Analysis Overview
SHA256
8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
Threat Level: Known bad
The file 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2 was found to be: Known bad.
Malicious Activity Summary
BitRAT payload
BitRAT
Bitrat family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Uses Tor communications
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-26 06:45
Signatures
BitRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Bitrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:56
Platform
win10v2004-20240412-en
Max time kernel
595s
Max time network
601s
Command Line
Signatures
BitRAT
BitRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 172.98.193.43:443 | tcp | |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| FR | 86.105.212.130:443 | tcp | |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| N/A | 127.0.0.1:54900 | tcp | |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FR | 193.70.112.165:443 | tcp | |
| US | 8.8.8.8:53 | 165.112.70.193.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FI | 37.27.67.176:443 | tcp | |
| DE | 89.163.164.202:443 | tcp | |
| US | 8.8.8.8:53 | 202.164.163.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.67.27.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:55057 | tcp | |
| US | 128.31.0.13:443 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| MD | 185.250.148.190:443 | tcp | |
| US | 8.8.8.8:53 | 190.148.250.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:55093 | tcp | |
| US | 8.8.8.8:53 | 13.0.31.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:55170 | tcp | |
| DE | 62.141.38.69:443 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| N/A | 127.0.0.1:55204 | tcp | |
| US | 8.8.8.8:53 | 55.53.148.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| NL | 77.247.181.162:443 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| N/A | 127.0.0.1:55289 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| BG | 94.156.175.120:443 | tcp | |
| US | 8.8.8.8:53 | 120.175.156.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:55371 | tcp | |
| CZ | 31.31.78.49:443 | tcp | |
| N/A | 127.0.0.1:55400 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| US | 8.8.8.8:53 | 49.78.31.31.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:55474 | tcp | |
| N/A | 127.0.0.1:55497 | tcp | |
| FR | 93.118.34.246:443 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| US | 8.8.8.8:53 | 246.34.118.93.in-addr.arpa | udp |
| FI | 37.27.67.176:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:55553 | tcp | |
| FR | 37.187.102.108:443 | tcp | |
| N/A | 127.0.0.1:55580 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| BG | 94.156.175.120:443 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:55639 | tcp | |
| N/A | 127.0.0.1:55662 | tcp | |
| DE | 81.7.13.84:443 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| BG | 94.156.175.120:443 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 199.184.246.250:443 | tcp | |
| N/A | 127.0.0.1:55731 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:55796 | tcp | |
| DE | 37.120.174.249:443 | tcp | |
| N/A | 127.0.0.1:55818 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| US | 8.8.8.8:53 | 249.174.120.37.in-addr.arpa | udp |
| BG | 94.156.175.120:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:55873 | tcp | |
| N/A | 127.0.0.1:55900 | tcp | |
| AT | 37.252.187.111:443 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| BG | 94.156.175.120:443 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:55963 | tcp | |
| RO | 185.225.17.3:443 | tcp | |
| US | 135.148.53.55:443 | tcp | |
| FI | 37.27.67.176:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| BG | 94.156.175.120:443 | tcp |
Files
memory/4812-0-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/4812-1-0x0000000075110000-0x0000000075149000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
memory/432-20-0x0000000000210000-0x0000000000614000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
| MD5 | 22ec9e4c1cdf6aca7b2997be93f46645 |
| SHA1 | df0a0e3373fc514518b70adfebc86c23c3f04bf8 |
| SHA256 | b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4 |
| SHA512 | d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94 |
memory/432-35-0x00000000741F0000-0x00000000742BE000-memory.dmp
memory/432-34-0x00000000742C0000-0x0000000074388000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
memory/432-39-0x00000000741A0000-0x00000000741E9000-memory.dmp
memory/432-40-0x0000000074090000-0x000000007419A000-memory.dmp
memory/432-41-0x0000000074060000-0x0000000074084000-memory.dmp
memory/432-43-0x0000000001560000-0x00000000015E8000-memory.dmp
memory/432-42-0x0000000073FD0000-0x0000000074058000-memory.dmp
memory/432-44-0x0000000074390000-0x000000007465F000-memory.dmp
memory/4812-45-0x0000000073BC0000-0x0000000073BF9000-memory.dmp
memory/432-46-0x0000000000210000-0x0000000000614000-memory.dmp
memory/432-47-0x00000000742C0000-0x0000000074388000-memory.dmp
memory/432-49-0x00000000741F0000-0x00000000742BE000-memory.dmp
memory/4812-54-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/432-55-0x0000000000210000-0x0000000000614000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
| MD5 | e0c532df4b63edb19c242ef478980308 |
| SHA1 | e62c4db641e976bac705db9d547d213ff2c49217 |
| SHA256 | 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7 |
| SHA512 | da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e |
memory/432-64-0x0000000000210000-0x0000000000614000-memory.dmp
memory/432-72-0x0000000001560000-0x00000000015E8000-memory.dmp
memory/432-73-0x0000000000210000-0x0000000000614000-memory.dmp
memory/432-81-0x0000000000210000-0x0000000000614000-memory.dmp
memory/4812-90-0x0000000075130000-0x0000000075169000-memory.dmp
memory/432-91-0x0000000000210000-0x0000000000614000-memory.dmp
memory/432-102-0x0000000000210000-0x0000000000614000-memory.dmp
memory/432-110-0x0000000000210000-0x0000000000614000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | fa0c55d44672e60bb75938e14b14fb1e |
| SHA1 | 4fda728eae4d894c4ba386c1eafd6d41a3aea700 |
| SHA256 | 5bfc40e29452e93c9a9a32d62f9001bba610bfc4a6635ec7dce700cf374158a1 |
| SHA512 | e50993f37830b83d9984a9446b06e94af91b11c6977ece1c08e7434f60dae37c6b0320be745fa37bcb678e6fb713e09427c4ab35759a4cccbef38eb319c46ef6 |
memory/432-124-0x0000000000210000-0x0000000000614000-memory.dmp
memory/3212-149-0x0000000000210000-0x0000000000614000-memory.dmp
memory/3212-151-0x0000000074390000-0x000000007465F000-memory.dmp
memory/432-150-0x0000000000210000-0x0000000000614000-memory.dmp
memory/3212-152-0x00000000742C0000-0x0000000074388000-memory.dmp
memory/3212-153-0x00000000741F0000-0x00000000742BE000-memory.dmp
memory/3212-157-0x0000000074060000-0x0000000074084000-memory.dmp
memory/3212-156-0x00000000741A0000-0x00000000741E9000-memory.dmp
memory/3212-159-0x0000000074090000-0x000000007419A000-memory.dmp
memory/3212-161-0x0000000073FD0000-0x0000000074058000-memory.dmp
memory/3212-167-0x0000000000210000-0x0000000000614000-memory.dmp
