Malware Analysis Report

2024-09-22 21:56

Sample ID 240425-qegsxsba4s
Target a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
SHA256 a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Tags
bitrat persistence trojan upx
Score
10/10

Analysis Overview

Score
10/10

SHA256

a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449

Threat Level: Known bad

The file a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449 was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

Bitrat family

BitRAT

Checks computer location settings

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-25 13:10

Signatures

Bitrat family

bitrat

Unsigned PE

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-25 13:10

Reported

2024-04-25 13:15

Platform

win10-20240404-en

Max time kernel

298s

Max time network

305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4960 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4960 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4960 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4960 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4960 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4960 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4960 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4960 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Files

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 f3902607e8722174922adc72e977ea7c
SHA1 f307612d35cfaae0d3396f3af1fa652b99921633
SHA256 0411042816f81960bed1782da5128037bd2dfbd7ca2e3ad3506249e30017ae38
SHA512 03a70399c7f0ad64d3cecb4cef92caf11b72f0057424aca8f8af783f634ef6f6e7e5b5271fcffd9eefa2a4b2493ef365d8b240c0d51c0d2d68122ac2c4c41341

memory/2752-193-0x0000000072370000-0x00000000723F8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 97e6c637a35e2ea1e52b3eade593e8f1
SHA1 85235a0e7780a9e368abb469456dff61f4ad32b9
SHA256 62682d5f5a897a85b0bb114b9365dac4abda122dc1bfec4448468ef50d7986c8
SHA512 4096cda0d7b368f7f21f0e740cfbb6b83594288e643b0560e928fda4edffb79ffab851ef252b488a113a639cd885f441e5d8e04b7c95bda4d67179091a0ca0e7

memory/2752-215-0x0000000000350000-0x0000000000754000-memory.dmp

memory/2752-216-0x0000000072C90000-0x0000000072CD9000-memory.dmp

memory/2752-225-0x0000000072510000-0x00000000725D8000-memory.dmp

memory/2752-261-0x0000000000350000-0x0000000000754000-memory.dmp

memory/2644-264-0x0000000000350000-0x0000000000754000-memory.dmp

memory/2644-265-0x0000000072CE0000-0x0000000072FAF000-memory.dmp

memory/2644-268-0x0000000072510000-0x00000000725D8000-memory.dmp

memory/2644-270-0x00000000722A0000-0x000000007236E000-memory.dmp

memory/2644-271-0x0000000072C90000-0x0000000072CD9000-memory.dmp

memory/2644-273-0x0000000072C60000-0x0000000072C84000-memory.dmp

memory/2644-276-0x0000000072370000-0x00000000723F8000-memory.dmp

memory/2644-275-0x0000000072400000-0x000000007250A000-memory.dmp

memory/4588-289-0x0000000072C90000-0x0000000072CD9000-memory.dmp

memory/4588-288-0x0000000072510000-0x00000000725D8000-memory.dmp

memory/4588-290-0x0000000072C60000-0x0000000072C84000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 bc046b6bc6391e381756c2abc8c03dae
SHA1 f6a60b3daee18cbe2791070196b1db3fa2919ec4
SHA256 96b227718c7d44ba09063088edae9fa7f0774b464ba2c95bac09b1a8d49e660a
SHA512 647362d33afe5def2347f1c52097234b5ef7a712f00edb720b43919590aa6cf863bb3de6a44318e2027ccbac6e886b27a5472bd6397dfa298a227be39b9b77f1

memory/4588-292-0x0000000072370000-0x00000000723F8000-memory.dmp

memory/4588-295-0x00000000722A0000-0x000000007236E000-memory.dmp

memory/4588-294-0x0000000072400000-0x000000007250A000-memory.dmp

memory/4588-296-0x0000000072CE0000-0x0000000072FAF000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 d97706f3e606d91881e9071653c8ea26
SHA1 553793d430deba3485ca6075bc5935ab257364b0
SHA256 81b337da399164c7f1f5ed2dc0cf3b148fb565e591c6035e017f91899e621ecf
SHA512 d45582e8cf2619dbe025e7a32b85106a77e2f6a16470f8897a174350f4b3a006de7cc1c511bdf4e12a3524789867571694c4d6d48e5c5c3a802ab78241c72155

