.135.6.69:443 tcp
US 8.8.8.8:53 206.227.204.15.in-addr.arpa udp
US 8.8.8.8:53 69.6.135.147.in-addr.arpa udp
US 199.184.215.11:9090 tcp
US 8.8.8.8:53 11.215.184.199.in-addr.arpa udp
US 147.135.6.69:443 tcp
US 15.204.227.206:9000 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
N/A 127.0.0.1:50244 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50289 tcp
DE 136.243.147.91:9001 tcp
US 8.8.8.8:53 91.147.243.136.in-addr.arpa udp
DE 193.41.226.147:9000 tcp
US 8.8.8.8:53 147.226.41.193.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
N/A 127.0.0.1:50370 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50418 tcp
FR 212.129.62.232:443 tcp
DE 136.243.147.91:9001 tcp
US 8.8.8.8:53 232.62.129.212.in-addr.arpa udp
DE 85.215.67.227:8443 tcp
US 8.8.8.8:53 227.67.215.85.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50490 tcp
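Three things stand out in the table above: repeated DNS and TLS contact with myexternalip.com (the "Looks up external IP address" signature), a cluster of loopback connections that all land on port 45808, and outbound TCP to assorted high ports (9000, 9001, 8443, 9090, 995) on hosts in several countries with no DNS lookups for them. With a tor client running as windows32file.exe -f torrc, the loopback traffic is most plausibly the RAT talking to tor's local SOCKS listener and the high-port traffic is tor bootstrapping to relays, but the port alone cannot prove that, because relays also listen on 443 and the torrc contents are not in the report. The following is an added example, not code from the report, that parses rows in this table's column layout and extracts those signals; SAMPLE_NETWORK is a constructed subset of the rows above, the IP-check domain list and the threshold are the author's choices, and the in-addr.arpa reverse lookups are skipped on the assumption that the sandbox's resolver, not the sample, issues them.

```python
from collections import Counter

# Constructed sample: a subset of the Network table above in the same layout
# (Country, Destination, optional Domain, Proto).
SAMPLE_NETWORK = """\
US 20.231.121.79:80 tcp
FR 51.15.179.153:995 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 178.254.7.88:8443 tcp
N/A 127.0.0.1:49873 tcp
N/A 127.0.0.1:45808 tcp
US 15.204.227.206:9000 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50244 tcp
N/A 127.0.0.1:45808 tcp
DE 136.243.147.91:9001 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50418 tcp
N/A 127.0.0.1:45808 tcp
"""

# Public "what is my IP" services; myexternalip.com is the one this sample used.
IP_CHECK_SERVICES = {'myexternalip.com', 'api.ipify.org', 'icanhazip.com',
                     'ifconfig.me', 'checkip.amazonaws.com'}
# Tor's default relay ports. Relays may listen elsewhere (443 is common), so absence proves nothing.
TOR_DEFAULT_PORTS = {9001: 'ORPort', 9030: 'DirPort'}

def parse_rows(text):
    """Rows are whitespace-separated; the Domain column is present only for some rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ''
        host, _, port = dest.rpartition(':')
        rows.append({'country': country, 'host': host, 'port': int(port),
                     'domain': domain, 'proto': proto})
    return rows

def summarize_network(text, proxy_threshold=3):
    """Pull the triage-relevant facts out of a connection table.

    local_proxy_ports: loopback ports hit at least proxy_threshold times. Each
    client connection shows up once for the listener port and once for the
    ephemeral port, so the listener is the port that repeats.
    """
    rows = parse_rows(text)
    loopback = Counter(r['port'] for r in rows if r['host'] == '127.0.0.1')
    remote = [r for r in rows if r['host'] != '127.0.0.1']
    return {
        'ip_check_domains': sorted({r['domain'] for r in rows
                                    if r['domain'].lower() in IP_CHECK_SERVICES}),
        'local_proxy_ports': sorted(p for p, n in loopback.items() if n >= proxy_threshold),
        'tor_default_ports': [f"{r['host']}:{r['port']} ({TOR_DEFAULT_PORTS[r['port']]})"
                              for r in remote if r['port'] in TOR_DEFAULT_PORTS],
        # Remote TCP endpoints reached with no forward DNS lookup in the table: a
        # Tor client dials relays by IP from its consensus, so this is the expected shape.
        'remote_tcp_endpoints': sorted({f"{r['host']}:{r['port']}" for r in remote
                                        if r['proto'] == 'tcp'}),
        'reverse_lookups_ignored': sum(1 for r in rows if r['domain'].endswith('.in-addr.arpa')),
    }

if __name__ == '__main__':
    for key, value in summarize_network(SAMPLE_NETWORK).items():
        print(key, value)
```

For a firmer answer than port heuristics, the dropped data directory itself is the better evidence: cached-microdesc-consensus and cached-certs in C:\Users\Admin\AppData\Local\c3b89bbf\tor\data are a Tor client's own bootstrap state, and the relay addresses in that consensus can be matched against the destinations above.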

Files

memory/956-0-0x0000000073D80000-0x000000007446E000-memory.dmp

memory/956-1-0x0000000000C90000-0x00000000011B0000-memory.dmp

memory/956-2-0x0000000005B30000-0x0000000005B40000-memory.dmp

memory/956-3-0x00000000034F0000-0x00000000034FA000-memory.dmp

memory/956-4-0x0000000005B10000-0x0000000005B2E000-memory.dmp

memory/956-5-0x0000000073D80000-0x000000007446E000-memory.dmp

memory/956-6-0x0000000005B30000-0x0000000005B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs

MD5 ed6d432bdbf28ed6ac0cf59692f5e0fe
SHA1 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7
SHA256 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe
SHA512 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e

memory/1728-12-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2188-14-0x0000000073D80000-0x000000007446E000-memory.dmp

memory/956-18-0x0000000073D80000-0x000000007446E000-memory.dmp

memory/1728-17-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2188-20-0x0000000006840000-0x0000000006850000-memory.dmp

memory/1728-21-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2188-22-0x0000000006840000-0x0000000006850000-memory.dmp

memory/2188-19-0x0000000004180000-0x00000000041B6000-memory.dmp

memory/2188-23-0x0000000006E80000-0x00000000074A8000-memory.dmp

memory/1728-24-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2188-25-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

memory/2188-27-0x0000000006C70000-0x0000000006CD6000-memory.dmp

memory/2188-26-0x00000000074B0000-0x0000000007516000-memory.dmp

memory/2188-28-0x00000000075E0000-0x0000000007930000-memory.dmp

memory/2188-29-0x0000000006E60000-0x0000000006E7C000-memory.dmp

memory/2188-30-0x00000000079F0000-0x0000000007A3B000-memory.dmp

memory/2188-31-0x0000000007D50000-0x0000000007DC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmppylky.epu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
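The __PSScriptPolicyTest_*.ps1 file listed above is not something the sample dropped. PowerShell writes a throwaway script with that name pattern to Temp on start-up to find out whether AppLocker or WDAC script enforcement applies to it, and the MD5, SHA1 and SHA256 given here are exactly the digests of the one-byte content "1" that those files contain. The following is an added check, not part of the report, that recognises such records by both name pattern and content hash so they are not mistaken for a dropped payload; SAMPLE_FILE is a constructed copy of the record above and the second record in the test is invented.

```python
import hashlib
import re

# Constructed copy of the file record above.
SAMPLE_FILE = {
    'path': r'C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmppylky.epu.ps1',
    'md5': 'c4ca4238a0b923820dcc509a6f75849b',
    'sha1': '356a192b7913b04c54574d18c28d46e6395428ab',
    'sha256': '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b',
}

# PowerShell's name pattern: fixed prefix, random stem, random "extension", then .ps1.
POLICY_TEST_RE = re.compile(r'__PSScriptPolicyTest_[A-Za-z0-9]+\.[A-Za-z0-9]+\.ps1$', re.IGNORECASE)
POLICY_TEST_CONTENT = b'1'

def digests(data):
    """MD5/SHA1/SHA256 of a byte string, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ('md5', 'sha1', 'sha256')}

def classify_ps_policy_test(record):
    """Return (verdict, detail) for a sandbox file record with 'path' and hash fields.

    Both conditions must hold for the benign verdict: the name alone is easy to
    imitate, and a policy-test file whose content is not "1" has been tampered with
    or was never PowerShell's.
    """
    name_ok = bool(POLICY_TEST_RE.search(record.get('path', '')))
    expected = digests(POLICY_TEST_CONTENT)
    content_ok = all(record.get(alg, '').lower() == expected[alg] for alg in expected)
    if name_ok and content_ok:
        return ('benign PowerShell start-up artifact', 'content is the single byte "1"')
    if name_ok:
        return ('name matches but content differs', 'inspect the file before dismissing it')
    return ('not a policy-test file', '')

if __name__ == '__main__':
    print(classify_ps_policy_test(SAMPLE_FILE))
```

The same start-up behaviour explains why the file appears in PowerShell runs that have nothing to do with malware; what matters in this report is the command line PowerShell was given (the Defender exclusion under Processes), not this file.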

memory/1728-45-0x0000000070450000-0x000000007048A000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/1132-74-0x00000000013C0000-0x00000000017C4000-memory.dmp

\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/1132-81-0x00000000704C0000-0x00000000704E4000-memory.dmp

memory/1132-82-0x000000006F9F0000-0x000000006FAB8000-memory.dmp

memory/1132-78-0x000000006F8D0000-0x000000006F99E000-memory.dmp

\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/2188-83-0x0000000008B40000-0x0000000008B73000-memory.dmp

memory/1132-85-0x000000006F600000-0x000000006F8CF000-memory.dmp

memory/2188-84-0x0000000070AA0000-0x0000000070AEB000-memory.dmp

memory/2188-86-0x00000000067D0000-0x00000000067EE000-memory.dmp

memory/1132-93-0x0000000000880000-0x0000000000908000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc

MD5 10e4369f9761d5401203f24a43aec777
SHA1 f6237d60d66f0bdc642836387c2e9adaf60114d2
SHA256 1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976
SHA512 7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb

memory/1132-90-0x000000006F460000-0x000000006F4E8000-memory.dmp

memory/1132-89-0x00000000017D0000-0x0000000001A9F000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/1132-97-0x000000006F9A0000-0x000000006F9E9000-memory.dmp

memory/1132-98-0x000000006F4F0000-0x000000006F5FA000-memory.dmp

memory/2188-99-0x000000007EF40000-0x000000007EF50000-memory.dmp

memory/2188-100-0x0000000008C70000-0x0000000008D15000-memory.dmp

memory/2188-101-0x0000000006840000-0x0000000006850000-memory.dmp

memory/2188-102-0x00000000090D0000-0x0000000009164000-memory.dmp

memory/1728-277-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1728-278-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1728-280-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1728-282-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1728-284-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1728-287-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1728-294-0x000000006ED80000-0x000000006EDBA000-memory.dmp

memory/2188-302-0x0000000008F50000-0x0000000008F6A000-memory.dmp

memory/2188-307-0x0000000008F40000-0x0000000008F48000-memory.dmp

memory/2188-323-0x0000000073D80000-0x000000007446E000-memory.dmp

memory/1132-324-0x00000000013C0000-0x00000000017C4000-memory.dmp

memory/1132-326-0x000000006F8D0000-0x000000006F99E000-memory.dmp

memory/1132-328-0x000000006F9F0000-0x000000006FAB8000-memory.dmp

memory/1132-327-0x00000000704C0000-0x00000000704E4000-memory.dmp

memory/1132-329-0x000000006F600000-0x000000006F8CF000-memory.dmp

memory/1728-332-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1132-333-0x00000000013C0000-0x00000000017C4000-memory.dmp

memory/1132-334-0x00000000013C0000-0x00000000017C4000-memory.dmp

memory/1132-342-0x0000000000880000-0x0000000000908000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp

MD5 6fcc4b924d58bbb8462b7ee1961c7977
SHA1 41e1e2d4561bb169144e7d1a08c6a7f3dc731c2d
SHA256 edbc99c46f9d6785d0cedf6fa6de99e6c7a20187a738e29d55258584db2660ed
SHA512 2d3539570f1a6024c291c25a3aed2f61668ec03aa614b92118380a60510fab72878539f0bc3d51e1c8ce20f3b26400c35cd714fcf146dd3288a8da861ee5a6fe

memory/1132-355-0x00000000013C0000-0x00000000017C4000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new

MD5 e1eb369d6008a51b10a5b4b1c59fb0d2
SHA1 f08b486431a0969a7b0bbfb5126282b8e9582591
SHA256 07d53f51caf305839e979e8b91dccac44355584ec67d29680b13f95cd9970200
SHA512 bd9af2688ba4ab95929ca50b5a92f5f679407e6d86592b715c86a06d7071a166cd2af3b7960e2af0576a56dc5501922d3eb350ba2570ba6b166935945ab53760

memory/1132-379-0x00000000013C0000-0x00000000017C4000-memory.dmp

memory/1728-387-0x00000000742E0000-0x000000007431A000-memory.dmp

memory/1132-388-0x00000000013C0000-0x00000000017C4000-memory.dmp

memory/1728-396-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1132-397-0x00000000013C0000-0x00000000017C4000-memory.dmp

memory/1728-413-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1728-415-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1132-416-0x00000000013C0000-0x00000000017C4000-memory.dmp

memory/4112-428-0x00000000013C0000-0x00000000017C4000-memory.dmp

memory/4112-430-0x000000006F600000-0x000000006F8CF000-memory.dmp

memory/4112-431-0x000000006F9F0000-0x000000006FAB8000-memory.dmp

memory/4112-433-0x000000006F8D0000-0x000000006F99E000-memory.dmp

memory/4112-435-0x000000006F9A0000-0x000000006F9E9000-memory.dmp

memory/4112-437-0x00000000704C0000-0x00000000704E4000-memory.dmp

memory/4112-439-0x000000006F4F0000-0x000000006F5FA000-memory.dmp

memory/4112-441-0x000000006F460000-0x000000006F4E8000-memory.dmp

memory/4112-450-0x00000000704C0000-0x00000000704E4000-memory.dmp

memory/4112-451-0x000000006F4F0000-0x000000006F5FA000-memory.dmp

memory/4112-452-0x000000006F460000-0x000000006F4E8000-memory.dmp

memory/4112-453-0x00000000013C0000-0x00000000017C4000-memory.dmp

memory/4112-454-0x000000006F600000-0x000000006F8CF000-memory.dmp

memory/4112-455-0x000000006F9F0000-0x000000006FAB8000-memory.dmp

memory/4112-456-0x000000006F8D0000-0x000000006F99E000-memory.dmp

memory/4112-457-0x000000006F9A0000-0x000000006F9E9000-memory.dmp

memory/1728-458-0x0000000073890000-0x00000000738CA000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state

MD5 f94182b1743f2941a9d5d75c3d31f4ed
SHA1 d116b9ef97c179db3bd8727bd900c6f1a5494236
SHA256 22fdfa07f2d32d907a42cb2108a0d570b2d8680685dcde2210943e23291c86fc
SHA512 4c49a0811899e44b51dcfe10d9efd33da32dbff54944656f84cee178d2044aec4e3d74326a676fe21beb1768653542e69d8a18f873172b042d9aa4e9999a077b

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs

MD5 d233858696aa314b62366514bedd9603
SHA1 2cba9148f94de2a19bd81798fd4d21bd53ae8c42
SHA256 d16c721c3a15a9e1717fd0e8ae0dd9bd65a428ceb3367093afe65db9a62e477a
SHA512 ef738a63b30dd130df29e4ce60e9d0e5f6f87c8e53149ebc664c3bfb319b45e378f21d11d1f7108661191bf86b0505f7a1c55681c141e33e8b5a96cf4a1f5361

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new

MD5 4c06ddf56ef118c47388bf0b06363886
SHA1 4053d9db12e88ccfe28c94a512680c78647234c5
SHA256 be5866d5b22d720ca0e273f7b2d6e4f8b2378a9aa6be5fe8508d0451abe13717
SHA512 2df006987189508b576b972bacbcd8d84c32cc6997ffbe6c171ac10928cc73c3897cacf41f1f3fea8dd547c019cf451cdc6386a1de76530fe4e494025a506de0

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state

MD5 66082756a6c8caa27d02a25798af8a86
SHA1 7a56b6ce65c41fd94f4c0d308309b8e00dd3b728
SHA256 747297601504f782f2314017c1d838eb7fbe83c5c9f2843fe12f121232f38dc2
SHA512 99c1b20240b3a1db1edf5a1255e1fdc8ba2391d919b7291756851776e51a7798aba9065095ad07c0f7bece9a6a2d0d48c5dc3e308297aa830711139de45f3dad

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-10 11:59

Reported

2024-04-10 12:04

Platform

win10v2004-20240319-en

Max time kernel

301s

Max time network

307s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

Signatures

BitRAT

trojan bitrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3596 set thread context of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3596 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 3596 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 3596 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 780 wrote to memory of 1716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 1716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 1716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 3596 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 644 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 644 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 142.250.179.202:443 tcp
IE 94.245.104.56:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
GB 51.140.242.104:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
GB 51.140.244.186:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 81.7.11.186:443 tcp
NO 193.35.52.53:9001 tcp
DE 31.185.104.20:443 tcp
NL 45.66.33.45:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 50.7.74.170:9001 tcp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
N/A 127.0.0.1:49936 tcp
US 51.81.56.228:443 tcp
US 135.148.53.59:443 tcp
US 8.8.8.8:53 228.56.81.51.in-addr.arpa udp
US 8.8.8.8:53 59.53.148.135.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
EE 195.50.212.15:8080 tcp
US 135.148.53.59:443 tcp
US 51.81.56.228:443 tcp
US 8.8.8.8:53 15.212.50.195.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
N/A 127.0.0.1:50087 tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50133 tcp
ES 83.97.79.191:8443 tcp
MD 178.17.170.172:443 tcp
US 8.8.8.8:53 191.79.97.83.in-addr.arpa udp
US 8.8.8.8:53 172.170.17.178.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50192 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50285 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50324 tcp
DE 91.143.81.212:80 tcp
ES 83.97.79.191:8443 tcp
US 8.8.8.8:53 212.81.143.91.in-addr.arpa udp

Files

memory/3596-0-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/3596-1-0x00000000009C0000-0x0000000000EE0000-memory.dmp

memory/3596-2-0x0000000005990000-0x00000000059A0000-memory.dmp

memory/3596-3-0x00000000019A0000-0x00000000019AA000-memory.dmp

memory/3596-4-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/3596-5-0x00000000033A0000-0x00000000033BE000-memory.dmp

memory/3596-6-0x0000000005990000-0x00000000059A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs

MD5 ed6d432bdbf28ed6ac0cf59692f5e0fe
SHA1 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7
SHA256 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe
SHA512 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e

memory/1716-12-0x00000000051A0000-0x00000000051D6000-memory.dmp

memory/1716-14-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/1716-16-0x0000000002E10000-0x0000000002E20000-memory.dmp

memory/1716-19-0x0000000002E10000-0x0000000002E20000-memory.dmp

memory/644-13-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1716-15-0x0000000005810000-0x0000000005E38000-memory.dmp

memory/3596-20-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/644-21-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-18-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1716-22-0x0000000005760000-0x0000000005782000-memory.dmp

memory/644-23-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_beiaatfw.3n4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1716-24-0x0000000006030000-0x0000000006096000-memory.dmp

memory/1716-30-0x0000000006110000-0x0000000006176000-memory.dmp

memory/1716-35-0x0000000006180000-0x00000000064D4000-memory.dmp

memory/1716-36-0x0000000006720000-0x000000000673E000-memory.dmp

memory/1716-37-0x0000000006760000-0x00000000067AC000-memory.dmp

memory/1716-39-0x0000000002E10000-0x0000000002E20000-memory.dmp

memory/644-38-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-40-0x0000000070380000-0x00000000703B9000-memory.dmp

memory/1716-41-0x000000007EE70000-0x000000007EE80000-memory.dmp

memory/1716-42-0x0000000006CF0000-0x0000000006D22000-memory.dmp

memory/1716-43-0x00000000707C0000-0x000000007080C000-memory.dmp

memory/1716-53-0x00000000078F0000-0x000000000790E000-memory.dmp

memory/1716-54-0x0000000007910000-0x00000000079B3000-memory.dmp

memory/1716-64-0x0000000008070000-0x00000000086EA000-memory.dmp

memory/1716-65-0x0000000007A30000-0x0000000007A4A000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/568-84-0x0000000000880000-0x0000000000C84000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/568-92-0x000000006F5B0000-0x000000006F67E000-memory.dmp

memory/568-95-0x0000000001C50000-0x0000000001CD8000-memory.dmp

memory/568-94-0x000000006F3E0000-0x000000006F468000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc

MD5 10e4369f9761d5401203f24a43aec777
SHA1 f6237d60d66f0bdc642836387c2e9adaf60114d2
SHA256 1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976
SHA512 7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb

memory/568-96-0x000000006F110000-0x000000006F3DF000-memory.dmp

memory/568-93-0x000000006F470000-0x000000006F57A000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/568-85-0x000000006F680000-0x000000006F6C9000-memory.dmp

memory/568-100-0x000000006F6D0000-0x000000006F798000-memory.dmp

memory/1716-101-0x0000000007CB0000-0x0000000007D46000-memory.dmp

memory/568-102-0x000000006F580000-0x000000006F5A4000-memory.dmp

memory/568-103-0x0000000001C50000-0x0000000001F1F000-memory.dmp

memory/1716-79-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/1716-104-0x0000000007C50000-0x0000000007C61000-memory.dmp

memory/1716-105-0x0000000007C80000-0x0000000007C8E000-memory.dmp

memory/1716-106-0x0000000007C90000-0x0000000007CA4000-memory.dmp

memory/1716-107-0x0000000007D90000-0x0000000007DAA000-memory.dmp

memory/1716-108-0x0000000007D70000-0x0000000007D78000-memory.dmp

memory/1716-111-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/644-112-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-113-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-114-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-115-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-116-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-117-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-118-0x0000000075150000-0x0000000075189000-memory.dmp

memory/568-119-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/568-122-0x000000006F5B0000-0x000000006F67E000-memory.dmp

memory/568-121-0x000000006F680000-0x000000006F6C9000-memory.dmp

memory/568-126-0x000000006F110000-0x000000006F3DF000-memory.dmp

memory/644-127-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/568-128-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/568-136-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/568-137-0x0000000001C50000-0x0000000001CD8000-memory.dmp

memory/568-143-0x0000000001C50000-0x0000000001F1F000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp

MD5 6fcc4b924d58bbb8462b7ee1961c7977
SHA1 41e1e2d4561bb169144e7d1a08c6a7f3dc731c2d
SHA256 edbc99c46f9d6785d0cedf6fa6de99e6c7a20187a738e29d55258584db2660ed
SHA512 2d3539570f1a6024c291c25a3aed2f61668ec03aa614b92118380a60510fab72878539f0bc3d51e1c8ce20f3b26400c35cd714fcf146dd3288a8da861ee5a6fe

memory/568-151-0x0000000000880000-0x0000000000C84000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new

MD5 f4446f40caefbbb3238c932584c30748
SHA1 328e9eb0ca860d22c325f4ce180a7f7589610794
SHA256 e4ee52381a050d151583dacbd9a57ed867f972db9081d9ded246c4002bb02262
SHA512 345d4631751bd7f926b97d9d190290499995eaff5d9aaf887c2e1d22a46781f64746d46d712579899455e644dbf354f80f52281927d7681097f4bf80425e0063

memory/568-174-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/568-182-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/644-190-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-197-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/644-199-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/568-200-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/4108-214-0x000000006F6D0000-0x000000006F798000-memory.dmp

memory/4108-216-0x000000006F5B0000-0x000000006F67E000-memory.dmp

memory/4108-218-0x000000006F680000-0x000000006F6C9000-memory.dmp

memory/4108-221-0x000000006F470000-0x000000006F57A000-memory.dmp

memory/4108-223-0x000000006F3E0000-0x000000006F468000-memory.dmp

memory/4108-225-0x000000006F110000-0x000000006F3DF000-memory.dmp

memory/4108-224-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/4108-220-0x000000006F580000-0x000000006F5A4000-memory.dmp

memory/4108-233-0x000000006F6D0000-0x000000006F798000-memory.dmp

memory/4108-234-0x000000006F5B0000-0x000000006F67E000-memory.dmp

memory/644-235-0x0000000073950000-0x0000000073989000-memory.dmp

memory/3156-250-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/3156-252-0x00000000734D0000-0x0000000073598000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state

MD5 96d770fdcd464d015eb78b0d282971e8
SHA1 49df0e53202b854a32882e95a36e0fb9108ce481
SHA256 16dc388f18ea49fe66ac238c577cb4b2adc241e0558d79756d0c9d75f8a67aa2
SHA512 5df2954e83ea2c84bd7fcaacfd37807972932833c711357b6e440029c56e0764f942dfe1a56caa5a6119450a47a60fbeedfd3e5fd22deda8574c5e5160e8c9d7

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs

MD5 3f2585903616d7d7dda07d3f36501afd
SHA1 c3fb85f32a7c36a89c2034e67e6abdaf927e7eb0
SHA256 26a9ce15fcc0f0fde17cba542cefe893e72c080567818ccdafba59d9779134d3
SHA512 2b072b685669c7123a00369799ac4f0c4f6052606003e5a8b92ee86e2cacaf06ad796a87c2bdb07c38bc51ab98a225f9ffd3ac4508c01cad002f5b98360c5eb4

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new

MD5 0a0b04e69e5d6f074880b8b954100fe2
SHA1 b94eb8b2b978709920b70dd2bfc1b7bad743b5e6
SHA256 aec65894883057205eae83a5bbceae7cd19cdf68c3b7732ad274f36c74ed88d0
SHA512 1f7379b2a395906332a6eb5fbadb6ca6ab7712c56243169be05d2d5130f6853bdecbbdf14eda0b4f8e1a253fb7721e6109199a2c409626495b60dc2a212ddb88

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-10 11:59

Reported

2024-04-10 12:04

Platform

win11-20240221-en

Max time kernel

297s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

Signatures

BitRAT

trojan bitrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\"," C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A
(47 further identical rows omitted)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(37 further identical rows omitted)

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1040 set thread context of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 1040 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 1040 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Windows\SysWOW64\WScript.exe
PID 5088 wrote to memory of 4976 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 4976 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 4976 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1040 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 1040 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
PID 4428 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 4428 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
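
Read together, the SetThreadContext and WriteProcessMemory rows above describe one parent (PID 1040) that writes into several children running its own image, writes twelve times into one of them (PID 4428) and then resets that child's thread context, after which 4428 is the process that writes into every windows32file.exe child. The Python below is added by the editor and is not sandbox output or sandbox code: it rebuilds that graph from rows in the exact layout printed above (it assumes image paths contain no spaces) and flags the same-image write plus SetThreadContext pair as a process-hollowing candidate. The heuristic and the helper names (parse_rows, injection_graph, process_tree, hollowing_candidates, script_host_spawns) are the editor's; the rows are reconstructed from the tables with the same PIDs, images and repeat counts rather than pasted line by line.

```python
"""Rebuild the injection graph behind the SetThreadContext and
WriteProcessMemory rows above.

Added by the editor; not sandbox output or sandbox code. Assumes the row
layout 'PID <src> <verb> <dst> <indicator> <src image> <dst image>' with no
spaces in image paths. The hollowing heuristic (parent writes into a child
running the same image, then sets its thread context) is the editor's, not a
sandbox verdict."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"
TOR = r"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
PWSH = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# The rows of the two tables above, reconstructed here (same PIDs, images and
# repeat counts as printed); repeats are kept because the count is a signal.
ROWS = (
    [f"PID 1040 set thread context of 4428 N/A {SAMPLE} {SAMPLE}"]
    + [f"PID 1040 wrote to memory of 5088 N/A {SAMPLE} {WSCRIPT}"] * 3
    + [f"PID 5088 wrote to memory of 4976 N/A {WSCRIPT} {PWSH}"] * 3
    + [f"PID 1040 wrote to memory of {pid} N/A {SAMPLE} {SAMPLE}"
       for pid in (3624, 4040, 4484) for _ in range(3)]
    + [f"PID 1040 wrote to memory of 4428 N/A {SAMPLE} {SAMPLE}"] * 12
    + [f"PID 4428 wrote to memory of {pid} N/A {SAMPLE} {TOR}"
       for pid in (3844, 340, 3556, 4232, 4924, 1952, 2108) for _ in range(3)]
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<indicator>\S+) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_rows(rows):
    """Parse signature rows into dicts; rows that do not match the layout are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = int(d["src"]), int(d["dst"])
            events.append(d)
    return events


def injection_graph(events):
    """Map (src_pid, dst_pid) -> write count, SetThreadContext flag and both images."""
    graph = {}
    for e in events:
        node = graph.setdefault((e["src"], e["dst"]), {
            "writes": 0, "set_context": False,
            "src_image": e["src_image"], "dst_image": e["dst_image"]})
        if e["verb"] == "wrote to memory of":
            node["writes"] += 1
        else:
            node["set_context"] = True
    return graph


def process_tree(graph):
    """Parent -> sorted distinct child PIDs, taking a memory write as the creation signal."""
    tree = defaultdict(set)
    for (src, dst), node in graph.items():
        if node["writes"]:
            tree[src].add(dst)
    return {parent: sorted(children) for parent, children in tree.items()}


def hollowing_candidates(graph):
    """Pairs where the parent wrote into a child running the same image and then
    reset its thread context: the RunPE / process-hollowing sequence."""
    return sorted(
        pair for pair, node in graph.items()
        if node["set_context"] and node["writes"]
        and node["src_image"].lower() == node["dst_image"].lower()
    )


def script_host_spawns(graph):
    """Pairs whose target is a script host (the VBS -> PowerShell leg above)."""
    hosts = ("wscript.exe", "cscript.exe", "powershell.exe")
    return sorted(pair for pair, node in graph.items()
                  if node["dst_image"].lower().endswith(hosts))


if __name__ == "__main__":
    g = injection_graph(parse_rows(ROWS))
    print("process tree:", process_tree(g))
    print("hollowing candidates:", hollowing_candidates(g))
    print("script-host spawns:", script_host_spawns(g))
```

The three self-image children without a SetThreadContext event (3624, 4040, 4484) are reported in the tree but not as hollowing candidates; only 4428, with twelve writes and the context reset, qualifies, which matches the memory dumps of 0x400000-0xBD8000 recorded for that PID in the Files section.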

Processes

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

Network

Country Destination Domain Proto
DK 85.235.250.88:443 tcp
DE 185.220.101.48:20048 tcp
FR 178.33.183.251:443 tcp
N/A 127.0.0.1:49807 tcp
FR 92.222.38.67:443 tcp
N/A 127.0.0.1:45808 tcp
SE 193.11.114.43:9001 tcp
AT 86.59.21.38:443 tcp
US 8.8.8.8:53 43.114.11.193.in-addr.arpa udp
US 38.154.240.58:443 tcp
FR 141.95.146.50:443 tcp
US 8.8.8.8:53 58.240.154.38.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
FR 141.95.146.50:443 tcp
US 38.154.240.58:443 tcp
N/A 127.0.0.1:49980 tcp
DE 148.251.46.115:9001 tcp
FR 45.158.77.29:9300 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50071 tcp
N/A 127.0.0.1:50107 tcp
US 135.148.150.99:443 tcp
US 38.108.119.208:9001 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50175 tcp
N/A 127.0.0.1:50209 tcp
FI 95.216.19.41:9030 tcp
US 135.148.150.99:443 tcp
N/A 127.0.0.1:45808 tcp
CA 192.95.29.105:9001 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50269 tcp
US 50.7.74.172:443 tcp
FI 95.216.19.41:9030 tcp
US 135.148.150.99:443 tcp
N/A 127.0.0.1:45808 tcp
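
The Processes and Network sections above carry the three facts a responder would pull first: a PowerShell Add-MpPreference call that excludes the whole C:\ drive from Defender together with a chrome.exe path under AppData\Roaming, a VBS launched by WScript from Temp, and a renamed tor binary started with -f torrc that then reaches relays on 9001 and 9030 (Tor's default ORPort and DirPort), queries myexternalip.com and talks repeatedly to 127.0.0.1:45808. The Python below is added by the editor and is not sandbox code; it runs those checks over the command lines and a subset of the network rows copied from above. The port-based Tor heuristic and the IP-echo domain list are the editor's assumptions (only myexternalip.com appears on this page), and 127.0.0.1:45808 is reported as a repeated loopback endpoint without further identification.

```python
"""Triage the command lines and network rows of this report.

Added by the editor; not sandbox code. Assumes network rows follow
'Country Destination [Domain] Proto'. Treating 9001/9030 as Tor relay ports
and myexternalip.com as an IP-echo service are the editor's heuristics."""
import re
from collections import Counter

# Command lines copied from the Processes section above.
PWSH_CMD = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
            r"Add-MpPreference -ExclusionPath "
            r"C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'")
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"',
    PWSH_CMD,
    r'"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc',
]

# A subset of the Network table above, copied verbatim.
NETWORK_ROWS = """
DK 85.235.250.88:443 tcp
DE 185.220.101.48:20048 tcp
SE 193.11.114.43:9001 tcp
US 8.8.8.8:53 43.114.11.193.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
DE 148.251.46.115:9001 tcp
US 34.117.118.44:443 myexternalip.com tcp
US 38.108.119.208:9001 tcp
FI 95.216.19.41:9030 tcp
CA 192.95.29.105:9001 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49807 tcp
US 135.148.150.99:443 tcp
""".strip().splitlines()

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
NET_RE = re.compile(r"^(?P<cc>\S+) (?P<ip>[\d.]+):(?P<port>\d+)"
                    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
TOR_DEFAULT_PORTS = {9001, 9030}          # default ORPort / DirPort (heuristic)
IP_ECHO_SERVICES = {"myexternalip.com"}   # the one seen in this report


def _tokens(cmd):
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]


def triage_command_line(cmd):
    """Return (finding, detail) tuples for one command line."""
    toks = _tokens(cmd)
    lower = [t.lower() for t in toks]
    image, base = lower[0], lower[0].rsplit("\\", 1)[-1]
    findings = []
    if base == "powershell.exe" and "add-mppreference" in lower and "-exclusionpath" in lower:
        raw = toks[lower.index("-exclusionpath") + 1]
        paths = [p.strip("'\"") for p in raw.split(",") if p]
        findings.append(("defender_exclusion", {
            "paths": paths,
            # An exclusion of a bare drive root disables scanning for the whole volume.
            "whole_drive": any(re.fullmatch(r"[a-z]:\\?", p.lower()) for p in paths)}))
    if base in ("wscript.exe", "cscript.exe") and any(
            t.endswith(".vbs") and "\\temp\\" in t for t in lower[1:]):
        findings.append(("script_host_from_temp", {"script": toks[1]}))
    if "-f" in lower and "torrc" in lower and "\\appdata\\" in image:
        findings.append(("tor_client_from_appdata", {"image": toks[0]}))
    return findings


def triage_command_lines(cmds):
    return [f for cmd in cmds for f in triage_command_line(cmd)]


def summarise_network(rows):
    """Count destinations by port and pull out Tor relay ports, IP-echo lookups and loopback."""
    by_port, loopback, tor_ports, ip_echo = Counter(), Counter(), set(), set()
    for row in rows:
        m = NET_RE.match(row)
        if not m:
            continue
        ip, port, domain = m["ip"], int(m["port"]), m["domain"]
        by_port[port] += 1
        if ip.startswith("127."):
            loopback[port] += 1
        elif port in TOR_DEFAULT_PORTS:
            tor_ports.add(f"{ip}:{port}")
        if domain in IP_ECHO_SERVICES:
            ip_echo.add(f"{ip}:{port} {domain}")
    return {"by_port": by_port, "loopback": loopback,
            "tor_default_ports": sorted(tor_ports), "external_ip_lookup": sorted(ip_echo)}


if __name__ == "__main__":
    for kind, detail in triage_command_lines(COMMAND_LINES):
        print(kind, detail)
    print(summarise_network(NETWORK_ROWS))
```

The Tor relay ports and the SOCKS-style loopback churn are what distinguish this from an ordinary HTTPS beacon: the 443 destinations are mixed relay and non-relay traffic and, on their own, do not identify the C2, which is why the port-based heuristic is kept separate from the 443 rows rather than folded into one indicator.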

Files

memory/1040-0-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/1040-1-0x0000000000C20000-0x0000000001140000-memory.dmp

memory/1040-2-0x0000000005B90000-0x0000000005BA0000-memory.dmp

memory/1040-3-0x00000000034A0000-0x00000000034AA000-memory.dmp

memory/1040-4-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

memory/1040-5-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/1040-6-0x0000000005B90000-0x0000000005BA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs

MD5 ed6d432bdbf28ed6ac0cf59692f5e0fe
SHA1 29b388b1b2cf5d2fea4d80088093ec6ea2575ca7
SHA256 452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe
SHA512 9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e

memory/4976-14-0x00000000024A0000-0x00000000024D6000-memory.dmp

memory/4976-13-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/4976-16-0x0000000004920000-0x0000000004930000-memory.dmp

memory/4428-17-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4428-12-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4976-19-0x0000000004F60000-0x000000000558A000-memory.dmp

memory/4428-20-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1040-21-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/4976-15-0x0000000004920000-0x0000000004930000-memory.dmp

memory/4976-22-0x0000000004E00000-0x0000000004E22000-memory.dmp

memory/4976-23-0x0000000005700000-0x0000000005766000-memory.dmp

memory/4976-24-0x0000000005770000-0x00000000057D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnulhxo1.yvd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4976-33-0x0000000005860000-0x0000000005BB7000-memory.dmp

memory/4976-34-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

memory/4976-35-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

memory/4428-36-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4428-38-0x00000000708C0000-0x00000000708FC000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/3844-58-0x0000000000EF0000-0x00000000012F4000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/3844-68-0x000000006FCA0000-0x000000006FD68000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/3844-74-0x00000000707E0000-0x0000000070804000-memory.dmp

memory/3844-75-0x000000006FC10000-0x000000006FC98000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc

MD5 10e4369f9761d5401203f24a43aec777
SHA1 f6237d60d66f0bdc642836387c2e9adaf60114d2
SHA256 1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976
SHA512 7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb

memory/3844-71-0x000000006FDC0000-0x000000006FE8E000-memory.dmp

memory/3844-79-0x0000000001DB0000-0x000000000207F000-memory.dmp

memory/3844-80-0x000000006F830000-0x000000006FAFF000-memory.dmp

memory/3844-81-0x000000006FB00000-0x000000006FC0A000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/4976-82-0x0000000004920000-0x0000000004930000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/3844-63-0x000000006FD70000-0x000000006FDB9000-memory.dmp

memory/4976-83-0x000000007F190000-0x000000007F1A0000-memory.dmp

memory/4976-84-0x00000000062F0000-0x0000000006324000-memory.dmp

memory/4976-94-0x00000000062B0000-0x00000000062CE000-memory.dmp

memory/4976-85-0x0000000070D60000-0x0000000070DAC000-memory.dmp

memory/4976-95-0x0000000006D10000-0x0000000006DB4000-memory.dmp

memory/4976-96-0x00000000076C0000-0x0000000007D3A000-memory.dmp

memory/4976-97-0x0000000006330000-0x000000000634A000-memory.dmp

memory/4976-98-0x0000000007090000-0x000000000709A000-memory.dmp

memory/4976-99-0x00000000072A0000-0x0000000007336000-memory.dmp

memory/4976-100-0x0000000007220000-0x0000000007231000-memory.dmp

memory/4976-101-0x0000000007250000-0x000000000725E000-memory.dmp

memory/4976-102-0x0000000007260000-0x0000000007275000-memory.dmp

memory/4976-103-0x0000000007360000-0x000000000737A000-memory.dmp

memory/4976-104-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/4428-105-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4428-106-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4428-107-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4428-108-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4428-109-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4976-110-0x0000000007350000-0x0000000007358000-memory.dmp

memory/4428-111-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4976-112-0x0000000004920000-0x0000000004930000-memory.dmp

memory/4428-113-0x000000006EE60000-0x000000006EE9C000-memory.dmp

memory/4976-116-0x0000000074AD0000-0x0000000075281000-memory.dmp

memory/3844-117-0x0000000000EF0000-0x00000000012F4000-memory.dmp

memory/3844-118-0x000000006FDC0000-0x000000006FE8E000-memory.dmp

memory/3844-119-0x000000006FD70000-0x000000006FDB9000-memory.dmp

memory/3844-120-0x00000000707E0000-0x0000000070804000-memory.dmp

memory/3844-121-0x000000006FCA0000-0x000000006FD68000-memory.dmp

memory/4428-125-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/3844-126-0x0000000000EF0000-0x00000000012F4000-memory.dmp

memory/3844-127-0x0000000000EF0000-0x00000000012F4000-memory.dmp

memory/3844-135-0x0000000001DB0000-0x000000000207F000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus

MD5 381cc5ba2ce158b71214b0d01a0b1a5c
SHA1 d7c546b983b31d2785f46e3b097992f96445074d
SHA256 ad8060faee1771ee0547d651d4cceee52263e534b0cf84efa75f6c0bab1187ec
SHA512 8fc885b883e058bb907a3eb8d2a88bfa6729d114f926db80c15af03aa01f2e8833727c80e77903a730c7721f9e3730e6a95cd4d938c7da24c0848ff34691f8b4

memory/3844-144-0x0000000000EF0000-0x00000000012F4000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new

MD5 8a873e0ff34859d7e04f3b7cb765dadf
SHA1 c83a16d35c4955a0584feb18548fbc28007a74e9
SHA256 343c54d20d2f234e1db2cd0cff024801c2a4b96ee11c7fd19b44dfdb63a289d0
SHA512 3707d829d9711e76b4b11de270c7623a7d14339c7e27b35f84f4a84cef50d68c834281f8dd67a62d31172468a223e7d61276ed6dbc6be20ac18328442a94ffbf

memory/3844-159-0x0000000000EF0000-0x00000000012F4000-memory.dmp

memory/4428-167-0x00000000752E0000-0x000000007531C000-memory.dmp

memory/3844-177-0x0000000000EF0000-0x00000000012F4000-memory.dmp

memory/3844-185-0x0000000000EF0000-0x00000000012F4000-memory.dmp

memory/3844-193-0x0000000000EF0000-0x00000000012F4000-memory.dmp

memory/3844-226-0x0000000000EF0000-0x00000000012F4000-memory.dmp

memory/340-227-0x000000006F830000-0x000000006FAFF000-memory.dmp

memory/340-228-0x000000006FCA0000-0x000000006FD68000-memory.dmp

memory/340-230-0x0000000000EF0000-0x00000000012F4000-memory.dmp

memory/340-229-0x000000006FDC0000-0x000000006FE8E000-memory.dmp

memory/340-233-0x000000006FD70000-0x000000006FDB9000-memory.dmp

memory/340-237-0x000000006FB00000-0x000000006FC0A000-memory.dmp

memory/340-238-0x000000006FC10000-0x000000006FC98000-memory.dmp

memory/340-235-0x00000000707E0000-0x0000000070804000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs

MD5 6f17da946d9ea995a3eb6b162d4a09ef
SHA1 b6336bc4b109439d511099fe1d07a10e47b5f562
SHA256 30de01d1f4e6dd101905a2ed8723f1145fd47b5bc74343fc885e3f824fead344
SHA512 94c253c3fcee0766508755bda8e0934c31ab279af12e5b7887a2ab805c5363b83307c0b95a460cc65a92172e4ffe791d36e0479229653ceae9df0c44a210889d

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state

MD5 5c3178ffeb15569fbfaa129b7121a21b
SHA1 0ca3d373a4b8bcf5445550198c7e739daf7fe02d
SHA256 a41994a8db1cba579e24dbbec0eb297e8e5dbf77200a278c60826ff0c421221c
SHA512 5c606e7e7f604e074f235df8c28acec207a843910f7c5f89e687f0b1c4e7d0bdb6fd1a985facf307fda7ec2936107df60da8481db3f9b8cd03a7172fb47b5abd

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new

MD5 b8c9d2defc79e0478b0e0f4f8a2a08b7
SHA1 cd39caadacdc7d724a28ab41df2151d755252411
SHA256 ec45fbf67324f84c65b059d8c1bb69d09ca67e235556a4d19c06e118b84903a9
SHA512 b85a2894a7869125ea27e5c59abd5040c78e18671e1bd801ea812b92dbfac6dcb093c9016c1c8269f284893ea1174c29ff3328ecd4c8a32ca11641513f459bb4

memory/4428-261-0x0000000074C40000-0x0000000074C7C000-memory.dmp

memory/340-262-0x000000006F830000-0x000000006FAFF000-memory.dmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state

MD5 5e2088899713b3031968e25a89802651
SHA1 9a8bb7087a7fc68098496ba5b799e9673c83fe05
SHA256 d555c7f2ac4819a179ab2adce11f0b6342158d11abd35939afc328ed7d588c07
SHA512 5b417b7f68673dededdb0002eb6f2c5df75e962d1531a849afd39ec4c206c45327ea735ad77a38b1bb87b38f9b76c1a18d5e1e9d72e3a89e5bc1ec17384f7d8c

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs

MD5 1c35eb32d1c98e9472d986e0789a16bf
SHA1 3ce89c349e5ca5979ff8ec80b80a26763385ec84
SHA256 8e7e16689825032aa9bf518fd3563aa0c0b7666153fdbc2a8e4ee38b6aff4cd6
SHA512 92351f33d6598a347e884d958813f22a42cf9905f3237b0578a789c661b9f3f4b6c93bf778dd56191fd7dd95612b8f315511d6ce3d0189cc9fb40bf7b765fcd1