memory/3212-170-0x00000000741F0000-0x00000000742BE000-memory.dmp
memory/3212-169-0x00000000742C0000-0x0000000074388000-memory.dmp
memory/3212-168-0x0000000074390000-0x000000007465F000-memory.dmp
memory/1288-184-0x0000000074210000-0x0000000074234000-memory.dmp
memory/1288-177-0x0000000074360000-0x0000000074428000-memory.dmp
memory/1288-183-0x0000000074240000-0x0000000074289000-memory.dmp
memory/1288-185-0x0000000074100000-0x000000007420A000-memory.dmp
memory/1288-186-0x0000000074070000-0x00000000740F8000-memory.dmp
memory/1288-191-0x0000000074430000-0x00000000746FF000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
| MD5 | 4e28cad3a1fb25fadbade03b6b187c9c |
| SHA1 | 9c36c72b384eace1797c5a8e47b36516073a038e |
| SHA256 | 78477407e5d820c6b951ad6953ca2eea0af6048c8a3c37d78d03d35ab2d0053d |
| SHA512 | 91ab9690f62af49b0f6c46c483edbea790efea0529e1cb38090d5e07de99861f61743062fc85df80573d9b15500aed22aa19248f171f150f15098542884d3216 |
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 9345ffe91563b01c1f0a8c85d7dcd890 |
| SHA1 | 25bfb64a03f927e05761116a91ddaac55a3945d3 |
| SHA256 | 8d27becd1d7df23e7dddfced108abf16f51a43a45c53eac54d64b3b34380b9e6 |
| SHA512 | 259318d17a8f01e5aaf3296a8b56ec4f067aae8d1da7ecb47d9c7dec265caaf893ed53800c0404d300de820e9ad356f7cfddf701b7bae0ea5a6c6033bc9aebc4 |
memory/1288-192-0x0000000074290000-0x000000007435E000-memory.dmp
memory/4812-210-0x0000000073E30000-0x0000000073E69000-memory.dmp
memory/1288-211-0x0000000000210000-0x0000000000614000-memory.dmp
memory/1288-212-0x0000000074360000-0x0000000074428000-memory.dmp
memory/3124-248-0x0000000074360000-0x0000000074428000-memory.dmp
memory/1288-249-0x0000000000210000-0x0000000000614000-memory.dmp
memory/3124-247-0x0000000074430000-0x00000000746FF000-memory.dmp
memory/3124-245-0x0000000000210000-0x0000000000614000-memory.dmp
memory/3124-251-0x0000000074290000-0x000000007435E000-memory.dmp
memory/3124-252-0x0000000074240000-0x0000000074289000-memory.dmp
memory/3124-256-0x0000000074100000-0x000000007420A000-memory.dmp
memory/3124-258-0x0000000074070000-0x00000000740F8000-memory.dmp
memory/3124-254-0x0000000074210000-0x0000000074234000-memory.dmp
memory/3124-264-0x0000000074430000-0x00000000746FF000-memory.dmp
memory/3124-266-0x0000000074290000-0x000000007435E000-memory.dmp
memory/3124-265-0x0000000074360000-0x0000000074428000-memory.dmp
memory/3124-267-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2440-279-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2440-280-0x0000000074430000-0x00000000746FF000-memory.dmp
memory/2440-281-0x0000000074360000-0x0000000074428000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | e4cfe13b3089c18e230f0b6c82a5affa |
| SHA1 | 5550f17a2d69b3a3c7138b4060e7042e0e21eb80 |
| SHA256 | 4800096fe43d30315fe9e0e9c01dee78e4236d03d9b1ca5ae67ce5c092330257 |
| SHA512 | 58c32819961b7328f3f960c9ff3c318c94e90e5fb47ea78870c8c063b303197bb62ff9f27938397c7402252e52b08a256d8b17cfd35db431480fa21d21579200 |
memory/2440-286-0x00000000741D0000-0x00000000742DA000-memory.dmp
memory/2440-287-0x0000000074140000-0x00000000741C8000-memory.dmp
memory/2440-288-0x0000000074070000-0x000000007413E000-memory.dmp
memory/2440-285-0x00000000742E0000-0x0000000074304000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs
| MD5 | 12f08dbfce1dc2fc90ebca01331b2cdb |
| SHA1 | 4aef85f4b022c3e20138ecb03a387a26ac22bce0 |
| SHA256 | a89d5e8be15212a756e999bc2f107b3ea09b1074233292be6cd7fdac98352edd |
| SHA512 | 0cc256afae4a439ca0eb8234a99e95fec181dcd4281ff26eb23ea947e8c9882e95309ac778f8ad381d65271bdfa59a67c9bf9bed227f38b465573e34ffae17ae |
memory/2440-284-0x0000000074310000-0x0000000074359000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | c0fc79207b3463a808b1f43f9e5fb83d |
| SHA1 | 86da6ea945df4c80ea559059159f64618285ce95 |
| SHA256 | 8e9401edc4e5d1f1b8aa96249d8e5800a5f970264e37074d0e4caf5d62659ae9 |
| SHA512 | 4e42d597fb6989c33b492e9f624176784d4d7985d0b799ff3461fa2a911b2d822e17f4fc55737ab7ba38356f44c7213bc99e4b7aca84fc7a8938364e14e15b04 |
memory/4812-301-0x0000000073E30000-0x0000000073E69000-memory.dmp
memory/2440-311-0x0000000000210000-0x0000000000614000-memory.dmp
memory/2440-313-0x0000000074360000-0x0000000074428000-memory.dmp
memory/2440-312-0x0000000074430000-0x00000000746FF000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 70e6c315c01f78373298953557bcd31f |
| SHA1 | d1ed9da26d0de5c0a7f3fe8b6dd9508fc3e818f0 |
| SHA256 | a26a5ed697c8c3d136c9b55ceb08e9f87a0fd1428d7aacb88a7495d8d09acae1 |
| SHA512 | 36d88cebe702cef048f711355a624a448d7f7876d86db4486f616088cda497df6c632c9892435cbe32a0ad3b6a0da3672f63912380d659d3572f70e64cb0a8cf |
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:56
Platform
win11-20240412-en
Max time kernel
592s
Max time network
602s
Command Line
Signatures
BitRAT
BitRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| GR | 185.4.132.148:443 | tcp | |
| NL | 192.42.116.16:443 | tcp | |
| N/A | 127.0.0.1:49766 | tcp | |
| US | 8.8.8.8:53 | 148.132.4.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| DE | 194.163.178.164:443 | tcp | |
| US | 8.8.8.8:53 | 226.168.24.198.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| DE | 81.7.13.84:443 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| N/A | 127.0.0.1:49888 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| AT | 37.252.187.111:443 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| N/A | 127.0.0.1:49985 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| DK | 185.96.180.29:443 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| N/A | 127.0.0.1:50083 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:50173 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:50252 | tcp | |
| US | 204.8.156.142:443 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| FR | 163.172.149.122:443 | tcp | |
| N/A | 127.0.0.1:50316 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50375 | tcp | |
| N/A | 127.0.0.1:50403 | tcp | |
| CZ | 195.123.245.141:443 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50465 | tcp | |
| SE | 85.230.178.139:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 204.8.96.83:443 | tcp | |
| N/A | 127.0.0.1:50530 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50592 | tcp | |
| DE | 81.7.16.182:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50657 | tcp | |
| NL | 77.247.181.162:443 | tcp | |
| US | 74.123.97.26:443 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp |
Files
memory/4708-0-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/4708-1-0x0000000074340000-0x000000007437C000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
memory/2324-17-0x0000000000F90000-0x0000000001394000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/2324-32-0x0000000073910000-0x0000000073959000-memory.dmp
memory/2324-35-0x0000000073840000-0x0000000073908000-memory.dmp
memory/2324-37-0x0000000073740000-0x0000000073764000-memory.dmp
memory/2324-36-0x0000000073770000-0x000000007383E000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
| MD5 | 22ec9e4c1cdf6aca7b2997be93f46645 |
| SHA1 | df0a0e3373fc514518b70adfebc86c23c3f04bf8 |