memory/4960-300-0x0000000073BF0000-0x0000000073C2A000-memory.dmp

memory/4960-309-0x0000000072960000-0x000000007299A000-memory.dmp

memory/4588-310-0x0000000000350000-0x0000000000754000-memory.dmp

memory/4588-319-0x0000000072510000-0x00000000725D8000-memory.dmp

memory/4960-344-0x00000000734F0000-0x000000007352A000-memory.dmp

memory/2464-367-0x0000000000350000-0x0000000000754000-memory.dmp

memory/4588-365-0x0000000000350000-0x0000000000754000-memory.dmp

memory/2464-369-0x0000000072CE0000-0x0000000072FAF000-memory.dmp

memory/2464-371-0x0000000072510000-0x00000000725D8000-memory.dmp

memory/2464-373-0x00000000722A0000-0x000000007236E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-25 13:10

Reported

2024-04-25 13:15

Platform

win10v2004-20240226-en

Max time kernel

291s

Max time network

308s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1456 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1456 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1456 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1456 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1456 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1456 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Files

memory/1456-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1456-1-0x0000000074350000-0x0000000074389000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/3908-22-0x0000000000800000-0x0000000000C04000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/3908-28-0x00000000737A0000-0x00000000737C4000-memory.dmp

memory/3908-27-0x00000000737D0000-0x0000000073898000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/3908-33-0x00000000736D0000-0x000000007379E000-memory.dmp

memory/3908-37-0x0000000073570000-0x000000007367A000-memory.dmp

memory/3908-36-0x0000000000F50000-0x0000000000F99000-memory.dmp

memory/3908-34-0x0000000073680000-0x00000000736C9000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/3908-43-0x00000000732A0000-0x000000007356F000-memory.dmp

memory/3908-45-0x0000000073210000-0x0000000073298000-memory.dmp

memory/3908-44-0x0000000000F50000-0x0000000000FD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/3908-42-0x00000000017D0000-0x0000000001A9F000-memory.dmp

memory/1456-49-0x0000000072E00000-0x0000000072E39000-memory.dmp

memory/3908-52-0x0000000000800000-0x0000000000C04000-memory.dmp

memory/3908-53-0x00000000737D0000-0x0000000073898000-memory.dmp

memory/3908-54-0x00000000737A0000-0x00000000737C4000-memory.dmp

memory/3908-55-0x00000000736D0000-0x000000007379E000-memory.dmp

memory/3908-56-0x0000000073680000-0x00000000736C9000-memory.dmp

memory/3908-57-0x0000000073570000-0x000000007367A000-memory.dmp

memory/3908-58-0x00000000732A0000-0x000000007356F000-memory.dmp

memory/3908-63-0x0000000000800000-0x0000000000C04000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 84e49117ff2bdf43e685eb0c61e226aa
SHA1 f55d1a80c7c8c9435b787d5ea4764f3cb17a0771
SHA256 da63ec7df89f3f47fd25e7736764bdb67ba21093e1dc00e0059620b12caee426
SHA512 292011df58b6def6c267dfa8112848ce13b7a48820443bb87a82eb93cdcc957f0871086f713ce3697d452124c7b1de686b542139b5210a9f6ed193c6b730e822

memory/3908-71-0x0000000000F50000-0x0000000000F99000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 62edfd0316d3370f6c2977195a9bdf51
SHA1 483dd260a491e766f6feeeb88b4a7f8c061d025f
SHA256 6e296c79ce004aa00a4a57fda0b69d76cc3395f97902d113227fbb95a050e02a
SHA512 2f3114ead5b805c0605a3255d351f82a17653302ef65737a13b1ed2bed975763a7a268aa2c18ca73c78e6f56370bf6d31664ca0d9e4e34f2b311e8b233729f79

