Malware Analysis Report

2024-09-22 22:01

Sample ID 240426-hhylvaba94
Target 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
SHA256 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
Tags
bitrat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2

Threat Level: Known bad

The file 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT payload

Bitrat family

BitRAT

Checks computer location settings

Executes dropped EXE

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Uses Tor communications

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-26 06:44

Signatures

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Bitrat family

bitrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:48

Platform

win10-20240404-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4512 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 4512 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Files

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:48

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2296 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 2296 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Files

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new


Analysis: behavioral5

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:48

Platform

win11-20240412-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(7 matches; no description, indicator, process or target recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A (22 identical rows; each is a DLL load by the dropped dllhost.exe, and the loaded DLL is not recorded)

UPX packed file

upx
Description Indicator Process Target
(46 matches; no description, indicator, process or target recorded for any of them)

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
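The three dllhost.exe launches above, each started by the sample with tor's "-f torrc" argument from a directory the sample created under AppData\Local, are a detection in themselves: the genuine COM surrogate dllhost.exe lives in System32 (or SysWOW64) and never takes that argument. The following is an added example of that check, written by the editor rather than taken from the report or the sandbox. It runs over process-creation events constructed to mirror this run's PIDs and paths (a real deployment would feed it Sysmon event ID 1 or EDR process telemetry); the parent PIDs, the explorer/svchost parents and the GUID on the benign control event are placeholders, not values from the report.

```python
r"""Added example (not part of the sandbox report): flag the process pattern
the report's Processes and WriteProcessMemory tables show, i.e. dllhost.exe
started from a per-user ...\AppData\Local\<8 hex>\tor\ directory with tor's
"-f torrc" argument, by an executable running out of %TEMP%.
The events below are constructed to mirror the report, not real telemetry."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Where the genuine COM surrogate dllhost.exe lives on a 64-bit Windows install.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Drop directory layout seen in the report: ...\AppData\Local\8123e463\tor\
HEX_TOR_DIR_RE = re.compile(r"\\appdata\\local\\[0-9a-f]{8}\\tor\\", re.I)
# tor's own flag for naming its configuration file.
TORRC_ARG_RE = re.compile(r"(^|\s)-f\s+torrc(\s|$)", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


def is_masqueraded_dllhost(ev: ProcEvent) -> bool:
    """dllhost.exe anywhere but System32/SysWOW64 is a name collision, not the surrogate."""
    return (ntpath.basename(ev.image).lower() == "dllhost.exe"
            and ntpath.dirname(ev.image).lower() not in SYSTEM_DIRS)


def has_torrc_arg(ev: ProcEvent) -> bool:
    return bool(TORRC_ARG_RE.search(ev.cmdline))


def dropped_from_temp(ev: ProcEvent) -> bool:
    """Child inside the <hex>\\tor\\ drop directory, parent running out of %TEMP%."""
    return (bool(HEX_TOR_DIR_RE.search(ev.image))
            and "\\appdata\\local\\temp\\" in ev.parent_image.lower())


def evaluate(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per suspicious event, listing the reasons that fired."""
    findings = []
    for ev in events:
        reasons = []
        if is_masqueraded_dllhost(ev):
            reasons.append("dllhost.exe outside System32/SysWOW64")
        if has_torrc_arg(ev):
            reasons.append("tor configuration argument '-f torrc'")
        if dropped_from_temp(ev):
            reasons.append("spawned from %TEMP% into AppData\\Local\\<hex>\\tor\\")
        if reasons:
            findings.append({"pid": ev.pid, "ppid": ev.ppid, "image": ev.image, "reasons": reasons})
    return findings


# Constructed events mirroring behavioral5: PID 1972 is the sample, 3544/3736/3568 are
# the three dllhost.exe launches it wrote into. PID 4100 is a benign control; its
# parent PIDs and the GUID are placeholders.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe"
EVENTS = [
    ProcEvent(1972, 4000, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(3544, 1972, DROPPED, f'"{DROPPED}" -f torrc', SAMPLE),
    ProcEvent(3736, 1972, DROPPED, f'"{DROPPED}" -f torrc', SAMPLE),
    ProcEvent(3568, 1972, DROPPED, f'"{DROPPED}" -f torrc', SAMPLE),
    ProcEvent(4100, 900, r"C:\Windows\System32\dllhost.exe",
              r"C:\Windows\System32\dllhost.exe /Processid:{DEADBEEF-0000-0000-0000-000000000000}",
              r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding["pid"], finding["image"], "; ".join(finding["reasons"]))
```

Each of the three reasons is a usable rule on its own; the path-based one is the most fragile because the eight-hex-character directory name may well be per-victim or per-build, so it is kept as a separate predicate rather than folded into the dllhost check.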

Network

Country Destination Domain Proto
DE 31.185.104.21:443 tcp
US 204.8.156.142:443 tcp
N/A 127.0.0.1:49793 tcp
US 8.8.8.8:53 142.156.8.204.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
DE 45.91.101.227:443 tcp
FR 62.210.97.21:443 tcp
US 8.8.8.8:53 21.97.210.62.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
NL 5.200.21.144:443 tcp
US 135.148.53.55:443 tcp
US 172.241.23.114:443 tcp
N/A 127.0.0.1:49897 tcp
US 52.111.227.13:443 tcp
N/A 127.0.0.1:45808 tcp
FR 95.128.43.164:443 tcp
FR 146.59.234.220:443 tcp
SE 193.182.111.43:443 tcp
N/A 127.0.0.1:49980 tcp
US 8.8.8.8:53 43.111.182.193.in-addr.arpa udp
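In the Network table above every external connection is tcp/443, the loopback port 45808 recurs three times among otherwise ephemeral local ports (it recurs in the behavioral1 run below as well), and the udp rows to 8.8.8.8:53 are reverse (PTR) lookups whose names encode the same addresses the tcp rows connect to; the report does not say whether the sample or the sandbox issued them. The following added example (the editor's, not the report's or the sandbox's) parses a table in this layout and pulls those three observations out of it; SAMPLE_TABLE is the behavioral5 table above copied verbatim. Whether 45808 is the SocksPort set in the dropped torrc is an inference, since the torrc contents are not shown.

```python
"""Added example (not part of the sandbox report): reduce a Network table in this
report's layout to what a responder wants from it: the external peers, any
loopback port the sample keeps reconnecting to, and whether the PTR lookups sent
to 8.8.8.8 name the same addresses the tcp rows connect to.
SAMPLE_TABLE is the behavioral5 Network table of this report, copied verbatim."""
import ipaddress
from collections import Counter

SAMPLE_TABLE = """\
DE 31.185.104.21:443 tcp
US 204.8.156.142:443 tcp
N/A 127.0.0.1:49793 tcp
US 8.8.8.8:53 142.156.8.204.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
DE 45.91.101.227:443 tcp
FR 62.210.97.21:443 tcp
US 8.8.8.8:53 21.97.210.62.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
NL 5.200.21.144:443 tcp
US 135.148.53.55:443 tcp
US 172.241.23.114:443 tcp
N/A 127.0.0.1:49897 tcp
US 52.111.227.13:443 tcp
N/A 127.0.0.1:45808 tcp
FR 95.128.43.164:443 tcp
FR 146.59.234.220:443 tcp
SE 193.182.111.43:443 tcp
N/A 127.0.0.1:49980 tcp
US 8.8.8.8:53 43.111.182.193.in-addr.arpa udp
"""


def parse_network_table(text):
    """Rows are 'Country Destination [Domain] Proto'; tcp rows carry no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] == "Country":
            continue                                   # blank or header line
        host, port = parts[1].rsplit(":", 1)
        rows.append({
            "country": None if parts[0] == "N/A" else parts[0],
            "ip": ipaddress.ip_address(host),
            "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None,
            "proto": parts[-1],
        })
    return rows


def external_peers(rows):
    """Distinct non-loopback tcp destinations as (ip, port)."""
    return sorted({(str(r["ip"]), r["port"]) for r in rows
                   if r["proto"] == "tcp" and not r["ip"].is_loopback})


def repeated_loopback_ports(rows, min_count=2):
    """Loopback ports hit at least min_count times: a fixed local service port
    rather than an ephemeral one (45808 in this report)."""
    hits = Counter(r["port"] for r in rows if r["ip"].is_loopback)
    return {port: n for port, n in hits.items() if n >= min_count}


def ptr_name_to_ip(name):
    """'142.156.8.204.in-addr.arpa' -> '204.8.156.142'."""
    labels = name.lower().removesuffix(".in-addr.arpa").split(".")
    return ".".join(reversed(labels))


def ptr_lookups(rows):
    """(looked-up ip, whether a tcp row connected to it) for each PTR query, in order."""
    peers = {ip for ip, _ in external_peers(rows)}
    out = []
    for r in rows:
        if r["proto"] == "udp" and r["domain"] and r["domain"].endswith(".in-addr.arpa"):
            ip = ptr_name_to_ip(r["domain"])
            out.append((ip, ip in peers))
    return out


if __name__ == "__main__":
    rows = parse_network_table(SAMPLE_TABLE)
    peers = external_peers(rows)
    print(len(peers), "external peers on ports", sorted({p for _, p in peers}))
    print("repeated loopback ports:", repeated_loopback_ports(rows))
    print("PTR lookups:", ptr_lookups(rows))
```

The external peer list is the part to be careful with: tor clients talk to whichever relays the consensus hands them, so these eleven addresses identify this run's circuit, not the operator, and they should not be promoted to indicators of this sample.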

Files

memory/1972-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/1972-1-0x0000000074980000-0x00000000749BC000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/3544-33-0x0000000000F70000-0x0000000001374000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/3544-38-0x0000000073B30000-0x0000000073BFE000-memory.dmp

memory/3544-37-0x0000000073C00000-0x0000000073CC8000-memory.dmp

memory/3544-39-0x0000000073AE0000-0x0000000073B29000-memory.dmp

memory/3544-40-0x0000000000AB0000-0x0000000000AF9000-memory.dmp

memory/3544-42-0x0000000073A20000-0x0000000073AA8000-memory.dmp

memory/3544-43-0x0000000073910000-0x0000000073A1A000-memory.dmp

memory/3544-41-0x0000000073AB0000-0x0000000073AD4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/3544-44-0x0000000073CD0000-0x0000000073F9F000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/1972-45-0x00000000734F0000-0x000000007352C000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/3544-54-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3544-56-0x0000000073C00000-0x0000000073CC8000-memory.dmp

memory/1972-62-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/3544-63-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3544-64-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3544-72-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3544-83-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/1972-91-0x0000000074990000-0x00000000749CC000-memory.dmp

memory/3544-92-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3544-101-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3544-109-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3736-126-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3736-127-0x0000000073C00000-0x0000000073CC8000-memory.dmp

memory/3736-128-0x0000000073B30000-0x0000000073BFE000-memory.dmp

memory/3736-129-0x0000000073AE0000-0x0000000073B29000-memory.dmp

memory/3736-130-0x0000000073AB0000-0x0000000073AD4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 8345450027bae29fd073471cc044b772
SHA1 4eb0fcfd3bca8a178e67186c5e0bffd52c207097
SHA256 2400c4cf6c4ef4aa4b62b3d912fb8835ff22a9deb4a3283a087a461bd03327b5
SHA512 afb9b440f20252ec1b8bd24ff3b4f9cf3357dc1a7582cf660027d90f396d050b98074c62a28f670c4a565eea58c073cbcd928c246303085c0a6a8108c8b1ff72

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 8370957cd0f0a83adb9b7763d43489e8
SHA1 2e4a295592d506128cabd5c927fa1fc29318d872
SHA256 72af4696590ed84161b9fe17ce83b78e5f3cfcb14a43c76360d31c9c25617e03
SHA512 4256e9b2bcc02589ef9c9500a9860b178117f2b502711723a78acd2286de535b82fd0c2cd37844de44eecfb800cef64690015bcbd5bd05923733973a2908d4e6

memory/3736-137-0x0000000073CD0000-0x0000000073F9F000-memory.dmp

memory/3736-134-0x0000000073A20000-0x0000000073AA8000-memory.dmp

memory/3736-133-0x0000000073910000-0x0000000073A1A000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 21ffd700b03a033ac5d8061c8c7b4e87
SHA1 5216ae493dc1a67c99d19773923449d1e0fecf0d
SHA256 0e012a9090e4a4b0eec74b8aa8487cc5e38ae6e124d030ba3da60e760c563808
SHA512 65ea49b7112502fd98d0a1a63560a7375358706a2243a467a8025f492ba5e26139c3c5b57429c0c9cd4ef41344ed8aee61e6e17bc5f687a270a6a00091f7ed3c

memory/3736-144-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3736-147-0x0000000073B30000-0x0000000073BFE000-memory.dmp

memory/3736-146-0x0000000073C00000-0x0000000073CC8000-memory.dmp

memory/3736-160-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/1972-161-0x0000000073530000-0x000000007356C000-memory.dmp

memory/3736-204-0x0000000000F70000-0x0000000001374000-memory.dmp

memory/3568-210-0x0000000073AB0000-0x0000000073AD4000-memory.dmp

memory/3568-209-0x0000000000F70000-0x0000000001374000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 f2008d7c90885b211959d37bc8449978
SHA1 2e5106350b89ddbc54637ff80bf0d34ca673ff38
SHA256 bec4e593a234c56d26b6315843fc802ee13217dde2c64f299d844f5800903817
SHA512 b22e030c9b99ed27e4857a4961ee4e44855207bd515ce7e184cc80152170ed8ccb83791503a2ad2b6723e506db5feb77337059a8f71f2cdd2d5e8ca18eadfc79

memory/3568-211-0x0000000073CD0000-0x0000000073F9F000-memory.dmp

memory/3568-212-0x0000000073C00000-0x0000000073CC8000-memory.dmp

memory/3568-213-0x0000000073B30000-0x0000000073BFE000-memory.dmp

memory/3568-214-0x0000000073AE0000-0x0000000073B29000-memory.dmp

memory/3568-215-0x0000000073910000-0x0000000073A1A000-memory.dmp

memory/3568-216-0x0000000073A20000-0x0000000073AA8000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs

MD5 0d0bfda050b5d3dc77f8bca274db46b6
SHA1 c301db87f21c514dc59b4a8a977ddd7059433151
SHA256 4383919cb0a9b9cf38df38e504c4b57e98ec3cfba56903986cb3a2844472cef6
SHA512 d3d87c5bb0dce1482a1f95273aa8b7d6e276dad68bcb0307cbc645f5ca5b24216205d311f2f2aedf6470b65056216d6b7dde137b9ca3141b822542c7b8c58d07
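The Files list above mixes two kinds of artefact. The tor bundle the sample drops (dllhost.exe, torrc and the libevent, zlib, libgcc, libwinpthread, libssp, libssl and libcrypto DLLs) carries the same hashes in this run as in behavioral1 below, so those hashes are usable indicators. The files under tor\data\ (state, cached-certs, cached-microdesc-consensus, cached-microdescs.new) are tor's own directory cache, rewritten as the client bootstraps, which is why data\state is listed twice above with different hashes and why those hashes differ from run to run. A dllhost.exe sitting next to tor's dependency DLLs and started with "-f torrc" is consistent with a renamed tor client binary (the editor's inference; the report does not identify it), so its hash is worth comparing against an official tor release before it is treated as malicious on its own: the malicious part is the context, not necessarily the file. The following added example (the editor's, not the report's or the sandbox's) parses a listing in this layout and makes that split; SAMPLE_LISTING is a subset of the behavioral5 Files section above, copied verbatim.

```python
r"""Added example (not part of the sandbox report): parse a Files listing in
this report's layout (a path line, then MD5/SHA1/SHA256/SHA512 lines, with
memory/<pid>-... dump names interleaved) and separate the dropped tor bundle,
whose hashes are stable across detonations, from tor's runtime state under
\tor\data\, which is rewritten as the client bootstraps and so hashes
differently every run. SAMPLE_LISTING is copied from the behavioral5 Files
section of this report."""
import re

HASH_LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return ([(path, {alg: hexdigest}), ...], [memory dump names])."""
    entries, memory_regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            memory_regions.append(line)
            current = None                   # dump names never carry hash lines
            continue
        m = HASH_LINE_RE.match(line)
        if m:
            alg, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != DIGEST_LEN[alg]:
                raise ValueError(f"{alg} digest of wrong length for {current[0]}")
            current[1][alg] = digest
            continue
        current = (line, {})                 # anything else is a file path
        entries.append(current)
    return entries, memory_regions


def classify(entries):
    """Split entries into stable dropped files and tor's volatile data directory,
    keeping every hash set seen for a path (a path can be listed more than once)."""
    stable, volatile = {}, {}
    for path, hashes in entries:
        bucket = volatile if "\\tor\\data\\" in path.lower() else stable
        bucket.setdefault(path, []).append(hashes)
    return stable, volatile


def rewritten_paths(bucket):
    """Paths listed with more than one distinct SHA256, i.e. rewritten during the run."""
    return sorted(p for p, sets in bucket.items()
                  if len({h.get("SHA256") for h in sets}) > 1)


def blocklist_iocs(stable):
    """(path, SHA256) pairs from the stable bucket: the ones worth a hash blocklist."""
    return sorted((p, sets[0]["SHA256"]) for p, sets in stable.items())


SAMPLE_LISTING = r"""
memory/1972-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/3544-33-0x0000000000F70000-0x0000000001374000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 8345450027bae29fd073471cc044b772
SHA1 4eb0fcfd3bca8a178e67186c5e0bffd52c207097
SHA256 2400c4cf6c4ef4aa4b62b3d912fb8835ff22a9deb4a3283a087a461bd03327b5
SHA512 afb9b440f20252ec1b8bd24ff3b4f9cf3357dc1a7582cf660027d90f396d050b98074c62a28f670c4a565eea58c073cbcd928c246303085c0a6a8108c8b1ff72

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 f2008d7c90885b211959d37bc8449978
SHA1 2e5106350b89ddbc54637ff80bf0d34ca673ff38
SHA256 bec4e593a234c56d26b6315843fc802ee13217dde2c64f299d844f5800903817
SHA512 b22e030c9b99ed27e4857a4961ee4e44855207bd515ce7e184cc80152170ed8ccb83791503a2ad2b6723e506db5feb77337059a8f71f2cdd2d5e8ca18eadfc79
"""

if __name__ == "__main__":
    entries, dumps = parse_files_section(SAMPLE_LISTING)
    stable, volatile = classify(entries)
    print(len(dumps), "memory dumps;", len(stable), "stable paths;", len(volatile), "volatile paths")
    print("rewritten during run:", rewritten_paths(volatile))
    for path, sha256 in blocklist_iocs(stable):
        print(sha256, path)
```

The digest-length check is there because hashes in these listings are copied around by hand; a truncated SHA256 that silently ends up on a blocklist matches nothing.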

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:48

Platform

win10-20240404-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(7 matches; no description, indicator, process or target recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A (22 identical rows; each is a DLL load by the dropped dllhost.exe, and the loaded DLL is not recorded)

UPX packed file

upx
Description Indicator Process Target
(49 matches; no description, indicator, process or target recorded for any of them)

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3384 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3384 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3384 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3384 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3384 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3384 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3384 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3384 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto
FR 37.187.20.59:443 tcp
FR 178.33.183.251:443 tcp
US 8.8.8.8:53 59.20.187.37.in-addr.arpa udp
FR 188.138.88.42:443 tcp
DE 193.23.244.244:443 tcp
N/A 127.0.0.1:49819 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 244.244.23.193.in-addr.arpa udp
DE 173.249.8.113:443 tcp
LT 176.223.141.106:443 tcp
US 8.8.8.8:53 113.8.249.173.in-addr.arpa udp
US 8.8.8.8:53 106.141.223.176.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 209.133.206.38:443 tcp
NL 51.158.238.104:443 tcp
CH 31.164.215.246:443 tcp
US 8.8.8.8:53 246.215.164.31.in-addr.arpa udp
US 8.8.8.8:53 38.206.133.209.in-addr.arpa udp
US 8.8.8.8:53 104.238.158.51.in-addr.arpa udp
N/A 127.0.0.1:49934 tcp
N/A 127.0.0.1:49970 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

memory/3384-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/3384-1-0x0000000073CF0000-0x0000000073D2A000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/3020-28-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/3020-31-0x0000000073240000-0x000000007330E000-memory.dmp

memory/3020-33-0x00000000731C0000-0x00000000731E4000-memory.dmp

memory/3020-34-0x0000000073130000-0x00000000731B8000-memory.dmp

memory/3020-35-0x0000000073020000-0x000000007312A000-memory.dmp

memory/3020-36-0x0000000072D50000-0x000000007301F000-memory.dmp

memory/3020-32-0x00000000731F0000-0x0000000073239000-memory.dmp

\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/3020-40-0x0000000001E60000-0x000000000212F000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

memory/3020-41-0x0000000073310000-0x00000000733D8000-memory.dmp

\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/3384-42-0x0000000072A60000-0x0000000072A9A000-memory.dmp

memory/3020-43-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/3020-45-0x0000000073240000-0x000000007330E000-memory.dmp

memory/3020-50-0x0000000072D50000-0x000000007301F000-memory.dmp

memory/3384-51-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/3020-52-0x0000000000D90000-0x0000000001194000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/3020-61-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/3020-69-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/3020-77-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/3384-85-0x00000000735F0000-0x000000007362A000-memory.dmp

memory/3020-86-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/3020-98-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/3020-106-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/3020-114-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/2648-136-0x0000000073310000-0x00000000733D8000-memory.dmp

memory/2648-138-0x0000000073240000-0x000000007330E000-memory.dmp

memory/2648-142-0x00000000731C0000-0x00000000731E4000-memory.dmp

memory/2648-144-0x0000000073020000-0x000000007312A000-memory.dmp

memory/3020-147-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/2648-146-0x0000000073130000-0x00000000731B8000-memory.dmp

memory/2648-149-0x0000000072D50000-0x000000007301F000-memory.dmp

memory/2648-140-0x00000000731F0000-0x0000000073239000-memory.dmp

memory/2648-156-0x00000000731C0000-0x00000000731E4000-memory.dmp

memory/2648-157-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/2648-158-0x0000000073310000-0x00000000733D8000-memory.dmp

memory/2648-159-0x0000000073240000-0x000000007330E000-memory.dmp

memory/4912-171-0x0000000073510000-0x00000000737DF000-memory.dmp

memory/4912-174-0x0000000073CB0000-0x0000000073CD4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 77d944e433f6b4e502f89d86fb13e71a
SHA1 d81515388d50d808d3f86085e071ca3ba664fc8e
SHA256 9236948b3f2bbd1c696bb4fcd2487511b7fe7afebaaa5606347098b7f0da5845
SHA512 7f80b69c8f3ddae491d565b7a39ac753008f14240ff0650cb8d0953b42fda745f28a4c6eaf703f127ee95b412bc18d8765203d978d17f7d6f32eb26b41aa0033

memory/4912-180-0x00000000731D0000-0x0000000073258000-memory.dmp

memory/4912-181-0x0000000073370000-0x000000007343E000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 ad284d376100daf23e435fb0b628cfb2
SHA1 0a93d9076d4915920330b623279ed7f9f1fa16f0
SHA256 627fcb8345acb2e552c1054326b715d7468d71298c7100ecb8ab9a6ceaec958f
SHA512 202ccb2a52828b82c5657ea3f001d99a5a8f763b05304a8ef64ddc2d144c944f6207895d305425a01cb4359548cbe3dd03056e363cf41dd9d21f9d0ef3702456

memory/4912-175-0x0000000073260000-0x000000007336A000-memory.dmp

memory/4912-172-0x0000000073440000-0x0000000073508000-memory.dmp

memory/4912-173-0x0000000073CE0000-0x0000000073D29000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 39caea1b8ac5a8fe3ebc70010449d460
SHA1 0cea565a242c2471e0f37b637f74b0056ac0d8e8
SHA256 20b39031abc132da722e2aa3cfe70c064cc6cc0a8c7b3c3c4a2095f1965970e3
SHA512 b1e04c80c16e15a4764bcb15132b30c751abbd8a3d3db65f87958cec7055c9440e26c3550e4a8c9f7a134d2165b740fce83e1056e44ac6084e971ac2051e3878

memory/3384-197-0x0000000072F30000-0x0000000072F6A000-memory.dmp

memory/4912-198-0x0000000000D90000-0x0000000001194000-memory.dmp

memory/4912-207-0x0000000073510000-0x00000000737DF000-memory.dmp

memory/4912-208-0x0000000073440000-0x0000000073508000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:48

Platform

win7-20231129-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(7 matches; no description, indicator, process or target recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A (2 rows)
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A (7 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A (1 row)
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A (7 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A (1 row)
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A (7 rows)
(25 rows in total, shown here in their original order with consecutive identical rows counted; the loaded DLL is not recorded in any of them)

UPX packed file

upx
Description Indicator Process Target
(52 matches; no description, indicator, process or target recorded for any of them)

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1988 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1988 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto
CZ 31.31.78.49:443 tcp
N/A 127.0.0.1:49215 tcp
FR 62.210.254.132:443 tcp
US 64.79.152.132:443 tcp
N/A 127.0.0.1:45808 tcp
US 96.253.78.108:443 tcp
US 154.35.175.225:443 tcp
N/A 127.0.0.1:45808 tcp
NL 45.66.33.45:443 tcp
FR 95.128.43.164:443 tcp
DE 167.86.127.130:443 tcp
US 128.135.164.40:443 tcp
N/A 127.0.0.1:49295 tcp
N/A 127.0.0.1:45808 tcp
US 172.241.229.13:443 tcp
DE 88.198.35.49:443 tcp
N/A 127.0.0.1:49360 tcp

Files

memory/1988-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/1988-18-0x00000000044E0000-0x00000000048E4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/2712-38-0x0000000000DC0000-0x00000000011C4000-memory.dmp

\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 42d47a1d044842177dc3aa0d27459d01
SHA1 587cceb2e5d072656fd3a3ab100f5a704722aa9e
SHA256 d1392c2f5e77c55ef3e7ce800a2f56dde02d753393f77147b238c44e4e240977
SHA512 3fe7b5fd5f28375ca76a04485920f8a95ca3605fd36fc7a94c486ddc1ada8702bcc8975f0d259be3e6187921d839714fb2d2889891841ab2be6402a880bfccf5

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 f6ae420060b40d0f6f30af716116c002
SHA1 1baa7725fd6ac7d4561b646da7b150b119982bef
SHA256 34acb50d7355665e7f2acbd49e1b6ad6711f72199dbc3eb1162366397a29c883
SHA512 dd5125d1a6881126839ed0263e4c2c22bc0dc1d5ee8105f15bb83318b9150ae30c0283a6b4d977347ae6ddf00d8fc96ce701572e3f8ecce700f49e93e00d619d