| SHA256 | b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4 |
| SHA512 | d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94 |
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/2324-39-0x00000000736B0000-0x0000000073738000-memory.dmp
memory/2324-43-0x00000000732D0000-0x000000007359F000-memory.dmp
memory/2324-42-0x00000000735A0000-0x00000000736AA000-memory.dmp
memory/2324-44-0x0000000002200000-0x00000000024CF000-memory.dmp
memory/4708-45-0x0000000072EB0000-0x0000000072EEC000-memory.dmp
memory/2324-46-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2324-48-0x0000000073840000-0x0000000073908000-memory.dmp
memory/2324-47-0x0000000073910000-0x0000000073959000-memory.dmp
memory/2324-49-0x0000000073770000-0x000000007383E000-memory.dmp
memory/4708-54-0x0000000000400000-0x0000000000FBD000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus
| MD5 | e0c532df4b63edb19c242ef478980308 |
| SHA1 | e62c4db641e976bac705db9d547d213ff2c49217 |
| SHA256 | 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7 |
| SHA512 | da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e |
memory/2324-66-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2324-67-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2324-75-0x0000000002200000-0x00000000024CF000-memory.dmp
memory/2324-76-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2324-84-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/4708-95-0x0000000074310000-0x000000007434C000-memory.dmp
memory/2324-96-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2324-105-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2324-113-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2324-124-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2880-150-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2880-151-0x00000000732D0000-0x000000007359F000-memory.dmp
memory/2880-152-0x0000000073840000-0x0000000073908000-memory.dmp
memory/2880-157-0x0000000073770000-0x000000007383E000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
| MD5 | d718cf7e25be82074d4f52ead4877158 |
| SHA1 | 9d039962ca73212ff4991a28eba039c1782441d2 |
| SHA256 | aeaf3a6c0182786d49eeaf44b924e45649276287b81a319f7d335d3038392d7e |
| SHA512 | 5fb62efd2bf2d1c4a8c4d5af9e55e389156e58beed5cf380e49ab6a1e900f7074fc9626468895eb0ae106ce9485154eaf44f7fdc85111ead7fd0f5d4438e01ed |
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 1ba243de6973024fb3277fa6a748b6d7 |
| SHA1 | 7d9a620d416415a4d5f255df0468a8e3a5df4b38 |
| SHA256 | c1944c99d0cb47f9156b2638a75efd69bbb56bff6ea3180855ea1fd9d20344d7 |
| SHA512 | ad5ec056b370893ed4aee564ede4c0896c859390603feea39005c775fc647e131ed1b14a8daef718cfe3b01394938ccd4483793c94dc146b4f05e45ee9af2822 |
memory/2324-149-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2880-158-0x0000000073910000-0x0000000073959000-memory.dmp
memory/2880-159-0x0000000073740000-0x0000000073764000-memory.dmp
memory/2880-160-0x00000000735A0000-0x00000000736AA000-memory.dmp
memory/2880-161-0x00000000736B0000-0x0000000073738000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 52934624f49badf6e158e206b41a1306 |
| SHA1 | 914e3b08e70306cb1cc5bc47dae76c9dee0e04ce |
| SHA256 | 437e929b65a7fe9b1cf91c81317dab9101319942781b38321a2f079ea728c0fa |
| SHA512 | b73ff7571ac1d5222f1faddfea50f13a513c7db3aabd9f96f679ab70dffb533c2c2c473d036a28e5a1ddd0eac5695c668b4695aa369d20a2bafbe370593d95ca |
memory/4708-184-0x0000000073140000-0x000000007317C000-memory.dmp
memory/2880-185-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/2880-187-0x0000000073840000-0x0000000073908000-memory.dmp
memory/2880-186-0x00000000732D0000-0x000000007359F000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | f09751657238e728e5d2553dd61e360a |
| SHA1 | 4c791ed031e28b9cb419f9997d075854aec6f547 |
| SHA256 | 0496928546526ca5ebe61b8d2de67ab21395b52a02ade9b91cfaea2d933a35ad |
| SHA512 | 4731cfd9410586f6ba1b92a8d1d7fdcee4cbc5313136416ccae564175578f129ce0fb23069e348cf390817c78ee99db9311ac7f1eea96c076ac87a8e247d8b1a |
memory/2880-240-0x0000000000F90000-0x0000000001394000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 3fd1b66a9365e9c9d7ecec6f89551abb |
| SHA1 | 728e7cadea8daafb4a8c4e39eead626ea3e6d459 |
| SHA256 | 69228831bc90c5ceb447990967238375394c9aa1433868e66d6a1e1cb4c02b15 |
| SHA512 | 6277f3cd9e403b98d0c2db2d40bfd8f6ec1b8cdb2ccd3b82c2691f2cd1c121f73d432770cd4bf264ce2b7e0305da696f8325dde1582b634bc83600447c8b30aa |
memory/3672-245-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/3672-246-0x00000000732D0000-0x000000007359F000-memory.dmp
memory/3672-247-0x0000000073840000-0x0000000073908000-memory.dmp
memory/3672-248-0x0000000073770000-0x000000007383E000-memory.dmp
memory/3672-249-0x0000000073910000-0x0000000073959000-memory.dmp
memory/3672-250-0x0000000073740000-0x0000000073764000-memory.dmp
memory/3672-251-0x00000000735A0000-0x00000000736AA000-memory.dmp
memory/3672-254-0x00000000736B0000-0x0000000073738000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs
| MD5 | 5c84a9cf4bf364dd11bfbd40c2f077e6 |
| SHA1 | 301f7f4a8d240dcc7e97cf707d987192358ff00a |
| SHA256 | 9e6c950dc81f60d6b4751986c1f6fa1d6837e5f312ca6c643ed7a4de74e261bc |
| SHA512 | 04c5502470003433d408a7e5d322a9f7d2e35382e289e308eb9426e1dcc91ade8d737c1063fbeea36e16d06b9926406e6b71c6f06aa4aa425f94d5ec5cf9b8c1 |
memory/4708-277-0x0000000073140000-0x000000007317C000-memory.dmp
memory/3672-280-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/4708-281-0x0000000074340000-0x000000007437C000-memory.dmp
memory/4708-298-0x0000000072EB0000-0x0000000072EEC000-memory.dmp
memory/3672-328-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/1544-334-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/1544-335-0x00000000732D0000-0x000000007359F000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 99c6d85e9d85e0ebab0a2ea6dde6a39a |
| SHA1 | e5a73a6b8db77fe05d1bae3f3fe07abb3ef38a8e |
| SHA256 | 5c789ca94c42ad10b0b6de63123b17a613daba23a3cada4a78d5d94676904e7a |
| SHA512 | 78bb47b1529c56b07c66fbcdbcf75e95e5b9911f53d07bd41528378e84fde33fcf9279cd5ee07dc5cd8f33576f7f36bc346bb6e085daf194d89fbfe5128c3a35 |
memory/1544-336-0x0000000073840000-0x0000000073908000-memory.dmp
memory/1544-337-0x0000000073770000-0x000000007383E000-memory.dmp
memory/1544-338-0x0000000073910000-0x0000000073959000-memory.dmp
memory/1544-339-0x0000000073740000-0x0000000073764000-memory.dmp
memory/1544-340-0x00000000735A0000-0x00000000736AA000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs
| MD5 | 570c89598f8f10193ead291433574ea9 |
| SHA1 | 68a41bc86a20982f2acaa38ef323eca037b1fff4 |
| SHA256 | 5655071709771b7fbfd361f1ff69977df9ad40aaa2074d776e32a618a8386932 |
| SHA512 | 77558b6a3ba83b9414d8f457a311cdb4048d121eff3a67c6f545b61dfbcf45d25019ea392d228d180a1c285bcc0576903d3a3d9995e0587a64181ddea0608903 |
memory/1544-342-0x00000000736B0000-0x0000000073738000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 29279bda6d42b29b51a8f929a2791998 |
| SHA1 | 95bfbd3a1fc7ca8bdfdffa94ae4dfabe2cf3bfbf |
| SHA256 | 1240948d619b08825dea82bf483b04fb8877153695dac313ee79353c2cf3db87 |