memory/3908-73-0x0000000000800000-0x0000000000C04000-memory.dmp

memory/3908-81-0x00000000017D0000-0x0000000001A9F000-memory.dmp

memory/3908-82-0x0000000000F50000-0x0000000000FD8000-memory.dmp

memory/3908-91-0x0000000000800000-0x0000000000C04000-memory.dmp

memory/3908-101-0x0000000000800000-0x0000000000C04000-memory.dmp

memory/3908-109-0x0000000000800000-0x0000000000C04000-memory.dmp

memory/3908-124-0x0000000000800000-0x0000000000C04000-memory.dmp

memory/3384-141-0x00000000732A0000-0x000000007356F000-memory.dmp

memory/3384-140-0x0000000000800000-0x0000000000C04000-memory.dmp

memory/3384-142-0x00000000737D0000-0x0000000073898000-memory.dmp

memory/3384-144-0x0000000073680000-0x00000000736C9000-memory.dmp

memory/3384-150-0x0000000073570000-0x000000007367A000-memory.dmp

memory/3384-151-0x0000000073210000-0x0000000073298000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 55034a47e336a1c33a63874c07a4873b
SHA1 cec4d680b8d857ecfa29e25f2a8dec36f2070bb5
SHA256 f17597084ae8071aea8043897cd8884c8a9f5a554d9cd52d22dd2163f5c3fe4b
SHA512 4b57f0d6d146c310c68ca5bbc65e1cf85931879132ac114ef39ebbd3353adee87613200ecb1310b09a64afb6188ce6303dccd0c876267bc0f70d2ee87ff2360c

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 781bab4a82b3fcc5950252fb8cafbc6d
SHA1 af49fcd4168cab082e31169344d6717338d7cddf
SHA256 0581577076f0e4c435111828cdd8e3698978f72eb4d5a704d4a14417beca5720
SHA512 b1c3e304af4fd896f2b8eb453d73516b3d85955f5118881d651a9de6015d1a753ae58fd47efeaf2a85447ca0337c11d05a1cbf25f0abc3b4360a2fb6b7cf358e

memory/3384-149-0x00000000737A0000-0x00000000737C4000-memory.dmp

memory/3384-143-0x00000000736D0000-0x000000007379E000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 7aae9736515b4fd5f0d10da37fdcf904
SHA1 bfed7bbd5263c565e602295d5948d9f23803d9bd
SHA256 e1aad8c9b7cf816e093703a971e0a4cae8286cc9ef514e5f1db159d8cd9cece5
SHA512 63e1b89c915c44df91ddf291b70c6662ff2721ce9a36e36d34628341277bf0788d886ca4acd563526aec3291b6c6b992b8f31958319d94d1cdddb7c2e7b33979

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 1264126d786cb0279d5f3e3293f39be3
SHA1 aaf21b22c88c647bba9107d73f61e8c27ea013c0
SHA256 3beb918d31d91412aee3c1bbb5c0662fd394d9ef3cdb101901e8397cc27ee40b
SHA512 f73d96e63b40e6622571b82784b64001b5220ecceb1f21eeaf0660bd5f500c077e712cd0a29e5dc6784a091d97886041011bbec37e05d8168992fc4b663371e7

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 994804e39802f8d8c9780b4da3e39d09
SHA1 41e5dd6987eab27f378c824e460ff8a099dac1f7
SHA256 d8b0ce4a52ea0387701746be80846400cef60c21a14919b69ec3abfb5c917689
SHA512 4d8f023dc7e91aba28d48afc7bf6595e78d7db1484df752058bb16aa9dc75ee129f8f677bc2da112117569785124c1315774dc91a9fd7dabcacdc1845750eb6f

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-25 13:10

Reported

2024-04-25 13:15

Platform

win11-20240412-en

Max time kernel

300s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2692 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2692 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2692 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2692 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2692 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2692 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2692 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus

