Malware Analysis Report

2024-09-22 21:58

Sample ID 240426-hh1q7sba5z
Target 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
SHA256 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
Tags
bitrat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2

Threat Level: Known bad

The file 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT payload

BitRAT

Bitrat family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Uses Tor communications

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-26 06:45

Signatures

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Bitrat family

bitrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:56

Platform

win10v2004-20240412-en

Max time kernel

595s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
(7 identical rows; the sandbox recorded no per-hit details)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
(64 identical rows: every recorded DLL load is attributed to the dropped dllhost.exe)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; the sandbox recorded no per-hit details)

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
(8 identical rows: the service queried each time is myexternalip.com)

Uses Tor communications

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
(18 identical rows; every call originates from the submitted sample)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 432 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 3212 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 1288 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 3124 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 2440 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 4588 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 800 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 2140 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 1564 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 3856 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 5072 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 1876 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 4412 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 4196 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 2304 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 2596 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 4576 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 4308 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 4384 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4812 wrote to memory of 3876 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
(60 events in total: the sample, PID 4812, wrote three times into each of its 20 dllhost.exe child processes)

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

(20 instances of dllhost.exe, all launched with this same command line, one per child PID recorded under Suspicious use of WriteProcessMemory)
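The process list is the part of this report that converts most directly into a detection. A binary named dllhost.exe is running from an eight-hex-character directory under %LOCALAPPDATA% and is started with tor's "-f torrc" switch; Windows' own dllhost.exe lives only in System32 or SysWOW64 and is launched as a COM surrogate with a /Processid:{CLSID} argument, never with a tor config file. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It runs those three checks over constructed process-creation events copied from the list above plus one benign launch (with a placeholder CLSID) for contrast; the heuristic names and the ATT&CK reference are the editor's.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events (image path, command line). The first two
# are copied from the Processes list of the report; the third is a benign COM
# surrogate launch with a placeholder CLSID, included for contrast.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"'),
    (r"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe",
     r'"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc'),
    (r"C:\Windows\System32\dllhost.exe",
     r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"),
]

# Legitimate copies of these binaries live only under the system directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MASQUERADE_NAMES = {"dllhost.exe", "svchost.exe", "conhost.exe", "rundll32.exe"}
# tor's config-file switch; the dropped copy is run as "dllhost.exe -f torrc".
TOR_CMDLINE = re.compile(r"(?:^|\s)-f\s+\S*torrc\b", re.IGNORECASE)
# Eight-hex-character directory directly under %LOCALAPPDATA% (8123e463 above).
RANDOM_LOCALAPPDATA_DIR = re.compile(r"\\appdata\\local\\[0-9a-f]{8}\\", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    cmdline: str
    reasons: list = field(default_factory=list)


def inspect_process(image, cmdline):
    """Return a Finding listing every heuristic the event trips, or None."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name in MASQUERADE_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} running outside System32/SysWOW64 (ATT&CK T1036.005)")
    if TOR_CMDLINE.search(cmdline):
        reasons.append("tor client syntax on the command line (-f torrc)")
    if RANDOM_LOCALAPPDATA_DIR.search(low):
        reasons.append("8-hex-character directory directly under %LOCALAPPDATA%")
    return Finding(image, cmdline, reasons) if reasons else None


def scan(events):
    """Run inspect_process over (image, cmdline) pairs and keep the hits."""
    return [f for f in (inspect_process(img, cmd) for img, cmd in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("  -", reason)
```

Note that the submitted sample itself trips none of the three checks: its name is a hash and it runs from Temp, so this rule catches the Tor stage, not the initial dropper. Pair it with the DLL-load and WriteProcessMemory telemetry above when building the full rule.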

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 172.98.193.43:443 tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
FR 86.105.212.130:443 tcp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
N/A 127.0.0.1:54900 tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
FR 193.70.112.165:443 tcp
US 8.8.8.8:53 165.112.70.193.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 37.27.67.176:443 tcp
DE 89.163.164.202:443 tcp
US 8.8.8.8:53 202.164.163.89.in-addr.arpa udp
US 8.8.8.8:53 176.67.27.37.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 153.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:55057 tcp
US 128.31.0.13:443 tcp
FI 37.27.67.176:443 tcp
MD 185.250.148.190:443 tcp
US 8.8.8.8:53 190.148.250.185.in-addr.arpa udp
N/A 127.0.0.1:55093 tcp
US 8.8.8.8:53 13.0.31.128.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:55170 tcp
DE 62.141.38.69:443 tcp
FI 37.27.67.176:443 tcp
US 135.148.53.55:443 tcp
N/A 127.0.0.1:55204 tcp
US 8.8.8.8:53 55.53.148.135.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
NL 77.247.181.162:443 tcp
US 135.148.53.55:443 tcp
N/A 127.0.0.1:55289 tcp
FI 37.27.67.176:443 tcp
N/A 127.0.0.1:45808 tcp
BG 94.156.175.120:443 tcp
US 8.8.8.8:53 120.175.156.94.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:55371 tcp
CZ 31.31.78.49:443 tcp
N/A 127.0.0.1:55400 tcp
US 135.148.53.55:443 tcp
FI 37.27.67.176:443 tcp
US 8.8.8.8:53 49.78.31.31.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:55474 tcp
N/A 127.0.0.1:55497 tcp
FR 93.118.34.246:443 tcp
US 135.148.53.55:443 tcp
US 8.8.8.8:53 246.34.118.93.in-addr.arpa udp
FI 37.27.67.176:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:55553 tcp
FR 37.187.102.108:443 tcp
N/A 127.0.0.1:55580 tcp
US 135.148.53.55:443 tcp
FI 37.27.67.176:443 tcp
N/A 127.0.0.1:45808 tcp
BG 94.156.175.120:443 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:55639 tcp
N/A 127.0.0.1:55662 tcp
DE 81.7.13.84:443 tcp
US 135.148.53.55:443 tcp
FI 37.27.67.176:443 tcp
N/A 127.0.0.1:45808 tcp
BG 94.156.175.120:443 tcp
US 34.117.118.44:443 myexternalip.com tcp
US 199.184.246.250:443 tcp
N/A 127.0.0.1:55731 tcp
FI 37.27.67.176:443 tcp
US 135.148.53.55:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:55796 tcp
DE 37.120.174.249:443 tcp
N/A 127.0.0.1:55818 tcp
FI 37.27.67.176:443 tcp
US 8.8.8.8:53 249.174.120.37.in-addr.arpa udp
BG 94.156.175.120:443 tcp
N/A 127.0.0.1:45808 tcp
US 135.148.53.55:443 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:55873 tcp
N/A 127.0.0.1:55900 tcp
AT 37.252.187.111:443 tcp
FI 37.27.67.176:443 tcp
US 135.148.53.55:443 tcp
N/A 127.0.0.1:45808 tcp
BG 94.156.175.120:443 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:55963 tcp
RO 185.225.17.3:443 tcp
US 135.148.53.55:443 tcp
FI 37.27.67.176:443 tcp
N/A 127.0.0.1:45808 tcp
BG 94.156.175.120:443 tcp
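Read as a whole, the Network table carries the fingerprint of a Tor client rather than of a conventional C2 beacon: TLS on port 443 to many unrelated addresses that were never resolved by name (only www.bing.com, tse1.mm.bing.net and myexternalip.com appear with a domain), a few of those hosts contacted again and again (37.27.67.176, 135.148.53.55, 94.156.175.120), and a stream of connections to 127.0.0.1 in which one port, 45808, recurs while the others are one-offs, which is consistent with a local SOCKS proxy carrying the RAT's traffic. The repeated myexternalip.com hits match the "Looks up external IP address via web service" signature. The Python below is an added example, not part of the report; it derives those indicators from a constructed subset of rows copied from the table. The threshold for "recurring" (three or more connections) is the editor's choice.

```python
from collections import Counter

# Constructed input: a subset of rows copied verbatim from the Network table
# above. Format: country, destination ip:port, optional domain, protocol.
SAMPLE_ROWS = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 172.98.193.43:443 tcp
FR 86.105.212.130:443 tcp
NL 23.62.61.194:443 www.bing.com tcp
N/A 127.0.0.1:54900 tcp
FR 193.70.112.165:443 tcp
US 8.8.8.8:53 165.112.70.193.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
FI 37.27.67.176:443 tcp
DE 89.163.164.202:443 tcp
US 8.8.8.8:53 202.164.163.89.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 128.31.0.13:443 tcp
FI 37.27.67.176:443 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:55371 tcp
US 135.148.53.55:443 tcp
FI 37.27.67.176:443 tcp
N/A 127.0.0.1:45808 tcp
BG 94.156.175.120:443 tcp
US 34.117.118.44:443 myexternalip.com tcp
"""

# Web services whose only purpose is to tell the caller its public IP.
EXTERNAL_IP_SERVICES = {"myexternalip.com"}
RECURRING_THRESHOLD = 3  # editor's choice, not a value from the report


def parse_row(line):
    """Split one table row into a dict; the domain column is optional."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_target(name):
    """'165.112.70.193.in-addr.arpa' -> '193.70.112.165'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def summarize(rows):
    """Derive the Tor-style indicators from parsed rows."""
    tls_without_dns = Counter()  # TLS peers contacted by bare IP
    loopback = Counter()         # ports on 127.0.0.1
    ptr_lookups = set()          # IPs the host reverse-resolved
    ext_ip_checks = 0
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            target = ptr_target(r["domain"])
            if target:
                ptr_lookups.add(target)
            continue
        if r["ip"].startswith("127."):
            loopback[r["port"]] += 1
            continue
        if r["proto"] == "tcp" and r["port"] == 443:
            if r["domain"] is None:
                tls_without_dns[r["ip"]] += 1
            elif r["domain"] in EXTERNAL_IP_SERVICES:
                ext_ip_checks += 1
    return {
        "tls_without_dns": dict(tls_without_dns),
        "recurring_peers": sorted(ip for ip, n in tls_without_dns.items() if n >= RECURRING_THRESHOLD),
        "ptr_for_tls_peer": sorted(ptr_lookups & set(tls_without_dns)),
        "loopback_ports": dict(loopback),
        "fixed_loopback_port": loopback.most_common(1)[0][0] if loopback else None,
        "external_ip_checks": ext_ip_checks,
    }


def analyse(text):
    return summarize(parse_row(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The same function applied to the full table gives the picture an analyst wants from this section in one glance: how many distinct bare-IP TLS peers there are, which of them the client keeps returning to, and which localhost port the proxy listens on.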

Files

memory/4812-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/4812-1-0x0000000075110000-0x0000000075149000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/432-20-0x0000000000210000-0x0000000000614000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

memory/432-35-0x00000000741F0000-0x00000000742BE000-memory.dmp

memory/432-34-0x00000000742C0000-0x0000000074388000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/432-39-0x00000000741A0000-0x00000000741E9000-memory.dmp

memory/432-40-0x0000000074090000-0x000000007419A000-memory.dmp

memory/432-41-0x0000000074060000-0x0000000074084000-memory.dmp

memory/432-43-0x0000000001560000-0x00000000015E8000-memory.dmp

memory/432-42-0x0000000073FD0000-0x0000000074058000-memory.dmp

memory/432-44-0x0000000074390000-0x000000007465F000-memory.dmp

memory/4812-45-0x0000000073BC0000-0x0000000073BF9000-memory.dmp

memory/432-46-0x0000000000210000-0x0000000000614000-memory.dmp

memory/432-47-0x00000000742C0000-0x0000000074388000-memory.dmp

memory/432-49-0x00000000741F0000-0x00000000742BE000-memory.dmp

memory/4812-54-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/432-55-0x0000000000210000-0x0000000000614000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/432-64-0x0000000000210000-0x0000000000614000-memory.dmp

memory/432-72-0x0000000001560000-0x00000000015E8000-memory.dmp

memory/432-73-0x0000000000210000-0x0000000000614000-memory.dmp

memory/432-81-0x0000000000210000-0x0000000000614000-memory.dmp

memory/4812-90-0x0000000075130000-0x0000000075169000-memory.dmp

memory/432-91-0x0000000000210000-0x0000000000614000-memory.dmp

memory/432-102-0x0000000000210000-0x0000000000614000-memory.dmp

memory/432-110-0x0000000000210000-0x0000000000614000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 fa0c55d44672e60bb75938e14b14fb1e
SHA1 4fda728eae4d894c4ba386c1eafd6d41a3aea700
SHA256 5bfc40e29452e93c9a9a32d62f9001bba610bfc4a6635ec7dce700cf374158a1
SHA512 e50993f37830b83d9984a9446b06e94af91b11c6977ece1c08e7434f60dae37c6b0320be745fa37bcb678e6fb713e09427c4ab35759a4cccbef38eb319c46ef6

memory/432-124-0x0000000000210000-0x0000000000614000-memory.dmp

memory/3212-149-0x0000000000210000-0x0000000000614000-memory.dmp

memory/3212-151-0x0000000074390000-0x000000007465F000-memory.dmp

memory/432-150-0x0000000000210000-0x0000000000614000-memory.dmp

memory/3212-152-0x00000000742C0000-0x0000000074388000-memory.dmp

memory/3212-153-0x00000000741F0000-0x00000000742BE000-memory.dmp

memory/3212-157-0x0000000074060000-0x0000000074084000-memory.dmp

memory/3212-156-0x00000000741A0000-0x00000000741E9000-memory.dmp

memory/3212-159-0x0000000074090000-0x000000007419A000-memory.dmp

memory/3212-161-0x0000000073FD0000-0x0000000074058000-memory.dmp

memory/3212-167-0x0000000000210000-0x0000000000614000-memory.dmp

memory/3212-170-0x00000000741F0000-0x00000000742BE000-memory.dmp

memory/3212-169-0x00000000742C0000-0x0000000074388000-memory.dmp

memory/3212-168-0x0000000074390000-0x000000007465F000-memory.dmp

memory/1288-184-0x0000000074210000-0x0000000074234000-memory.dmp

memory/1288-177-0x0000000074360000-0x0000000074428000-memory.dmp

memory/1288-183-0x0000000074240000-0x0000000074289000-memory.dmp

memory/1288-185-0x0000000074100000-0x000000007420A000-memory.dmp

memory/1288-186-0x0000000074070000-0x00000000740F8000-memory.dmp

memory/1288-191-0x0000000074430000-0x00000000746FF000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 4e28cad3a1fb25fadbade03b6b187c9c
SHA1 9c36c72b384eace1797c5a8e47b36516073a038e
SHA256 78477407e5d820c6b951ad6953ca2eea0af6048c8a3c37d78d03d35ab2d0053d
SHA512 91ab9690f62af49b0f6c46c483edbea790efea0529e1cb38090d5e07de99861f61743062fc85df80573d9b15500aed22aa19248f171f150f15098542884d3216

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 9345ffe91563b01c1f0a8c85d7dcd890
SHA1 25bfb64a03f927e05761116a91ddaac55a3945d3
SHA256 8d27becd1d7df23e7dddfced108abf16f51a43a45c53eac54d64b3b34380b9e6
SHA512 259318d17a8f01e5aaf3296a8b56ec4f067aae8d1da7ecb47d9c7dec265caaf893ed53800c0404d300de820e9ad356f7cfddf701b7bae0ea5a6c6033bc9aebc4

memory/1288-192-0x0000000074290000-0x000000007435E000-memory.dmp

memory/4812-210-0x0000000073E30000-0x0000000073E69000-memory.dmp

memory/1288-211-0x0000000000210000-0x0000000000614000-memory.dmp

memory/1288-212-0x0000000074360000-0x0000000074428000-memory.dmp

memory/3124-248-0x0000000074360000-0x0000000074428000-memory.dmp

memory/1288-249-0x0000000000210000-0x0000000000614000-memory.dmp

memory/3124-247-0x0000000074430000-0x00000000746FF000-memory.dmp

memory/3124-245-0x0000000000210000-0x0000000000614000-memory.dmp

memory/3124-251-0x0000000074290000-0x000000007435E000-memory.dmp

memory/3124-252-0x0000000074240000-0x0000000074289000-memory.dmp

memory/3124-256-0x0000000074100000-0x000000007420A000-memory.dmp

memory/3124-258-0x0000000074070000-0x00000000740F8000-memory.dmp

memory/3124-254-0x0000000074210000-0x0000000074234000-memory.dmp

memory/3124-264-0x0000000074430000-0x00000000746FF000-memory.dmp

memory/3124-266-0x0000000074290000-0x000000007435E000-memory.dmp

memory/3124-265-0x0000000074360000-0x0000000074428000-memory.dmp

memory/3124-267-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2440-279-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2440-280-0x0000000074430000-0x00000000746FF000-memory.dmp

memory/2440-281-0x0000000074360000-0x0000000074428000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 e4cfe13b3089c18e230f0b6c82a5affa
SHA1 5550f17a2d69b3a3c7138b4060e7042e0e21eb80
SHA256 4800096fe43d30315fe9e0e9c01dee78e4236d03d9b1ca5ae67ce5c092330257
SHA512 58c32819961b7328f3f960c9ff3c318c94e90e5fb47ea78870c8c063b303197bb62ff9f27938397c7402252e52b08a256d8b17cfd35db431480fa21d21579200

memory/2440-286-0x00000000741D0000-0x00000000742DA000-memory.dmp

memory/2440-287-0x0000000074140000-0x00000000741C8000-memory.dmp

memory/2440-288-0x0000000074070000-0x000000007413E000-memory.dmp

memory/2440-285-0x00000000742E0000-0x0000000074304000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs

MD5 12f08dbfce1dc2fc90ebca01331b2cdb
SHA1 4aef85f4b022c3e20138ecb03a387a26ac22bce0
SHA256 a89d5e8be15212a756e999bc2f107b3ea09b1074233292be6cd7fdac98352edd
SHA512 0cc256afae4a439ca0eb8234a99e95fec181dcd4281ff26eb23ea947e8c9882e95309ac778f8ad381d65271bdfa59a67c9bf9bed227f38b465573e34ffae17ae

memory/2440-284-0x0000000074310000-0x0000000074359000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 c0fc79207b3463a808b1f43f9e5fb83d
SHA1 86da6ea945df4c80ea559059159f64618285ce95
SHA256 8e9401edc4e5d1f1b8aa96249d8e5800a5f970264e37074d0e4caf5d62659ae9
SHA512 4e42d597fb6989c33b492e9f624176784d4d7985d0b799ff3461fa2a911b2d822e17f4fc55737ab7ba38356f44c7213bc99e4b7aca84fc7a8938364e14e15b04

memory/4812-301-0x0000000073E30000-0x0000000073E69000-memory.dmp

memory/2440-311-0x0000000000210000-0x0000000000614000-memory.dmp

memory/2440-313-0x0000000074360000-0x0000000074428000-memory.dmp

memory/2440-312-0x0000000074430000-0x00000000746FF000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 70e6c315c01f78373298953557bcd31f
SHA1 d1ed9da26d0de5c0a7f3fe8b6dd9508fc3e818f0
SHA256 a26a5ed697c8c3d136c9b55ceb08e9f87a0fd1428d7aacb88a7495d8d09acae1
SHA512 36d88cebe702cef048f711355a624a448d7f7876d86db4486f616088cda497df6c632c9892435cbe32a0ad3b6a0da3672f63912380d659d3572f70e64cb0a8cf
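
The Files listing above repeats one layout for every dropped file (a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines) and interleaves it with memory-dump entries that carry no hashes. Several Tor data files (data\state, data\cached-microdescs.new) appear more than once with different hashes because Tor rewrites them while it runs. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses a listing in this layout into IOC records, rejects digests of the wrong length, separates memory dumps from dropped files, and lists the paths whose contents changed during the run. The embedded sample is a handful of entries copied from the listing above (SHA512 lines left out of the two state entries for brevity) plus one deliberately truncated SHA256 line, constructed to exercise the length check.

```python
"""Parse the 'Files' listing of a sandbox report into IOC records.

Added example; not part of this report or of any sandbox vendor's tooling.
Input layout is the one used on this page: a path line, a blank line, then
up to four 'ALGO hexdigest' lines. Memory-dump entries
('memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp') carry no hashes.
"""
import re
from dataclasses import dataclass, field

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algo -> lower-case hex digest


def parse_files_section(text):
    """Return (dropped_files, memory_dumps, errors) for one listing.

    memory_dumps holds (pid, start, end) tuples; errors records hash lines
    that are orphaned or whose digest has the wrong length.
    """
    files, dumps, errors = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            current = None  # hashes never follow a memory dump
            dumps.append((int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"hash with no preceding path: {line}")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"{current.path}: {algo} has {len(digest)} hex "
                              f"chars, expected {HASH_LEN[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)  # anything else is a file path
        files.append(current)
    return files, dumps, errors


def sha256_iocs(files, under=None):
    """Sorted unique SHA256 values, optionally limited to paths under a directory."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes
                   and (under is None or f.path.lower().startswith(under.lower()))})


def rewritten_files(files):
    """Paths listed more than once with different SHA256 values."""
    seen = {}
    for f in files:
        digests = seen.setdefault(f.path, [])
        if "SHA256" in f.hashes and f.hashes["SHA256"] not in digests:
            digests.append(f.hashes["SHA256"])
    return {p: d for p, d in seen.items() if len(d) > 1}


def dump_pids(dumps):
    """Distinct PIDs whose memory was dumped, ascending."""
    return sorted({pid for pid, _, _ in dumps})


# Sample input: entries copied from the report's listing, plus a zlib1.dll
# entry whose SHA256 line is deliberately truncated (constructed).
SAMPLE = r"""
memory/432-20-0x0000000000210000-0x0000000000614000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 9345ffe91563b01c1f0a8c85d7dcd890
SHA256 8d27becd1d7df23e7dddfced108abf16f51a43a45c53eac54d64b3b34380b9e6

memory/4812-54-0x0000000000400000-0x0000000000FBD000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 e4cfe13b3089c18e230f0b6c82a5affa
SHA256 4800096fe43d30315fe9e0e9c01dee78e4236d03d9b1ca5ae67ce5c092330257

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA256 8688bd7ca55dcc0c23c4297627
"""

if __name__ == "__main__":
    files, dumps, errors = parse_files_section(SAMPLE)
    print(f"{len(files)} file entries, {len(dumps)} memory dumps, {len(errors)} errors")
    for path, digests in rewritten_files(files).items():
        print("rewritten during run:", path, digests)
```

When building a blocklist from a report like this, take the hashes of the dropped binaries (dllhost.exe and the bundled DLLs) and leave out anything rewritten_files() reports: those are Tor cache and state files whose contents differ on every run and on every host.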

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:56

Platform

win11-20240412-en

Max time kernel

592s

Max time network

602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
(row repeated 7 times)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
(row repeated 64 times)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(row repeated 64 times)

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
(row repeated 8 times)

Uses Tor communications

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
(row repeated 18 times)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 2324 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 2880 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 3672 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 1544 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 3508 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 3908 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 1972 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 1540 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 1132 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 2516 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 632 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 1496 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4708 wrote to memory of 760 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

(13 dllhost.exe processes, all started with the same command line)

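Every child process in the list above runs under the name dllhost.exe from a user-writable directory and is started with "-f torrc", the Tor client's option for naming its configuration file; the report's "Uses Tor communications" signature and the dropped torrc, cached-microdescs and cached-certs files say the same thing. The genuine dllhost.exe (the COM surrogate) ships only in %SystemRoot%\System32 and %SystemRoot%\SysWOW64, so the image path alone is a dependable check. The Python below is an added example, not part of this report: it applies that path check, plus a look for Tor configuration options, to a set of command lines. The sample command lines are the dropper and two children copied from the list above, with no PIDs from the report attached, plus one constructed benign System32 launch whose GUID is a placeholder; %SystemRoot% is assumed to be C:\Windows.

```python
r"""Flag processes that run under a Windows system binary's name from the
wrong directory, or that carry the Tor client's configuration options.

Added example; not part of this report. It relies on two facts that do not
depend on this sample: dllhost.exe (like svchost.exe, rundll32.exe and
regsvr32.exe) ships only in %SystemRoot%\System32 and %SystemRoot%\SysWOW64,
and 'tor -f <file>' / 'tor --defaults-torrc <file>' are how the Tor client is
pointed at its configuration. Assumption: %SystemRoot% is C:\Windows.
"""
import ntpath
import re

SYSTEM_ONLY_IMAGES = {"dllhost.exe", "svchost.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TOR_CONFIG_OPTIONS = {"-f", "--defaults-torrc"}

# First token is either a "quoted path" or a bare path without spaces; the
# rest of the line is the argument string.
CMDLINE_RE = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$')


def split_cmdline(cmdline):
    """Return (image_path, argument_string) for a Windows command line."""
    m = CMDLINE_RE.match(cmdline)
    if not m:
        return "", ""
    return (m.group(1) or m.group(2)), m.group(3).strip()


def tor_config_args(args):
    """True if a Tor configuration option is followed by a torrc-style file."""
    tokens = args.split()
    return any(tok in TOR_CONFIG_OPTIONS and i + 1 < len(tokens)
               and "torrc" in ntpath.basename(tokens[i + 1]).lower()
               for i, tok in enumerate(tokens))


def check_process(cmdline):
    """Return reason codes for one command line; an empty list means clean."""
    image, args = split_cmdline(cmdline)
    image = ntpath.normcase(image)  # lower-case, forward slashes to backslashes
    reasons = []
    if (ntpath.basename(image) in SYSTEM_ONLY_IMAGES
            and ntpath.dirname(image) not in SYSTEM_DIRS):
        reasons.append("system-binary-name-outside-system-dir")
    if tor_config_args(args):
        reasons.append("tor-config-argument")
    return reasons


def scan(cmdlines):
    """Return [(cmdline, reasons)] for every flagged command line, in order."""
    flagged = []
    for cmd in cmdlines:
        reasons = check_process(cmd)
        if reasons:
            flagged.append((cmd, reasons))
    return flagged


# Constructed sample: the dropper and two of its children exactly as listed in
# the report (PIDs not attached), plus one benign COM surrogate launch from
# System32 with a placeholder GUID, which must not fire.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"',
    r'"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc',
    r'"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc',
    r'C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}',
]

if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_CMDLINES):
        print(", ".join(reasons), "<-", cmd)
```

The dropper itself is not flagged by this check, which is deliberate: it looks for masquerading and Tor options, not for every unknown binary. On a live host the same functions can be fed the CommandLine field of Sysmon event ID 1 or the output of Get-CimInstance Win32_Process; the path check still fires if an operator renames torrc, and the argument check still fires if the Tor binary is dropped under a name that is not in SYSTEM_ONLY_IMAGES.
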
Network

Country Destination Domain Proto
GR 185.4.132.148:443 tcp
NL 192.42.116.16:443 tcp
N/A 127.0.0.1:49766 tcp
US 8.8.8.8:53 148.132.4.185.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 198.24.168.226:443 tcp
DE 194.163.178.164:443 tcp
US 8.8.8.8:53 226.168.24.198.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
DE 81.7.13.84:443 tcp
US 198.24.168.226:443 tcp
US 74.123.97.26:443 tcp
N/A 127.0.0.1:49888 tcp
N/A 127.0.0.1:45808 tcp
AT 37.252.187.111:443 tcp
US 198.24.168.226:443 tcp
US 74.123.97.26:443 tcp
N/A 127.0.0.1:49985 tcp
N/A 127.0.0.1:45808 tcp
DK 185.96.180.29:443 tcp
US 198.24.168.226:443 tcp
US 74.123.97.26:443 tcp
N/A 127.0.0.1:50083 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50173 tcp
US 198.24.168.226:443 tcp
US 74.123.97.26:443 tcp
US 74.123.97.26:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
N/A 127.0.0.1:50252 tcp
US 204.8.156.142:443 tcp
US 198.24.168.226:443 tcp
US 74.123.97.26:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
FR 163.172.149.122:443 tcp
N/A 127.0.0.1:50316 tcp
US 198.24.168.226:443 tcp
US 74.123.97.26:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50375 tcp
N/A 127.0.0.1:50403 tcp
CZ 195.123.245.141:443 tcp
US 198.24.168.226:443 tcp
US 74.123.97.26:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50465 tcp
SE 85.230.178.139:443 tcp
US 74.123.97.26:443 tcp
US 198.24.168.226:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
US 204.8.96.83:443 tcp
N/A 127.0.0.1:50530 tcp
US 198.24.168.226:443 tcp
US 74.123.97.26:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50592 tcp
DE 81.7.16.182:443 tcp
US 74.123.97.26:443 tcp
US 198.24.168.226:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50657 tcp
NL 77.247.181.162:443 tcp
US 74.123.97.26:443 tcp
US 198.24.168.226:443 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/4708-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/4708-1-0x0000000074340000-0x000000007437C000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/2324-17-0x0000000000F90000-0x0000000001394000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:56

Platform

win10v2004-20240412-en

Max time kernel

597s

Max time network

604s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Uses Tor communications

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 952 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 952 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto

Files

memory/952-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/952-1-0x00000000749A0000-0x00000000749D9000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2176-19-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/2176-33-0x0000000073BD0000-0x0000000073C19000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/2176-37-0x0000000073B00000-0x0000000073BC8000-memory.dmp

memory/2176-38-0x0000000073AD0000-0x0000000073AF4000-memory.dmp

memory/2176-39-0x0000000073A00000-0x0000000073ACE000-memory.dmp

memory/2176-40-0x0000000073970000-0x00000000739F8000-memory.dmp

memory/2176-41-0x0000000073860000-0x000000007396A000-memory.dmp

memory/2176-42-0x0000000073C20000-0x0000000073EEF000-memory.dmp

memory/952-43-0x0000000073530000-0x0000000073569000-memory.dmp

memory/2176-44-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/952-52-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/2176-53-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/2176-54-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/2176-62-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/2176-70-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/952-78-0x0000000074280000-0x00000000742B9000-memory.dmp

memory/2176-79-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/2176-95-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/2176-104-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/4036-120-0x0000000073B00000-0x0000000073BC8000-memory.dmp

memory/4036-127-0x0000000073AD0000-0x0000000073AF4000-memory.dmp

memory/4036-121-0x0000000073A00000-0x0000000073ACE000-memory.dmp

memory/4036-128-0x0000000073860000-0x000000007396A000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 b793ecdee06448caf21f204c556dac74
SHA1 630c11bd79a14b178b89d30ce49e01ffa9eed9f3
SHA256 645fe8cfee1d7f6ce044831d1798b41a005af5e01cc851075d06cd9a3f57a811
SHA512 07ce2dddb35a85a83c93480c33b991c04dddaf1628be157704d24330fc10936665b8b776926ef555ceb101233f90cef4c8d2bdb1a0a6c05cd5ba0189c8cc6170

memory/4036-129-0x0000000073970000-0x00000000739F8000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 73a187e30c5c7977f2e23271edfba8fc
SHA1 3b10059a189852c8ad31f165b65f05f4f41aefe2
SHA256 e2d98bbb1e26adae2cf01b7bb68d49c4381bbdbc27b9ab10d0cbc7465afd6e50
SHA512 844914a633f04e20db96fbe96166445730077d2172e5c3311b7758a3f34d725c62e04a79aa39775f41628bf83b4e7bd4acd20942c71a9e705fb886d7a85928a3

memory/4036-130-0x0000000073C20000-0x0000000073EEF000-memory.dmp

memory/4036-122-0x0000000073BD0000-0x0000000073C19000-memory.dmp

memory/4036-134-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/4036-136-0x0000000073B00000-0x0000000073BC8000-memory.dmp

memory/4036-137-0x0000000073A00000-0x0000000073ACE000-memory.dmp

memory/4036-145-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/952-154-0x0000000074040000-0x0000000074079000-memory.dmp

memory/4036-202-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 c710a901b99992abfc7399821a703aa0
SHA1 c2423182b4329384dfd43fe0cf741de276b10bec
SHA256 61e8546cfbf3e15ca792312f573e0be655618c0ae5c0beb0dbef1fadcf871c33
SHA512 635a98216f5c84f4bff2436e741ff7942785129218d2d3399a12ea3e5c0b0b4ad106a1c0b6195f1961ad97d0b205b5fae637c613c64007c69f04e9c4a77ea6e2

memory/1148-207-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/1148-208-0x0000000073C20000-0x0000000073EEF000-memory.dmp

memory/1148-209-0x0000000073B00000-0x0000000073BC8000-memory.dmp

memory/1148-210-0x0000000073A00000-0x0000000073ACE000-memory.dmp

memory/1148-211-0x0000000073BD0000-0x0000000073C19000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 4bf6a93bfb7eb821a71b235049fa4107
SHA1 bed27a52460122600912cc37962abc4e1ebff05c
SHA256 9dbd4937105eacb352d7baf5a0f31ec0c00a93caf1f5f8d0681086301c4ba16f
SHA512 13893dff521b6c4869c9bb489c5f9dc46584c425790eee91e09673b5b4ccf349571c78a8a96c8095febe1b5659ab16afe8bcef0c552cac89d490b37ed9bddd9c

memory/1148-214-0x0000000073860000-0x000000007396A000-memory.dmp

memory/1148-215-0x0000000073970000-0x00000000739F8000-memory.dmp

memory/1148-213-0x0000000073AD0000-0x0000000073AF4000-memory.dmp

memory/952-237-0x0000000074040000-0x0000000074079000-memory.dmp

memory/1148-238-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 fbf2bafd1085164712e68c1e8b95905c
SHA1 1d82dc608a9abbff978965956412ed2b6597dc7f
SHA256 42ecb9451de71ac9917e04824f0fea095991825a6a955571926d35e21c12f8c9
SHA512 066643a7d07c876f0a7aaa87eb0f9471d6228939182051b01d9f1d8f555e7414dedacc9694a2f1182343e3ee9e58cb403cb61de99f4f2a3d6659c848d7abaeff

memory/952-260-0x00000000749A0000-0x00000000749D9000-memory.dmp

memory/952-269-0x0000000073530000-0x0000000073569000-memory.dmp

memory/1148-282-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/2688-293-0x0000000073F80000-0x000000007424F000-memory.dmp

memory/2688-294-0x0000000073EB0000-0x0000000073F78000-memory.dmp

memory/2688-295-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

memory/2688-298-0x0000000073CD0000-0x0000000073DDA000-memory.dmp

memory/2688-299-0x0000000073C40000-0x0000000073CC8000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 9842ca277bf863accebc0329083db9bc
SHA1 3ace8f437e5bd6b7216a9912a16fa899cce72606
SHA256 f9cb14d5f50652c78715be201ce9557979a50d89be110e8b8097bd88de0ef060
SHA512 7464d8189956a8e6ea84d2a04267048478bc4740e68a39590228785955292a79d981c6fea4ebf6d1c11af2fdf2b77ff2d12c0493721189451ef076bb065cc3ad

memory/2688-296-0x0000000074910000-0x0000000074959000-memory.dmp

memory/2688-297-0x0000000074A00000-0x0000000074A24000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs

MD5 fa21fd784c9682a94aeae03588be5b29
SHA1 3686223649478603fb23b5053269dd1fc22143ca
SHA256 c0f0fe8d6de6359172db57c083ce364cb83834609562e003cd5dec5dd9d38b92
SHA512 2296fba30a4dac7c4df36650f44bbae00dd11c7aa5f21bfab64082e6d1009b448fbedc16da922c154b2232b745e1d5e5f981167dd84e0385cab345f221863855

memory/2688-325-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/952-326-0x0000000073950000-0x0000000073989000-memory.dmp

memory/2688-327-0x0000000073F80000-0x000000007424F000-memory.dmp

memory/2688-328-0x0000000073EB0000-0x0000000073F78000-memory.dmp

memory/2688-329-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 0e8254adb790c60dea317d33f4505b55
SHA1 c753127692ea6d5052391747a870419eefe0379e
SHA256 efdec03e301736775c35608dea8346cc70140c39067859eb5e1cb6a6fae8eb30
SHA512 1509b4541c93e88e9cf6577c0e109954a4fbfdeb17c4dafa8bec48134acaf1f8270792144b6465c0dd9a9e8412104626a1cec7228595d8547a26aa704f9f6990

memory/952-344-0x0000000074280000-0x00000000742B9000-memory.dmp

memory/2372-394-0x0000000073EB0000-0x0000000073F78000-memory.dmp

memory/2372-396-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

memory/2372-384-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/2372-398-0x0000000074910000-0x0000000074959000-memory.dmp

memory/2372-403-0x0000000073CD0000-0x0000000073DDA000-memory.dmp

memory/2372-404-0x0000000073C40000-0x0000000073CC8000-memory.dmp

memory/2688-400-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/2372-407-0x0000000073F80000-0x000000007424F000-memory.dmp

memory/2372-399-0x0000000074A00000-0x0000000074A24000-memory.dmp

memory/2372-414-0x0000000074A00000-0x0000000074A24000-memory.dmp

memory/2372-413-0x0000000074910000-0x0000000074959000-memory.dmp

memory/2372-415-0x0000000000BC0000-0x0000000000FC4000-memory.dmp

memory/2372-416-0x0000000073EB0000-0x0000000073F78000-memory.dmp

memory/2372-417-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:56

Platform

win7-20240220-en

Max time kernel

599s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Uses Tor communications

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2928 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49225 tcp
US 199.249.230.64:443 tcp
CZ 195.123.245.141:443 tcp
US 204.8.156.142:443 tcp
N/A 127.0.0.1:45808 tcp
DE 37.221.192.121:443 tcp
US 135.148.52.158:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49317 tcp
DK 185.96.180.29:443 tcp
DE 88.198.35.49:443 tcp
AU 170.64.216.180:443 tcp
N/A 127.0.0.1:49348 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49417 tcp
FR 163.172.157.213:443 tcp
FR 163.172.182.26:443 tcp
US 135.148.52.231:443 tcp
N/A 127.0.0.1:49458 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49506 tcp
N/A 127.0.0.1:49540 tcp
FR 62.210.254.132:443 tcp
ES 82.223.114.35:443 tcp
NL 5.2.70.140:443 tcp
N/A 127.0.0.1:45808 tcp
US 135.148.52.158:443 tcp
N/A 127.0.0.1:49599 tcp
N/A 127.0.0.1:49631 tcp
FR 92.222.38.67:443 tcp
FR 163.172.182.26:443 tcp
US 15.204.142.37:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49685 tcp
N/A 127.0.0.1:49719 tcp
DE 5.45.111.149:443 tcp
ES 82.223.114.35:443 tcp
NL 5.2.70.140:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49777 tcp
PL 51.38.134.104:443 tcp
US 135.148.52.231:443 tcp
DE 37.221.192.121:443 tcp
N/A 127.0.0.1:49809 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49865 tcp
N/A 127.0.0.1:49897 tcp
DE 85.214.200.184:443 tcp
DE 87.118.88.94:443 tcp
DE 85.214.200.184:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49952 tcp
N/A 127.0.0.1:49984 tcp
NL 77.247.181.166:443 tcp
DE 85.214.200.184:443 tcp
N/A 127.0.0.1:45808 tcp
US 198.24.168.226:443 tcp
N/A 127.0.0.1:50038 tcp
N/A 127.0.0.1:50071 tcp
DE 31.185.104.21:443 tcp
DE 85.214.200.184:443 tcp
US 135.148.52.231:443 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50144 tcp
SE 171.25.193.25:443 tcp
N/A 127.0.0.1:50175 tcp
DE 85.214.200.184:443 tcp
US 135.148.52.231:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50228 tcp
DE 31.185.104.21:443 tcp
N/A 127.0.0.1:50262 tcp
DE 85.214.200.184:443 tcp
US 135.148.52.231:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50323 tcp
US 199.184.246.250:443 tcp
US 135.148.52.231:443 tcp
DE 85.214.200.184:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50385 tcp
N/A 127.0.0.1:50418 tcp
DE 81.7.16.182:443 tcp
DE 85.214.200.184:443 tcp
US 135.148.52.231:443 tcp
N/A 127.0.0.1:45808 tcp
US 162.251.116.34:443 tcp
N/A 127.0.0.1:50477 tcp
N/A 127.0.0.1:50512 tcp
FR 193.70.112.165:443 tcp
US 135.148.52.231:443 tcp
DE 85.214.200.184:443 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/2928-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2928-17-0x00000000046D0000-0x0000000004AD4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/2868-33-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/2868-35-0x0000000073F90000-0x0000000074058000-memory.dmp

memory/2868-34-0x00000000745C0000-0x0000000074609000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

memory/2868-42-0x0000000074660000-0x0000000074684000-memory.dmp

memory/2868-41-0x0000000073DB0000-0x0000000073E7E000-memory.dmp

memory/2868-40-0x0000000074530000-0x00000000745B8000-memory.dmp

memory/2868-37-0x0000000073E80000-0x0000000073F8A000-memory.dmp

memory/2928-43-0x00000000046D0000-0x0000000004AD4000-memory.dmp

memory/2868-44-0x0000000074060000-0x000000007432F000-memory.dmp

memory/2868-47-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/2868-50-0x0000000073F90000-0x0000000074058000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/2928-61-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/2928-62-0x00000000046D0000-0x0000000004AD4000-memory.dmp

memory/2868-63-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/2868-64-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/2928-72-0x00000000046D0000-0x0000000004AD4000-memory.dmp

memory/2868-73-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/2868-81-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/2868-93-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/1248-112-0x00000000745C0000-0x0000000074609000-memory.dmp

memory/1248-111-0x0000000074060000-0x000000007432F000-memory.dmp

memory/1248-113-0x0000000073F90000-0x0000000074058000-memory.dmp

memory/1248-118-0x0000000073E80000-0x0000000073F8A000-memory.dmp

memory/1248-122-0x0000000073DB0000-0x0000000073E7E000-memory.dmp

memory/1248-123-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/1248-124-0x0000000074660000-0x0000000074684000-memory.dmp

memory/1248-120-0x0000000074530000-0x00000000745B8000-memory.dmp

memory/1248-127-0x0000000073F90000-0x0000000074058000-memory.dmp

memory/1248-130-0x0000000073DB0000-0x0000000073E7E000-memory.dmp

memory/1248-129-0x0000000074530000-0x00000000745B8000-memory.dmp

memory/1248-128-0x0000000073E80000-0x0000000073F8A000-memory.dmp

memory/1248-125-0x0000000074060000-0x000000007432F000-memory.dmp

memory/1248-126-0x00000000745C0000-0x0000000074609000-memory.dmp

memory/2928-101-0x00000000050D0000-0x00000000054D4000-memory.dmp

memory/1924-148-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/1924-149-0x0000000074570000-0x00000000745B9000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 1d3e10ebfd6be7884c3f6bcee32696b3
SHA1 bce5d6f2dbc0c9b2474a357757d18617d4ad5ac3
SHA256 9721b2db6d5d126c4636a4d4951655ccaaa13daa3b2d080a1e1a0e0ff80de49c
SHA512 ed359c06afbe4e78abac6a0c8a6122307c106b05d968e98bb8af70a27eccc8a05a7f56bde6da71d25a35544ad5176db08c9a57e939e3f92af412ecd1d3d3d427

memory/1924-156-0x00000000740C0000-0x0000000074148000-memory.dmp

memory/1924-157-0x0000000073C00000-0x0000000073CCE000-memory.dmp

memory/1924-158-0x00000000745E0000-0x0000000074604000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 b4b072a31675b9dd798d49ddf433508e
SHA1 77625a8ea0fde29739950ce8e3eb0d532ca53a45
SHA256 4c76f0d9f4150eb6226ee0f2dbaf17ceada6e954eb46d298bf52438045505fd8
SHA512 65e9931faca893e36cacb8dd7bb3ad7d8c3bf4e896822c7a47ec43273e13686c64d5c3fa7b54c7ed88ce45bef52e2cccbbf8ab9c17d49c4f18cc562b3facc0d6

memory/1924-159-0x0000000073D90000-0x000000007405F000-memory.dmp

memory/1924-153-0x0000000074150000-0x000000007425A000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 462e670fdefc532075e1d5e712e6feaa
SHA1 e20408e76f42ce5eec774024af3500c0f06f9dfb
SHA256 1bf62eb8003b99c2f826ef6329eb3be127375f7580d8b917842a64fea136f3e8
SHA512 37a45375ed0a2c391b371468b85acec734e45d47ca0522df01f428e1d54752ad57ee7dd4241034612975ef90306ee5f2d838d490fbe3a7134171ecfb09c9c46d

memory/1924-150-0x0000000074260000-0x0000000074328000-memory.dmp

memory/1924-167-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/1924-170-0x0000000074260000-0x0000000074328000-memory.dmp

memory/2928-175-0x00000000050D0000-0x00000000054D4000-memory.dmp

memory/1924-176-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/1924-184-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/888-211-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/888-218-0x0000000074260000-0x0000000074328000-memory.dmp

memory/888-220-0x0000000074150000-0x000000007425A000-memory.dmp

memory/888-224-0x00000000745E0000-0x0000000074604000-memory.dmp

memory/888-223-0x0000000073C00000-0x0000000073CCE000-memory.dmp

memory/888-222-0x00000000740C0000-0x0000000074148000-memory.dmp

memory/888-232-0x0000000000B50000-0x0000000000F54000-memory.dmp

memory/888-216-0x0000000074570000-0x00000000745B9000-memory.dmp

memory/888-215-0x0000000073D90000-0x000000007405F000-memory.dmp

memory/2928-209-0x00000000050D0000-0x00000000054D4000-memory.dmp

memory/884-250-0x0000000000EE0000-0x00000000012E4000-memory.dmp

memory/884-251-0x0000000074060000-0x000000007432F000-memory.dmp

memory/884-252-0x00000000745C0000-0x0000000074609000-memory.dmp

memory/884-253-0x0000000073E80000-0x0000000073F8A000-memory.dmp

memory/884-254-0x0000000074530000-0x00000000745B8000-memory.dmp

memory/884-255-0x0000000073DB0000-0x0000000073E7E000-memory.dmp

memory/884-256-0x0000000074660000-0x0000000074684000-memory.dmp

memory/884-257-0x0000000073F90000-0x0000000074058000-memory.dmp

memory/2928-268-0x00000000050D0000-0x00000000054D4000-memory.dmp

memory/884-278-0x0000000074060000-0x000000007432F000-memory.dmp

memory/884-277-0x0000000000EE0000-0x00000000012E4000-memory.dmp

memory/2928-294-0x00000000050D0000-0x00000000054D4000-memory.dmp

memory/2384-295-0x0000000000EE0000-0x00000000012E4000-memory.dmp

memory/2384-297-0x0000000074060000-0x000000007432F000-memory.dmp

memory/2384-300-0x00000000745C0000-0x0000000074609000-memory.dmp

memory/2384-303-0x0000000073F90000-0x0000000074058000-memory.dmp

memory/2384-306-0x0000000073E80000-0x0000000073F8A000-memory.dmp

memory/2384-309-0x0000000074530000-0x00000000745B8000-memory.dmp

memory/2384-312-0x0000000073DB0000-0x0000000073E7E000-memory.dmp

memory/2384-314-0x0000000074660000-0x0000000074684000-memory.dmp

memory/2384-317-0x0000000000EE0000-0x00000000012E4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 e7395a33665e96ad7f5604d7ab204912
SHA1 8d06616feb602cb112b9093ab8ca9ceea4174117
SHA256 39da6a68c7b6a27c6d48869626ba05048ced8cb004d0e166ef195189781f43f9
SHA512 bde165ed6202a8a5506babc2e8456991151c6e15fec478f68a3cc1ae8c605c15ded83abba57a7a2655a3ac4d1d787bd4b503e3be11a71a9eefc68aff2fe69f79

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 61f62aa276a505f6f78b28c4078f15e8
SHA1 7a41171db24171889fffa1bbb07a29d48bdeb0da
SHA256 d9d3abc6ab816dde1bcedeabe500fbdd8eb68077c54c8f5fe8a3ddd18068f71f
SHA512 eb7f0e5b07143289c938bbb6f1a8ff15d053f397b785634cf92ae24543b1b96db9d260143c80e970d2e0b4d9eb4b0b538f541db54c18585057099190043b17da

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:56

Platform

win10-20240404-en

Max time kernel

599s

Max time network

603s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Uses Tor communications

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4192 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49792 tcp
FR 163.172.176.167:443 tcp
US 199.249.230.83:443 tcp
DE 81.7.3.67:443 tcp
N/A 127.0.0.1:45808 tcp
FR 178.33.183.251:443 tcp
CA 199.58.81.140:443 tcp
US 8.8.8.8:53 140.81.58.199.in-addr.arpa udp
DE 85.215.68.72:443 tcp
NL 51.15.76.56:443 tcp
US 8.8.8.8:53 72.68.215.85.in-addr.arpa udp
US 8.8.8.8:53 56.76.15.51.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49891 tcp
US 172.241.140.249:443 tcp
EE 94.131.15.74:443 tcp
N/A 127.0.0.1:49928 tcp
US 8.8.8.8:53 74.15.131.94.in-addr.arpa udp
US 8.8.8.8:53 249.140.241.172.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49992 tcp
RO 185.100.84.212:443 tcp
ES 217.160.114.209:443 tcp
DE 88.198.35.49:443 tcp
N/A 127.0.0.1:50028 tcp
US 8.8.8.8:53 49.35.198.88.in-addr.arpa udp
US 8.8.8.8:53 209.114.160.217.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
N/A 127.0.0.1:50105 tcp
N/A 127.0.0.1:50133 tcp
US 23.141.40.7:443 tcp
NL 51.15.76.56:443 tcp
DE 129.13.131.140:443 tcp
US 8.8.8.8:53 7.40.141.23.in-addr.arpa udp
US 8.8.8.8:53 140.131.13.129.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
N/A 127.0.0.1:50206 tcp
DK 185.96.88.29:443 tcp
LU 104.244.79.122:443 tcp
DE 85.214.200.184:443 tcp
N/A 127.0.0.1:50233 tcp
US 8.8.8.8:53 184.200.214.85.in-addr.arpa udp
US 8.8.8.8:53 122.79.244.104.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50306 tcp
N/A 127.0.0.1:50331 tcp
FR 212.47.244.38:443 tcp
DE 178.254.29.190:443 tcp
EE 94.131.15.74:443 tcp
US 8.8.8.8:53 190.29.254.178.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
EE 94.131.15.74:443 tcp
DE 178.254.29.190:443 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
N/A 127.0.0.1:50419 tcp
DE 185.94.29.93:443 tcp
N/A 127.0.0.1:50446 tcp
EE 94.131.15.74:443 tcp
US 8.8.8.8:53 93.29.94.185.in-addr.arpa udp
DE 178.254.29.190:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50507 tcp
N/A 127.0.0.1:50531 tcp
FR 212.47.244.38:443 tcp
DE 178.254.29.190:443 tcp
EE 94.131.15.74:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50592 tcp
GR 185.4.132.148:443 tcp
EE 94.131.15.74:443 tcp
US 8.8.8.8:53 148.132.4.185.in-addr.arpa udp
DE 178.254.29.190:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50645 tcp
N/A 127.0.0.1:50671 tcp
GR 185.4.132.148:443 tcp
EE 94.131.15.74:443 tcp
DE 178.254.29.190:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
FR 212.47.244.38:443 tcp
N/A 127.0.0.1:50721 tcp
N/A 127.0.0.1:50748 tcp
EE 94.131.15.74:443 tcp
DE 178.254.29.190:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50801 tcp
N/A 127.0.0.1:50828 tcp
SE 85.230.178.139:443 tcp
DE 178.254.29.190:443 tcp
EE 94.131.15.74:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50882 tcp
CZ 37.157.195.87:443 tcp
N/A 127.0.0.1:50911 tcp
EE 94.131.15.74:443 tcp
DE 178.254.29.190:443 tcp

Files

memory/4192-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/4192-1-0x00000000741D0000-0x000000007420A000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/3548-32-0x00000000737F0000-0x00000000738B8000-memory.dmp

\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/3548-27-0x0000000000CF0000-0x00000000010F4000-memory.dmp

\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/3548-33-0x00000000737A0000-0x00000000737E9000-memory.dmp

memory/3548-39-0x0000000001940000-0x00000000019C8000-memory.dmp

memory/3548-42-0x00000000735C0000-0x00000000736CA000-memory.dmp

memory/3548-43-0x0000000073590000-0x00000000735B4000-memory.dmp

memory/3548-41-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/3548-40-0x0000000001940000-0x0000000001C0F000-memory.dmp

memory/3548-38-0x0000000073230000-0x00000000732B8000-memory.dmp

memory/3548-37-0x00000000736D0000-0x000000007379E000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

memory/4192-44-0x0000000072F60000-0x0000000072F9A000-memory.dmp

memory/3548-45-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/3548-46-0x00000000737F0000-0x00000000738B8000-memory.dmp

memory/3548-48-0x00000000736D0000-0x000000007379E000-memory.dmp

memory/4192-53-0x0000000000400000-0x0000000000FBD000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/3548-62-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/3548-63-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/3548-71-0x0000000001940000-0x00000000019C8000-memory.dmp

memory/3548-72-0x0000000001940000-0x0000000001C0F000-memory.dmp

memory/3548-73-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/3548-81-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/4192-92-0x0000000073AD0000-0x0000000073B0A000-memory.dmp

memory/3548-93-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/3548-101-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/3548-110-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/4000-127-0x00000000737F0000-0x00000000738B8000-memory.dmp

memory/4000-130-0x00000000736D0000-0x000000007379E000-memory.dmp

memory/4000-132-0x00000000737A0000-0x00000000737E9000-memory.dmp

memory/4000-135-0x0000000073590000-0x00000000735B4000-memory.dmp

memory/4000-133-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/4000-136-0x00000000737F0000-0x00000000738B8000-memory.dmp

memory/4000-137-0x00000000735C0000-0x00000000736CA000-memory.dmp

memory/3548-134-0x0000000001940000-0x00000000019C8000-memory.dmp

memory/4000-139-0x0000000073230000-0x00000000732B8000-memory.dmp

memory/4000-129-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/4000-126-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/4000-124-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/1296-155-0x0000000073920000-0x00000000739E8000-memory.dmp

memory/1296-156-0x00000000741C0000-0x0000000074209000-memory.dmp

memory/1296-163-0x00000000736B0000-0x0000000073738000-memory.dmp

memory/1296-164-0x00000000739F0000-0x0000000073CBF000-memory.dmp

memory/1296-165-0x0000000073850000-0x000000007391E000-memory.dmp

memory/1296-162-0x0000000073740000-0x000000007384A000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 ba7209133c48200828c4976cab4aed6a
SHA1 8697a3ff19d245aa5c2ac058066b5096aadb7108
SHA256 987cc55317ece75159035c07f7cccdd7506ffdaa3d2a970800db32d867c98726
SHA512 71ee0ca7439638788f5a06250535c4c99783e2aa50ffc2fb849830f8044e8a2ae0920277a39e9998ea973c446fd76bbe5c7bf498a49c47e0d49d1ba085469257

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 719de8f74162f2a549c117b58759631d
SHA1 e6ca88d3db263cd200f7e6954975252c215abf16
SHA256 e66585e3bd795b20424d3c092d0af9d2fd306622b1b9268a3278661b2294d0b0
SHA512 e345c66f666e56b9842b0c2851f41559305f391dce8912c6cb94b51a10b54588cb3e75be4754500be8f02db8cfce7e5bee353b181d156d28665dc8ea5a4ddd92

memory/1296-157-0x0000000074190000-0x00000000741B4000-memory.dmp

memory/4192-177-0x0000000073410000-0x000000007344A000-memory.dmp

memory/1296-178-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/1296-179-0x0000000073920000-0x00000000739E8000-memory.dmp

memory/4724-210-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/4724-212-0x00000000739F0000-0x0000000073CBF000-memory.dmp

memory/4724-214-0x0000000073920000-0x00000000739E8000-memory.dmp

memory/4724-217-0x0000000073850000-0x000000007391E000-memory.dmp

memory/4724-219-0x00000000741C0000-0x0000000074209000-memory.dmp

memory/1296-222-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/4724-224-0x0000000073740000-0x000000007384A000-memory.dmp

memory/4724-221-0x0000000074190000-0x00000000741B4000-memory.dmp

memory/4724-226-0x00000000736B0000-0x0000000073738000-memory.dmp

memory/4724-232-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/4724-234-0x0000000073920000-0x00000000739E8000-memory.dmp

memory/4724-235-0x0000000073850000-0x000000007391E000-memory.dmp

memory/4724-233-0x00000000739F0000-0x0000000073CBF000-memory.dmp

memory/2680-248-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/2680-249-0x00000000739F0000-0x0000000073CBF000-memory.dmp

memory/2680-252-0x0000000073920000-0x00000000739E8000-memory.dmp

memory/2680-254-0x0000000073810000-0x000000007391A000-memory.dmp

memory/2680-255-0x0000000074190000-0x00000000741B4000-memory.dmp

memory/2680-253-0x00000000741C0000-0x0000000074209000-memory.dmp

memory/2680-257-0x0000000001180000-0x0000000001208000-memory.dmp

memory/2680-256-0x0000000073780000-0x0000000073808000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 cb9cd726fd67806324161138c8b876ec
SHA1 3628a0c91feef02f69cfa2a9609f47dc591d3d9b
SHA256 5a3c06d2dcc2f39cf1228734c3302e2a18073a7671ce555ee9ceccb7b935630a
SHA512 824c5c3b7858d4cf818f98c1c4a2cd92deb34b45648d66767f91578ec37e424f3a4aa3b3a6d9a52a546169ac64364e7465d734b02bdd484ac0e40c0fceb41033

memory/2680-258-0x00000000736B0000-0x000000007377E000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 d1a71ddd706c229dc21cb70d32c95f55
SHA1 94958f0af3173b32ee0fb0bedd8087ff574d40e2
SHA256 9c3b0eb3ee72cd02699c45764a74c9b35200ab4ae72f3a0e104dca9d8da58e12
SHA512 5b055c9008d7b25772f52cb11ec57e0e53ff640f03a4656790c210b265702cb9c33cb04a67b8003ac092416a84ede0e6f2e4cf0058e11e16fdd83e29d12a9808

memory/4192-273-0x0000000073410000-0x000000007344A000-memory.dmp

memory/2680-282-0x0000000000CF0000-0x00000000010F4000-memory.dmp

memory/2680-283-0x00000000739F0000-0x0000000073CBF000-memory.dmp

memory/2680-284-0x0000000001180000-0x0000000001208000-memory.dmp

memory/1348-315-0x0000000000CF0000-0x00000000010F4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 042619f5e932ec6e3d17624c449b007b
SHA1 a35f7b9f9aa767a67837a9015397a99573788d98
SHA256 7e65c5fe8c7ce1877b248811df2426fecb99ba2c48ef02c77cfb8b1de3301f35
SHA512 34608e2a66c5d72feea69211ba34af018b63b6598d6278d1dd6752b3e524672eccb322b3aefed0abc2fb37a061f6b1c0697db122c7d966a970475ebcdd3da582

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 389da97e2c888561700a94c1502b45dc
SHA1 43400a5100c705f24989de27e807e2a067a7ab21
SHA256 2f8ebdd71fcbb178ee092977eca2b74ae2d3fae51d3e231bb966fb10565c8b40
SHA512 0e0fd10c674a02c1215aa9b4c69afd02c019f93eebd05245fbbb6b178b205c1b36f5a04d8073b2c9ec4deb1e9bc68f7c0207752c275d8e84651cf5ebfdf8685b