| SHA512 | 308bb60a9a1ff50b42af4dad9f47594b548709ed7c59eb8fa74383c71652ffbc8f95854250b61b07d4bf3046e2a47f74c5bb97829ea6b5846a99819576d87b0f |
memory/4708-365-0x0000000073140000-0x000000007317C000-memory.dmp
memory/1544-367-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/4708-368-0x0000000074310000-0x000000007434C000-memory.dmp
memory/1544-403-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/3508-411-0x0000000000F90000-0x0000000001394000-memory.dmp
memory/3508-413-0x0000000073840000-0x0000000073908000-memory.dmp
memory/3508-412-0x00000000732D0000-0x000000007359F000-memory.dmp
memory/3508-414-0x0000000073770000-0x000000007383E000-memory.dmp
memory/3508-416-0x0000000073910000-0x0000000073959000-memory.dmp
memory/3508-417-0x0000000073740000-0x0000000073764000-memory.dmp
memory/3508-418-0x00000000735A0000-0x00000000736AA000-memory.dmp
memory/3508-419-0x00000000736B0000-0x0000000073738000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 947d33fe52eb99408ea98384eda3179c |
| SHA1 | ba2be5105d33c08c980fe3df07a9575e1af717df |
| SHA256 | 49008bba84cd625cfe8c35e2939e0317e244892601924cae5084d908336177f9 |
| SHA512 | db00450d332fb2db294be1b6994670f83b665f2ac9062d9ca55c9dbca3d1266eafbca3ff99c0d39054e06f9b1c754f84524fdd04c750e929c0d4a015222668d6 |
memory/4708-442-0x0000000073140000-0x000000007317C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:56
Platform
win10v2004-20240412-en
Max time kernel
597s
Max time network
604s
Command Line
Signatures
BitRAT
BitRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| BG | 213.183.60.21:443 | tcp | |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| N/A | 127.0.0.1:51181 | tcp | |
| FR | 217.182.51.248:443 | tcp | |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 54.36.237.163:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 31.185.104.20:443 | tcp | |
| NL | 45.66.33.45:443 | tcp | |
| US | 8.8.8.8:53 | 153.97.55.23.in-addr.arpa | udp |
| US | 199.249.230.64:443 | tcp | |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| DE | 131.188.40.189:443 | tcp | |
| US | 172.98.193.43:443 | tcp | |
| US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| FR | 92.222.79.186:443 | tcp | |
| IT | 45.92.70.100:443 | tcp | |
| US | 8.8.8.8:53 | 100.70.92.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.79.222.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| DE | 82.165.76.126:443 | tcp | |
| BG | 82.118.242.103:443 | tcp | |
| US | 8.8.8.8:53 | 126.76.165.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.242.118.82.in-addr.arpa | udp |
| N/A | 127.0.0.1:51366 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 139.144.220.112:443 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| BG | 82.118.242.103:443 | tcp | |
| US | 8.8.8.8:53 | 112.220.144.139.in-addr.arpa | udp |
| N/A | 127.0.0.1:51509 | tcp | |
| US | 8.8.8.8:53 | 210.80.50.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| BE | 2.17.197.200:80 | tcp | |
| DE | 31.185.104.21:443 | tcp | |
| BG | 82.118.242.103:443 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| N/A | 127.0.0.1:51698 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| BG | 82.118.242.103:443 | tcp | |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:51884 | tcp | |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:51915 | tcp | |
| LU | 92.38.163.21:443 | tcp | |
| BG | 82.118.242.103:443 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| US | 8.8.8.8:53 | 208.14.97.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:52036 | tcp | |
| N/A | 127.0.0.1:52068 | tcp | |
| DE | 81.7.14.253:443 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| US | 8.8.8.8:53 | 253.14.7.81.in-addr.arpa | udp |
| BG | 82.118.242.103:443 | tcp | |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 139.144.220.112:443 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| FR | 212.47.244.38:443 | tcp | |
| N/A | 127.0.0.1:52174 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| BG | 82.118.242.103:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:52247 | tcp | |
| N/A | 127.0.0.1:52278 | tcp | |
| PL | 51.38.134.104:443 | tcp | |
| BG | 82.118.242.103:443 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:52331 | tcp | |
| N/A | 127.0.0.1:52359 | tcp | |
| US | 204.8.156.142:443 | tcp | |
| BG | 82.118.242.103:443 | tcp | |
| US | 8.8.8.8:53 | 142.156.8.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 139.144.220.112:443 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| N/A | 127.0.0.1:52429 | tcp | |
| DE | 193.23.244.244:443 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| US | 8.8.8.8:53 | 244.244.23.193.in-addr.arpa | udp |
| BG | 82.118.242.103:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:52498 | tcp | |
| N/A | 127.0.0.1:52525 | tcp | |
| NL | 185.246.152.22:443 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| BG | 82.118.242.103:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:52591 | tcp | |
| N/A | 127.0.0.1:52617 | tcp | |
| US | 50.7.74.170:443 | tcp | |
| DE | 82.165.76.126:443 | tcp | |
| BG | 82.118.242.103:443 | tcp |
Files
memory/952-0-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/952-1-0x00000000749A0000-0x00000000749D9000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
memory/2176-19-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/2176-33-0x0000000073BD0000-0x0000000073C19000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
| MD5 | 22ec9e4c1cdf6aca7b2997be93f46645 |
| SHA1 | df0a0e3373fc514518b70adfebc86c23c3f04bf8 |
| SHA256 | b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4 |
| SHA512 | d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94 |
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/2176-37-0x0000000073B00000-0x0000000073BC8000-memory.dmp
memory/2176-38-0x0000000073AD0000-0x0000000073AF4000-memory.dmp
memory/2176-39-0x0000000073A00000-0x0000000073ACE000-memory.dmp
memory/2176-40-0x0000000073970000-0x00000000739F8000-memory.dmp
memory/2176-41-0x0000000073860000-0x000000007396A000-memory.dmp
memory/2176-42-0x0000000073C20000-0x0000000073EEF000-memory.dmp
memory/952-43-0x0000000073530000-0x0000000073569000-memory.dmp
memory/2176-44-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/952-52-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/2176-53-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/2176-54-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/2176-62-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/2176-70-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/952-78-0x0000000074280000-0x00000000742B9000-memory.dmp
memory/2176-79-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
| MD5 | e0c532df4b63edb19c242ef478980308 |
| SHA1 | e62c4db641e976bac705db9d547d213ff2c49217 |
| SHA256 | 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7 |
| SHA512 | da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e |
memory/2176-95-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/2176-104-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/4036-120-0x0000000073B00000-0x0000000073BC8000-memory.dmp