MD5 84e49117ff2bdf43e685eb0c61e226aa
SHA1 f55d1a80c7c8c9435b787d5ea4764f3cb17a0771
SHA256 da63ec7df89f3f47fd25e7736764bdb67ba21093e1dc00e0059620b12caee426
SHA512 292011df58b6def6c267dfa8112848ce13b7a48820443bb87a82eb93cdcc957f0871086f713ce3697d452124c7b1de686b542139b5210a9f6ed193c6b730e822

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 c8ead1771542044a2549189c3ff62e53
SHA1 81f65a866596669bf38379bdee74c455d8e3413a
SHA256 686973775f5a4bf1a4efc97466cd5586a3f5d1774b1a7b7eb407762e2a219e55
SHA512 8f9d0421420fd1725138ef1b176155037e9c3cf1982af71651ce8f7355c32206e38fab2e9798faa0490158a84b6870d8600df1d02fbf0e204a24a57655bb51f5

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 aa0c08b930eee9ae383d130e397f8f87
SHA1 fda90d2b9ac6a852b36ec8e66e7a5034560662de
SHA256 e9550915e943d697bfc132223d83d78fc20fb838cc130dc71933b87e7ff83394
SHA512 caf35fc08231329e346d6baeb04bf31242ba0f2e6415540b7a1931ee14d06c34163a2555930a35c60970f6a8f7cd4bca887d0009e3961264025afd88827844a0

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 85ee5c8303a1e54204f71672eb7aa95f
SHA1 bfe500e0a02ba9608bb60a387dfcce5c561d4f61
SHA256 abb01db30dec8d47c7def2aed46514b8c7b8c835736ea10e00becf43ea371bf2
SHA512 4fcdbfb8c478f8ca0b9361b22f616cd590e65adde84dd352df787408067dd0eb5955b6b8afa94231f02add79c33ab99772912c6862ccf957ff13d1f519094aa4

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 90d7f6bbd47690127aef77b24bdd46e7
SHA1 1dd78265266dfa07fa7a7def6b2a1d76eb03d5d5
SHA256 b7a9c09551280d13d127d9162837ac575b178e283a22108cc5f0a9c13c8d76d8
SHA512 ddbdfac6e314001c5ee5d8cbb6cc1280f25545d1d46bc48af404fb98ceeffbc8d9b7354058c9c5483cc6998ed8d2f846af2c415a852eb66748c6a8b71f71bec9

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 5b6d7b254d7445b5a19641098f3e1b78
SHA1 32c9106371d9fa861d6da30f814d26c609183e04
SHA256 2a7e06cc74bcd68a60fa0718aa1da736f210f7c46553e12a1c57284b3d35cf0c
SHA512 4b07f5e58d7f6b19fdca3ead1902e8a996dfffc2b0c02b824168794995c1643b54d5799616948fdd3c44840d1b65a8436592deb9e152c086f98e67d5876d83ba

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 021ceff30e5fa0ccdf3405d4d2775f6b
SHA1 ee2afbcb2df676a178e8c14d2b1f1a1f3826fdda
SHA256 928a2e08d99097ea33447d2f4fa92e8fccfe81832136434ba048645e6b0c376a
SHA512 9091ea85a2d0db705143e4b3e12958c1f2894d7784303274e303555bf5738e051d8c819275bdb4823357228aaa26a0fd0319a8d06ba479960455fa0796f7ef6b

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 13:10

Reported

2024-04-25 13:15

Platform

win10v2004-20240412-en

Max time kernel

295s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A (identical row repeated 7 times)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A (identical row repeated 64 times)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (identical row repeated 64 times)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A (identical row repeated 7 times)

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A (identical row repeated 52 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)
PID 3080 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (repeated 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc (12 instances of this process with this command line)

Network


Files

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 13:10

Reported

2024-04-25 13:15

Platform

win7-20240221-en

Max time kernel

298s

Max time network

305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2444 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2444 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
NL 192.87.28.28:9001 tcp
DE 92.60.38.166:443 tcp
DE 89.58.33.214:443 tcp
N/A 127.0.0.1:49245 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49322 tcp
US 23.29.119.122:9000 tcp
FI 95.217.71.73:9001 tcp
N/A 127.0.0.1:49464 tcp

Files

\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