memory/4036-127-0x0000000073AD0000-0x0000000073AF4000-memory.dmp
memory/4036-121-0x0000000073A00000-0x0000000073ACE000-memory.dmp
memory/4036-128-0x0000000073860000-0x000000007396A000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
| MD5 | b793ecdee06448caf21f204c556dac74 |
| SHA1 | 630c11bd79a14b178b89d30ce49e01ffa9eed9f3 |
| SHA256 | 645fe8cfee1d7f6ce044831d1798b41a005af5e01cc851075d06cd9a3f57a811 |
| SHA512 | 07ce2dddb35a85a83c93480c33b991c04dddaf1628be157704d24330fc10936665b8b776926ef555ceb101233f90cef4c8d2bdb1a0a6c05cd5ba0189c8cc6170 |
memory/4036-129-0x0000000073970000-0x00000000739F8000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 73a187e30c5c7977f2e23271edfba8fc |
| SHA1 | 3b10059a189852c8ad31f165b65f05f4f41aefe2 |
| SHA256 | e2d98bbb1e26adae2cf01b7bb68d49c4381bbdbc27b9ab10d0cbc7465afd6e50 |
| SHA512 | 844914a633f04e20db96fbe96166445730077d2172e5c3311b7758a3f34d725c62e04a79aa39775f41628bf83b4e7bd4acd20942c71a9e705fb886d7a85928a3 |
memory/4036-130-0x0000000073C20000-0x0000000073EEF000-memory.dmp
memory/4036-122-0x0000000073BD0000-0x0000000073C19000-memory.dmp
memory/4036-134-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/4036-136-0x0000000073B00000-0x0000000073BC8000-memory.dmp
memory/4036-137-0x0000000073A00000-0x0000000073ACE000-memory.dmp
memory/4036-145-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/952-154-0x0000000074040000-0x0000000074079000-memory.dmp
memory/4036-202-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | c710a901b99992abfc7399821a703aa0 |
| SHA1 | c2423182b4329384dfd43fe0cf741de276b10bec |
| SHA256 | 61e8546cfbf3e15ca792312f573e0be655618c0ae5c0beb0dbef1fadcf871c33 |
| SHA512 | 635a98216f5c84f4bff2436e741ff7942785129218d2d3399a12ea3e5c0b0b4ad106a1c0b6195f1961ad97d0b205b5fae637c613c64007c69f04e9c4a77ea6e2 |
memory/1148-207-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/1148-208-0x0000000073C20000-0x0000000073EEF000-memory.dmp
memory/1148-209-0x0000000073B00000-0x0000000073BC8000-memory.dmp
memory/1148-210-0x0000000073A00000-0x0000000073ACE000-memory.dmp
memory/1148-211-0x0000000073BD0000-0x0000000073C19000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 4bf6a93bfb7eb821a71b235049fa4107 |
| SHA1 | bed27a52460122600912cc37962abc4e1ebff05c |
| SHA256 | 9dbd4937105eacb352d7baf5a0f31ec0c00a93caf1f5f8d0681086301c4ba16f |
| SHA512 | 13893dff521b6c4869c9bb489c5f9dc46584c425790eee91e09673b5b4ccf349571c78a8a96c8095febe1b5659ab16afe8bcef0c552cac89d490b37ed9bddd9c |
memory/1148-214-0x0000000073860000-0x000000007396A000-memory.dmp
memory/1148-215-0x0000000073970000-0x00000000739F8000-memory.dmp
memory/1148-213-0x0000000073AD0000-0x0000000073AF4000-memory.dmp
memory/952-237-0x0000000074040000-0x0000000074079000-memory.dmp
memory/1148-238-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | fbf2bafd1085164712e68c1e8b95905c |
| SHA1 | 1d82dc608a9abbff978965956412ed2b6597dc7f |
| SHA256 | 42ecb9451de71ac9917e04824f0fea095991825a6a955571926d35e21c12f8c9 |
| SHA512 | 066643a7d07c876f0a7aaa87eb0f9471d6228939182051b01d9f1d8f555e7414dedacc9694a2f1182343e3ee9e58cb403cb61de99f4f2a3d6659c848d7abaeff |
memory/952-260-0x00000000749A0000-0x00000000749D9000-memory.dmp
memory/952-269-0x0000000073530000-0x0000000073569000-memory.dmp
memory/1148-282-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/2688-293-0x0000000073F80000-0x000000007424F000-memory.dmp
memory/2688-294-0x0000000073EB0000-0x0000000073F78000-memory.dmp
memory/2688-295-0x0000000073DE0000-0x0000000073EAE000-memory.dmp
memory/2688-298-0x0000000073CD0000-0x0000000073DDA000-memory.dmp
memory/2688-299-0x0000000073C40000-0x0000000073CC8000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 9842ca277bf863accebc0329083db9bc |
| SHA1 | 3ace8f437e5bd6b7216a9912a16fa899cce72606 |
| SHA256 | f9cb14d5f50652c78715be201ce9557979a50d89be110e8b8097bd88de0ef060 |
| SHA512 | 7464d8189956a8e6ea84d2a04267048478bc4740e68a39590228785955292a79d981c6fea4ebf6d1c11af2fdf2b77ff2d12c0493721189451ef076bb065cc3ad |
memory/2688-296-0x0000000074910000-0x0000000074959000-memory.dmp
memory/2688-297-0x0000000074A00000-0x0000000074A24000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs
| MD5 | fa21fd784c9682a94aeae03588be5b29 |
| SHA1 | 3686223649478603fb23b5053269dd1fc22143ca |
| SHA256 | c0f0fe8d6de6359172db57c083ce364cb83834609562e003cd5dec5dd9d38b92 |
| SHA512 | 2296fba30a4dac7c4df36650f44bbae00dd11c7aa5f21bfab64082e6d1009b448fbedc16da922c154b2232b745e1d5e5f981167dd84e0385cab345f221863855 |
memory/2688-325-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/952-326-0x0000000073950000-0x0000000073989000-memory.dmp
memory/2688-327-0x0000000073F80000-0x000000007424F000-memory.dmp
memory/2688-328-0x0000000073EB0000-0x0000000073F78000-memory.dmp
memory/2688-329-0x0000000073DE0000-0x0000000073EAE000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 0e8254adb790c60dea317d33f4505b55 |
| SHA1 | c753127692ea6d5052391747a870419eefe0379e |
| SHA256 | efdec03e301736775c35608dea8346cc70140c39067859eb5e1cb6a6fae8eb30 |
| SHA512 | 1509b4541c93e88e9cf6577c0e109954a4fbfdeb17c4dafa8bec48134acaf1f8270792144b6465c0dd9a9e8412104626a1cec7228595d8547a26aa704f9f6990 |
memory/952-344-0x0000000074280000-0x00000000742B9000-memory.dmp
memory/2372-394-0x0000000073EB0000-0x0000000073F78000-memory.dmp
memory/2372-396-0x0000000073DE0000-0x0000000073EAE000-memory.dmp
memory/2372-384-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/2372-398-0x0000000074910000-0x0000000074959000-memory.dmp
memory/2372-403-0x0000000073CD0000-0x0000000073DDA000-memory.dmp
memory/2372-404-0x0000000073C40000-0x0000000073CC8000-memory.dmp
memory/2688-400-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/2372-407-0x0000000073F80000-0x000000007424F000-memory.dmp
memory/2372-399-0x0000000074A00000-0x0000000074A24000-memory.dmp
memory/2372-414-0x0000000074A00000-0x0000000074A24000-memory.dmp
memory/2372-413-0x0000000074910000-0x0000000074959000-memory.dmp
memory/2372-415-0x0000000000BC0000-0x0000000000FC4000-memory.dmp
memory/2372-416-0x0000000073EB0000-0x0000000073F78000-memory.dmp
memory/2372-417-0x0000000073DE0000-0x0000000073EAE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:56
Platform
win7-20240220-en
Max time kernel
599s
Max time network
601s
Command Line
Signatures
BitRAT
BitRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49225 | tcp | |
| US | 199.249.230.64:443 | tcp | |
| CZ | 195.123.245.141:443 | tcp | |
| US | 204.8.156.142:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| DE | 37.221.192.121:443 | tcp | |
| US | 135.148.52.158:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49317 | tcp | |
| DK | 185.96.180.29:443 | tcp | |
| DE | 88.198.35.49:443 | tcp | |
| AU | 170.64.216.180:443 | tcp | |
| N/A | 127.0.0.1:49348 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49417 | tcp | |
| FR | 163.172.157.213:443 | tcp | |
| FR | 163.172.182.26:443 | tcp | |
| US | 135.148.52.231:443 | tcp | |
| N/A | 127.0.0.1:49458 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49506 | tcp | |
| N/A | 127.0.0.1:49540 | tcp | |
| FR | 62.210.254.132:443 | tcp | |
| ES | 82.223.114.35:443 | tcp | |
| NL | 5.2.70.140:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 135.148.52.158:443 | tcp | |
| N/A | 127.0.0.1:49599 | tcp | |
| N/A | 127.0.0.1:49631 | tcp | |
| FR | 92.222.38.67:443 | tcp | |
| FR | 163.172.182.26:443 | tcp | |
| US | 15.204.142.37:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49685 | tcp | |
| N/A | 127.0.0.1:49719 | tcp | |
| DE | 5.45.111.149:443 | tcp | |
| ES | 82.223.114.35:443 | tcp | |
| NL | 5.2.70.140:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49777 | tcp | |
| PL | 51.38.134.104:443 | tcp | |
| US | 135.148.52.231:443 | tcp | |
| DE | 37.221.192.121:443 | tcp | |
| N/A | 127.0.0.1:49809 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49865 | tcp | |
| N/A | 127.0.0.1:49897 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| DE | 87.118.88.94:443 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49952 | tcp | |
| N/A | 127.0.0.1:49984 | tcp | |
| NL | 77.247.181.166:443 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 198.24.168.226:443 | tcp | |
| N/A | 127.0.0.1:50038 | tcp | |
| N/A | 127.0.0.1:50071 | tcp | |
| DE | 31.185.104.21:443 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| US | 135.148.52.231:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50144 | tcp | |
| SE | 171.25.193.25:443 | tcp | |
| N/A | 127.0.0.1:50175 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| US | 135.148.52.231:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:50228 | tcp | |
| DE | 31.185.104.21:443 | tcp | |
| N/A | 127.0.0.1:50262 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| US | 135.148.52.231:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50323 | tcp | |
| US | 199.184.246.250:443 | tcp | |
| US | 135.148.52.231:443 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:50385 | tcp | |
| N/A | 127.0.0.1:50418 | tcp | |
| DE | 81.7.16.182:443 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| US | 135.148.52.231:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 162.251.116.34:443 | tcp | |
| N/A | 127.0.0.1:50477 | tcp | |
| N/A | 127.0.0.1:50512 | tcp | |
| FR | 193.70.112.165:443 | tcp | |
| US | 135.148.52.231:443 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp |
Files
memory/2928-0-0x0000000000400000-0x0000000000FBD000-memory.dmp
\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
memory/2928-17-0x00000000046D0000-0x0000000004AD4000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/2868-33-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/2868-35-0x0000000073F90000-0x0000000074058000-memory.dmp
memory/2868-34-0x00000000745C0000-0x0000000074609000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
| MD5 | 22ec9e4c1cdf6aca7b2997be93f46645 |
| SHA1 | df0a0e3373fc514518b70adfebc86c23c3f04bf8 |
| SHA256 | b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4 |
| SHA512 | d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94 |
memory/2868-42-0x0000000074660000-0x0000000074684000-memory.dmp
memory/2868-41-0x0000000073DB0000-0x0000000073E7E000-memory.dmp
memory/2868-40-0x0000000074530000-0x00000000745B8000-memory.dmp
memory/2868-37-0x0000000073E80000-0x0000000073F8A000-memory.dmp
memory/2928-43-0x00000000046D0000-0x0000000004AD4000-memory.dmp
memory/2868-44-0x0000000074060000-0x000000007432F000-memory.dmp
memory/2868-47-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/2868-50-0x0000000073F90000-0x0000000074058000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
| MD5 | e0c532df4b63edb19c242ef478980308 |
| SHA1 | e62c4db641e976bac705db9d547d213ff2c49217 |
| SHA256 | 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7 |
| SHA512 | da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e |
memory/2928-61-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/2928-62-0x00000000046D0000-0x0000000004AD4000-memory.dmp
memory/2868-63-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/2868-64-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/2928-72-0x00000000046D0000-0x0000000004AD4000-memory.dmp
memory/2868-73-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/2868-81-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/2868-93-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/1248-112-0x00000000745C0000-0x0000000074609000-memory.dmp
memory/1248-111-0x0000000074060000-0x000000007432F000-memory.dmp
memory/1248-113-0x0000000073F90000-0x0000000074058000-memory.dmp
memory/1248-118-0x0000000073E80000-0x0000000073F8A000-memory.dmp
memory/1248-122-0x0000000073DB0000-0x0000000073E7E000-memory.dmp
memory/1248-123-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/1248-124-0x0000000074660000-0x0000000074684000-memory.dmp
memory/1248-120-0x0000000074530000-0x00000000745B8000-memory.dmp
memory/1248-127-0x0000000073F90000-0x0000000074058000-memory.dmp
memory/1248-130-0x0000000073DB0000-0x0000000073E7E000-memory.dmp
memory/1248-129-0x0000000074530000-0x00000000745B8000-memory.dmp
memory/1248-128-0x0000000073E80000-0x0000000073F8A000-memory.dmp
memory/1248-125-0x0000000074060000-0x000000007432F000-memory.dmp
memory/1248-126-0x00000000745C0000-0x0000000074609000-memory.dmp
memory/2928-101-0x00000000050D0000-0x00000000054D4000-memory.dmp
memory/1924-148-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/1924-149-0x0000000074570000-0x00000000745B9000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 1d3e10ebfd6be7884c3f6bcee32696b3 |
| SHA1 | bce5d6f2dbc0c9b2474a357757d18617d4ad5ac3 |
| SHA256 | 9721b2db6d5d126c4636a4d4951655ccaaa13daa3b2d080a1e1a0e0ff80de49c |
| SHA512 | ed359c06afbe4e78abac6a0c8a6122307c106b05d968e98bb8af70a27eccc8a05a7f56bde6da71d25a35544ad5176db08c9a57e939e3f92af412ecd1d3d3d427 |
memory/1924-156-0x00000000740C0000-0x0000000074148000-memory.dmp
memory/1924-157-0x0000000073C00000-0x0000000073CCE000-memory.dmp
memory/1924-158-0x00000000745E0000-0x0000000074604000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
| MD5 | b4b072a31675b9dd798d49ddf433508e |
| SHA1 | 77625a8ea0fde29739950ce8e3eb0d532ca53a45 |
| SHA256 | 4c76f0d9f4150eb6226ee0f2dbaf17ceada6e954eb46d298bf52438045505fd8 |
| SHA512 | 65e9931faca893e36cacb8dd7bb3ad7d8c3bf4e896822c7a47ec43273e13686c64d5c3fa7b54c7ed88ce45bef52e2cccbbf8ab9c17d49c4f18cc562b3facc0d6 |
memory/1924-159-0x0000000073D90000-0x000000007405F000-memory.dmp
memory/1924-153-0x0000000074150000-0x000000007425A000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 462e670fdefc532075e1d5e712e6feaa |
| SHA1 | e20408e76f42ce5eec774024af3500c0f06f9dfb |
| SHA256 | 1bf62eb8003b99c2f826ef6329eb3be127375f7580d8b917842a64fea136f3e8 |
| SHA512 | 37a45375ed0a2c391b371468b85acec734e45d47ca0522df01f428e1d54752ad57ee7dd4241034612975ef90306ee5f2d838d490fbe3a7134171ecfb09c9c46d |
memory/1924-150-0x0000000074260000-0x0000000074328000-memory.dmp
memory/1924-167-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/1924-170-0x0000000074260000-0x0000000074328000-memory.dmp
memory/2928-175-0x00000000050D0000-0x00000000054D4000-memory.dmp
memory/1924-176-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/1924-184-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/888-211-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/888-218-0x0000000074260000-0x0000000074328000-memory.dmp
memory/888-220-0x0000000074150000-0x000000007425A000-memory.dmp
memory/888-224-0x00000000745E0000-0x0000000074604000-memory.dmp
memory/888-223-0x0000000073C00000-0x0000000073CCE000-memory.dmp
memory/888-222-0x00000000740C0000-0x0000000074148000-memory.dmp
memory/888-232-0x0000000000B50000-0x0000000000F54000-memory.dmp
memory/888-216-0x0000000074570000-0x00000000745B9000-memory.dmp
memory/888-215-0x0000000073D90000-0x000000007405F000-memory.dmp
memory/2928-209-0x00000000050D0000-0x00000000054D4000-memory.dmp
memory/884-250-0x0000000000EE0000-0x00000000012E4000-memory.dmp
memory/884-251-0x0000000074060000-0x000000007432F000-memory.dmp
memory/884-252-0x00000000745C0000-0x0000000074609000-memory.dmp
memory/884-253-0x0000000073E80000-0x0000000073F8A000-memory.dmp
memory/884-254-0x0000000074530000-0x00000000745B8000-memory.dmp
memory/884-255-0x0000000073DB0000-0x0000000073E7E000-memory.dmp
memory/884-256-0x0000000074660000-0x0000000074684000-memory.dmp
memory/884-257-0x0000000073F90000-0x0000000074058000-memory.dmp
memory/2928-268-0x00000000050D0000-0x00000000054D4000-memory.dmp
memory/884-278-0x0000000074060000-0x000000007432F000-memory.dmp
memory/884-277-0x0000000000EE0000-0x00000000012E4000-memory.dmp
memory/2928-294-0x00000000050D0000-0x00000000054D4000-memory.dmp
memory/2384-295-0x0000000000EE0000-0x00000000012E4000-memory.dmp
memory/2384-297-0x0000000074060000-0x000000007432F000-memory.dmp
memory/2384-300-0x00000000745C0000-0x0000000074609000-memory.dmp
memory/2384-303-0x0000000073F90000-0x0000000074058000-memory.dmp
memory/2384-306-0x0000000073E80000-0x0000000073F8A000-memory.dmp
memory/2384-309-0x0000000074530000-0x00000000745B8000-memory.dmp
memory/2384-312-0x0000000073DB0000-0x0000000073E7E000-memory.dmp
memory/2384-314-0x0000000074660000-0x0000000074684000-memory.dmp
memory/2384-317-0x0000000000EE0000-0x00000000012E4000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | e7395a33665e96ad7f5604d7ab204912 |
| SHA1 | 8d06616feb602cb112b9093ab8ca9ceea4174117 |
| SHA256 | 39da6a68c7b6a27c6d48869626ba05048ced8cb004d0e166ef195189781f43f9 |
| SHA512 | bde165ed6202a8a5506babc2e8456991151c6e15fec478f68a3cc1ae8c605c15ded83abba57a7a2655a3ac4d1d787bd4b503e3be11a71a9eefc68aff2fe69f79 |
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 61f62aa276a505f6f78b28c4078f15e8 |
| SHA1 | 7a41171db24171889fffa1bbb07a29d48bdeb0da |
| SHA256 | d9d3abc6ab816dde1bcedeabe500fbdd8eb68077c54c8f5fe8a3ddd18068f71f |
| SHA512 | eb7f0e5b07143289c938bbb6f1a8ff15d053f397b785634cf92ae24543b1b96db9d260143c80e970d2e0b4d9eb4b0b538f541db54c18585057099190043b17da |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:56
Platform
win10-20240404-en
Max time kernel
599s
Max time network
603s
Command Line
Signatures
BitRAT
BitRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49792 | tcp | |
| FR | 163.172.176.167:443 | tcp | |
| US | 199.249.230.83:443 | tcp | |
| DE | 81.7.3.67:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| FR | 178.33.183.251:443 | tcp | |
| CA | 199.58.81.140:443 | tcp | |
| US | 8.8.8.8:53 | 140.81.58.199.in-addr.arpa | udp |
| DE | 85.215.68.72:443 | tcp | |
| NL | 51.15.76.56:443 | tcp | |
| US | 8.8.8.8:53 | 72.68.215.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.76.15.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49891 | tcp | |
| US | 172.241.140.249:443 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| N/A | 127.0.0.1:49928 | tcp | |
| US | 8.8.8.8:53 | 74.15.131.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.140.241.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49992 | tcp | |
| RO | 185.100.84.212:443 | tcp | |
| ES | 217.160.114.209:443 | tcp | |
| DE | 88.198.35.49:443 | tcp | |
| N/A | 127.0.0.1:50028 | tcp | |
| US | 8.8.8.8:53 | 49.35.198.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.114.160.217.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:50105 | tcp | |
| N/A | 127.0.0.1:50133 | tcp | |
| US | 23.141.40.7:443 | tcp | |
| NL | 51.15.76.56:443 | tcp | |
| DE | 129.13.131.140:443 | tcp | |
| US | 8.8.8.8:53 | 7.40.141.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.131.13.129.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:50206 | tcp | |
| DK | 185.96.88.29:443 | tcp | |
| LU | 104.244.79.122:443 | tcp | |
| DE | 85.214.200.184:443 | tcp | |
| N/A | 127.0.0.1:50233 | tcp | |
| US | 8.8.8.8:53 | 184.200.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.79.244.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:50306 | tcp | |
| N/A | 127.0.0.1:50331 | tcp | |
| FR | 212.47.244.38:443 | tcp | |
| DE | 178.254.29.190:443 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| US | 8.8.8.8:53 | 190.29.254.178.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| DE | 178.254.29.190:443 | tcp | |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:50419 | tcp | |
| DE | 185.94.29.93:443 | tcp | |
| N/A | 127.0.0.1:50446 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| US | 8.8.8.8:53 | 93.29.94.185.in-addr.arpa | udp |
| DE | 178.254.29.190:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50507 | tcp | |
| N/A | 127.0.0.1:50531 | tcp | |
| FR | 212.47.244.38:443 | tcp | |
| DE | 178.254.29.190:443 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50592 | tcp | |
| GR | 185.4.132.148:443 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| US | 8.8.8.8:53 | 148.132.4.185.in-addr.arpa | udp |
| DE | 178.254.29.190:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50645 | tcp | |
| N/A | 127.0.0.1:50671 | tcp | |
| GR | 185.4.132.148:443 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| DE | 178.254.29.190:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| FR | 212.47.244.38:443 | tcp | |
| N/A | 127.0.0.1:50721 | tcp | |
| N/A | 127.0.0.1:50748 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| DE | 178.254.29.190:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50801 | tcp | |
| N/A | 127.0.0.1:50828 | tcp | |
| SE | 85.230.178.139:443 | tcp | |
| DE | 178.254.29.190:443 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50882 | tcp | |
| CZ | 37.157.195.87:443 | tcp | |
| N/A | 127.0.0.1:50911 | tcp | |
| EE | 94.131.15.74:443 | tcp | |
| DE | 178.254.29.190:443 | tcp |
Files
memory/4192-0-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/4192-1-0x00000000741D0000-0x000000007420A000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
memory/3548-32-0x00000000737F0000-0x00000000738B8000-memory.dmp
\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/3548-27-0x0000000000CF0000-0x00000000010F4000-memory.dmp
\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/3548-33-0x00000000737A0000-0x00000000737E9000-memory.dmp
memory/3548-39-0x0000000001940000-0x00000000019C8000-memory.dmp
memory/3548-42-0x00000000735C0000-0x00000000736CA000-memory.dmp
memory/3548-43-0x0000000073590000-0x00000000735B4000-memory.dmp
memory/3548-41-0x00000000732C0000-0x000000007358F000-memory.dmp
memory/3548-40-0x0000000001940000-0x0000000001C0F000-memory.dmp
memory/3548-38-0x0000000073230000-0x00000000732B8000-memory.dmp
memory/3548-37-0x00000000736D0000-0x000000007379E000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
| MD5 | 22ec9e4c1cdf6aca7b2997be93f46645 |
| SHA1 | df0a0e3373fc514518b70adfebc86c23c3f04bf8 |
| SHA256 | b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4 |
| SHA512 | d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94 |
memory/4192-44-0x0000000072F60000-0x0000000072F9A000-memory.dmp
memory/3548-45-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/3548-46-0x00000000737F0000-0x00000000738B8000-memory.dmp
memory/3548-48-0x00000000736D0000-0x000000007379E000-memory.dmp
memory/4192-53-0x0000000000400000-0x0000000000FBD000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
| MD5 | e0c532df4b63edb19c242ef478980308 |
| SHA1 | e62c4db641e976bac705db9d547d213ff2c49217 |
| SHA256 | 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7 |
| SHA512 | da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e |
memory/3548-62-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/3548-63-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/3548-71-0x0000000001940000-0x00000000019C8000-memory.dmp
memory/3548-72-0x0000000001940000-0x0000000001C0F000-memory.dmp
memory/3548-73-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/3548-81-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/4192-92-0x0000000073AD0000-0x0000000073B0A000-memory.dmp
memory/3548-93-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/3548-101-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/3548-110-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/4000-127-0x00000000737F0000-0x00000000738B8000-memory.dmp
memory/4000-130-0x00000000736D0000-0x000000007379E000-memory.dmp
memory/4000-132-0x00000000737A0000-0x00000000737E9000-memory.dmp
memory/4000-135-0x0000000073590000-0x00000000735B4000-memory.dmp
memory/4000-133-0x00000000732C0000-0x000000007358F000-memory.dmp
memory/4000-136-0x00000000737F0000-0x00000000738B8000-memory.dmp
memory/4000-137-0x00000000735C0000-0x00000000736CA000-memory.dmp
memory/3548-134-0x0000000001940000-0x00000000019C8000-memory.dmp
memory/4000-139-0x0000000073230000-0x00000000732B8000-memory.dmp
memory/4000-129-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/4000-126-0x00000000732C0000-0x000000007358F000-memory.dmp
memory/4000-124-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/1296-155-0x0000000073920000-0x00000000739E8000-memory.dmp
memory/1296-156-0x00000000741C0000-0x0000000074209000-memory.dmp
memory/1296-163-0x00000000736B0000-0x0000000073738000-memory.dmp
memory/1296-164-0x00000000739F0000-0x0000000073CBF000-memory.dmp
memory/1296-165-0x0000000073850000-0x000000007391E000-memory.dmp
memory/1296-162-0x0000000073740000-0x000000007384A000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
| MD5 | ba7209133c48200828c4976cab4aed6a |
| SHA1 | 8697a3ff19d245aa5c2ac058066b5096aadb7108 |
| SHA256 | 987cc55317ece75159035c07f7cccdd7506ffdaa3d2a970800db32d867c98726 |
| SHA512 | 71ee0ca7439638788f5a06250535c4c99783e2aa50ffc2fb849830f8044e8a2ae0920277a39e9998ea973c446fd76bbe5c7bf498a49c47e0d49d1ba085469257 |
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 719de8f74162f2a549c117b58759631d |
| SHA1 | e6ca88d3db263cd200f7e6954975252c215abf16 |
| SHA256 | e66585e3bd795b20424d3c092d0af9d2fd306622b1b9268a3278661b2294d0b0 |
| SHA512 | e345c66f666e56b9842b0c2851f41559305f391dce8912c6cb94b51a10b54588cb3e75be4754500be8f02db8cfce7e5bee353b181d156d28665dc8ea5a4ddd92 |
memory/1296-157-0x0000000074190000-0x00000000741B4000-memory.dmp
memory/4192-177-0x0000000073410000-0x000000007344A000-memory.dmp
memory/1296-178-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/1296-179-0x0000000073920000-0x00000000739E8000-memory.dmp
memory/4724-210-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/4724-212-0x00000000739F0000-0x0000000073CBF000-memory.dmp
memory/4724-214-0x0000000073920000-0x00000000739E8000-memory.dmp
memory/4724-217-0x0000000073850000-0x000000007391E000-memory.dmp
memory/4724-219-0x00000000741C0000-0x0000000074209000-memory.dmp
memory/1296-222-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/4724-224-0x0000000073740000-0x000000007384A000-memory.dmp
memory/4724-221-0x0000000074190000-0x00000000741B4000-memory.dmp
memory/4724-226-0x00000000736B0000-0x0000000073738000-memory.dmp
memory/4724-232-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/4724-234-0x0000000073920000-0x00000000739E8000-memory.dmp
memory/4724-235-0x0000000073850000-0x000000007391E000-memory.dmp
memory/4724-233-0x00000000739F0000-0x0000000073CBF000-memory.dmp
memory/2680-248-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/2680-249-0x00000000739F0000-0x0000000073CBF000-memory.dmp
memory/2680-252-0x0000000073920000-0x00000000739E8000-memory.dmp
memory/2680-254-0x0000000073810000-0x000000007391A000-memory.dmp
memory/2680-255-0x0000000074190000-0x00000000741B4000-memory.dmp
memory/2680-253-0x00000000741C0000-0x0000000074209000-memory.dmp
memory/2680-257-0x0000000001180000-0x0000000001208000-memory.dmp
memory/2680-256-0x0000000073780000-0x0000000073808000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | cb9cd726fd67806324161138c8b876ec |
| SHA1 | 3628a0c91feef02f69cfa2a9609f47dc591d3d9b |
| SHA256 | 5a3c06d2dcc2f39cf1228734c3302e2a18073a7671ce555ee9ceccb7b935630a |
| SHA512 | 824c5c3b7858d4cf818f98c1c4a2cd92deb34b45648d66767f91578ec37e424f3a4aa3b3a6d9a52a546169ac64364e7465d734b02bdd484ac0e40c0fceb41033 |
memory/2680-258-0x00000000736B0000-0x000000007377E000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | d1a71ddd706c229dc21cb70d32c95f55 |
| SHA1 | 94958f0af3173b32ee0fb0bedd8087ff574d40e2 |
| SHA256 | 9c3b0eb3ee72cd02699c45764a74c9b35200ab4ae72f3a0e104dca9d8da58e12 |
| SHA512 | 5b055c9008d7b25772f52cb11ec57e0e53ff640f03a4656790c210b265702cb9c33cb04a67b8003ac092416a84ede0e6f2e4cf0058e11e16fdd83e29d12a9808 |
memory/4192-273-0x0000000073410000-0x000000007344A000-memory.dmp
memory/2680-282-0x0000000000CF0000-0x00000000010F4000-memory.dmp
memory/2680-283-0x00000000739F0000-0x0000000073CBF000-memory.dmp
memory/2680-284-0x0000000001180000-0x0000000001208000-memory.dmp
memory/1348-315-0x0000000000CF0000-0x00000000010F4000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 042619f5e932ec6e3d17624c449b007b |
| SHA1 | a35f7b9f9aa767a67837a9015397a99573788d98 |
| SHA256 | 7e65c5fe8c7ce1877b248811df2426fecb99ba2c48ef02c77cfb8b1de3301f35 |
| SHA512 | 34608e2a66c5d72feea69211ba34af018b63b6598d6278d1dd6752b3e524672eccb322b3aefed0abc2fb37a061f6b1c0697db122c7d966a970475ebcdd3da582 |
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 389da97e2c888561700a94c1502b45dc |
| SHA1 | 43400a5100c705f24989de27e807e2a067a7ab21 |
| SHA256 | 2f8ebdd71fcbb178ee092977eca2b74ae2d3fae51d3e231bb966fb10565c8b40 |
| SHA512 | 0e0fd10c674a02c1215aa9b4c69afd02c019f93eebd05245fbbb6b178b205c1b36f5a04d8073b2c9ec4deb1e9bc68f7c0207752c275d8e84651cf5ebfdf8685b |