Analysis Overview
SHA256
8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
Threat Level: Known bad
The file 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2 was found to be: Known bad.
Malicious Activity Summary
BitRAT
Bitrat family
BitRAT payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Uses Tor communications
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-04-26 06:45
Signatures
BitRAT payload
Bitrat family
Unsigned PE
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:51
Platform
win10v2004-20240412-en
Max time kernel
295s
Max time network
302s
Command Line
Signatures
BitRAT
BitRAT payload
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
Loads dropped DLL
UPX packed file
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
Network
Files
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:50
Platform
win11-20240412-en
Max time kernel
297s
Max time network
301s
Command Line
Signatures
BitRAT
BitRAT payload
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
Loads dropped DLL
UPX packed file
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
Network
Files
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
| MD5 | 83ebf71835b5a5139c68caec74b3eb52 |
| SHA1 | fcfe555c238d42c6731345010426f0d06d0ffca3 |
| SHA256 | cca655d1b5b64ba5f965873ceff6ce8782400483ac12c05a4d6ff4896a8f671c |
| SHA512 | a905a018d25ddcf0ff2d06a441dad198ce993f2a0e371f5bf3d28bac3173040311e817c96f42d604f8fc212b63a675b481cafd58a782b13a542b1893f4e2af17 |
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 0c1315a5cb05aa88b872b2922e056336 |
| SHA1 | 30ea561c655524ba502ab3fbf6d9de3a07bd8c49 |
| SHA256 | 8b82b23f493d7095a1d23feb61bb81695aa2b5a912fd80e08321951cbe45f373 |
| SHA512 | d6fce30c969a0ea790a31081e944f33bc113a704d7c4aaef7ee67d5fde70af2e07949f6629cc2d39230b345a898e9b9298d011259e418945e0fe870e0e76fba7 |
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | d29fdd6ff41e4213c593c4bb430d4542 |
| SHA1 | 3819d6ea47323e68e80f29ba4594e9e10875f919 |
| SHA256 | 9544189a1cd9dbc0f57549439bd6ee62020760f4ccc33ca9c68a3b457acfdb5f |
| SHA512 | 43c00430f3a32f303c2375eb26480621a114e51d737a33f42b520cefa0c9cffb76b000eafc8cab00e129bc49a1811fb2d62e1e8b07e77ecf4d5d7c746e1f2393 |
memory/3028-184-0x0000000073A30000-0x0000000073A6C000-memory.dmp
memory/3932-185-0x0000000074000000-0x00000000742CF000-memory.dmp
memory/3932-194-0x0000000000560000-0x0000000000964000-memory.dmp
memory/3932-195-0x0000000073F30000-0x0000000073FF8000-memory.dmp
memory/3932-240-0x0000000000560000-0x0000000000964000-memory.dmp
memory/3548-241-0x0000000000560000-0x0000000000964000-memory.dmp
memory/3548-245-0x0000000073F30000-0x0000000073FF8000-memory.dmp
memory/3548-244-0x0000000074000000-0x00000000742CF000-memory.dmp
memory/3548-246-0x0000000073C40000-0x0000000073D0E000-memory.dmp
memory/3548-247-0x0000000073EE0000-0x0000000073F29000-memory.dmp
memory/3548-249-0x0000000073DA0000-0x0000000073EAA000-memory.dmp
memory/3548-248-0x0000000073EB0000-0x0000000073ED4000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | eecacceb8836292ebfcb3993a1dc6216 |
| SHA1 | cb37d4d8020f7b88c5b9b40288393c28d2046113 |
| SHA256 | 78fad745dc6c57c8728abc61d88d5857903b634b097b2137a085e344aa08a999 |
| SHA512 | 94bc56b0f05fc8d38d604daa2d02c8c701b8ea775cfdcc564b4a5dc75c2e223a9b0679e131162ac2a384bbe0487f57d5087a1bc5fec028147d7139eaf742a5e9 |
memory/3548-250-0x0000000073D10000-0x0000000073D98000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | f38719968f0ef122ff36fd1eefb082e7 |
| SHA1 | 6cd695823ff015cae1b3fd30033900f8b3d15762 |
| SHA256 | 50a93e19abb4a42d088cd7eed116fb7f82234179f58f20ab369722c6fc9b4da6 |
| SHA512 | b56a8fade69f34857986e573b6a3b6458beb33a6f39eacd12f425a9c096b10e61633af8e1071e1d2745831d704c36d9045c916ff68ab13194915b1662221c162 |
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs
| MD5 | 10cbc86f0c7854243b5d712e66c7667a |
| SHA1 | d442bf4ba4a2932ca36067cef0fda1f97705f2c1 |
| SHA256 | dcd65938828e3f7045fa70313097429f15ab3c1cbbb08a954e0402a0618dea0f |
| SHA512 | 645631d6aac1ddb9e8cfcb53699418b9f37e7725cd7707e0010fee71aada49439ad2a16e17f88b616d39cc0d18f3c23711c1a579954039dc4b93968a4e5ae9f7 |
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 84421cec86ae6818f2e4a6a55282eb11 |
| SHA1 | a8f2abd0f7c1852b3aa107ff8076d376f29376e9 |
| SHA256 | e41728a293bc8410592810f1e5c019d8cdd3763cb38ce3db6f8fae54c05c8161 |
| SHA512 | c4ffad90dffbada13b8662724346ab0f8fe3caaaade83e57179cdac00ef4a31a82ee3046afa9749c3c596365836d43dd9d5a9f17502a2a9c2c865cd757b4d2b0 |
memory/3028-279-0x0000000073A30000-0x0000000073A6C000-memory.dmp
memory/3548-280-0x0000000000560000-0x0000000000964000-memory.dmp
memory/3548-281-0x0000000074000000-0x00000000742CF000-memory.dmp
memory/3028-302-0x0000000074C30000-0x0000000074C6C000-memory.dmp
memory/3028-314-0x00000000737A0000-0x00000000737DC000-memory.dmp
memory/2524-344-0x0000000073C40000-0x0000000073D0E000-memory.dmp
memory/2524-346-0x0000000073EE0000-0x0000000073F29000-memory.dmp
memory/2524-348-0x0000000073EB0000-0x0000000073ED4000-memory.dmp
memory/3548-350-0x0000000000560000-0x0000000000964000-memory.dmp
memory/2524-352-0x0000000073D10000-0x0000000073D98000-memory.dmp
memory/2524-351-0x0000000073DA0000-0x0000000073EAA000-memory.dmp
memory/2524-353-0x0000000074000000-0x00000000742CF000-memory.dmp
memory/2524-364-0x0000000000560000-0x0000000000964000-memory.dmp
memory/2524-363-0x0000000073D10000-0x0000000073D98000-memory.dmp
memory/2524-362-0x0000000073DA0000-0x0000000073EAA000-memory.dmp
memory/2524-366-0x0000000073C40000-0x0000000073D0E000-memory.dmp
memory/2524-365-0x0000000073F30000-0x0000000073FF8000-memory.dmp
memory/2524-367-0x0000000073EE0000-0x0000000073F29000-memory.dmp
memory/2524-368-0x0000000073EB0000-0x0000000073ED4000-memory.dmp
memory/1168-372-0x0000000000560000-0x0000000000964000-memory.dmp
memory/1168-374-0x0000000073F30000-0x0000000073FF8000-memory.dmp
memory/1168-373-0x0000000074000000-0x00000000742CF000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:50
Platform
win10-20240404-en
Max time kernel
299s
Max time network
302s
Command Line
Signatures
BitRAT
BitRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(7 identical hits recorded for this signature, no details given)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 identical hits recorded for this signature, no details given)
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
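The process list above shows the pattern worth detecting on an endpoint: a Tor client renamed dllhost.exe, staged under %LOCALAPPDATA%\<8 hex chars>\tor\, and started with "-f torrc". The following is an added detection example, not sandbox output and not code from the sample; the event records are constructed to mimic process-creation telemetry (Sysmon Event ID 1 style fields), and the dropped-file hashes are copied from the Files section of this report.

```python
"""Detect the renamed-Tor launch pattern from this report.
Added example; event records below are constructed, not real telemetry."""
from __future__ import annotations
import re
from dataclasses import dataclass

# SHA256 values of dropped files as listed in the report's Files section.
DROPPED_SHA256 = {
    "f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5": "dllhost.exe (tor)",
    "c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369": "libcrypto-1_1.dll",
    "b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838": "libevent-2-1-6.dll",
}

# The genuine dllhost.exe (COM Surrogate) lives only in these directories.
LEGIT_DLLHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Staging directory pattern seen in the report: ...\AppData\Local\8123e463\tor\
STAGING_DIR_RE = re.compile(r"\\appdata\\local\\[0-9a-f]{8}\\tor\\", re.I)
# Tor's "-f <config>" argument with the bare file name torrc, as in the process list.
TORRC_ARG_RE = re.compile(r"(?:^|\s)-f\s+torrc(?:\s|$)", re.I)


@dataclass
class ProcEvent:
    image: str          # full path of the started executable
    cmdline: str        # command line as logged
    sha256: str = ""    # hash of the image, if the sensor records one


def classify(ev: ProcEvent) -> list[str]:
    """Return the indicators that fire for one event (empty list if none)."""
    image = ev.image.lower()
    reasons: list[str] = []
    if image.rsplit("\\", 1)[-1] == "dllhost.exe" and not image.startswith(LEGIT_DLLHOST_DIRS):
        reasons.append("dllhost.exe outside System32/SysWOW64")
    if TORRC_ARG_RE.search(ev.cmdline):
        reasons.append("tor-style '-f torrc' argument")
    if STAGING_DIR_RE.search(image):
        reasons.append("AppData\\Local\\<hex8>\\tor\\ staging path")
    if ev.sha256.lower() in DROPPED_SHA256:
        reasons.append("hash matches dropped " + DROPPED_SHA256[ev.sha256.lower()])
    return reasons


def scan(events: list[ProcEvent], min_hits: int = 2) -> list[tuple[str, list[str]]]:
    """Alert on events where at least min_hits indicators fire; a single weak
    indicator (a legitimately installed tor.exe run with -f torrc) is not enough."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if len(reasons) >= min_hits:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample events: a benign COM Surrogate start, a benign Tor
# install at a hypothetical path, and the launch recorded in this report.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\dllhost.exe",
              "C:\\Windows\\System32\\dllhost.exe /Processid:{constructed-guid}"),
    ProcEvent("C:\\Program Files\\Tor\\tor.exe",
              '"C:\\Program Files\\Tor\\tor.exe" -f torrc'),
    ProcEvent("C:\\Users\\Admin\\AppData\\Local\\8123e463\\tor\\dllhost.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\8123e463\\tor\\dllhost.exe" -f torrc',
              "f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5"),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only the report's own launch reaches the two-indicator threshold; the benign tor.exe trips the argument check alone and stays below it. The hash match is the weakest signal operationally, since the Tor binaries are stock builds that any repack can replace, while the path and argument checks survive a rebuild of the dropper.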
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49795 | | tcp |
| NL | 80.127.137.19:443 | | tcp |
| FR | 163.172.53.84:443 | | tcp |
| NL | 185.246.152.22:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| GR | 185.4.132.148:443 | | tcp |
| US | 204.13.164.118:443 | | tcp |
| US | 8.8.8.8:53 | 148.132.4.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.164.13.204.in-addr.arpa | udp |
| DE | 94.16.120.204:443 | | tcp |
| US | 15.204.14.102:443 | | tcp |
| US | 8.8.8.8:53 | 204.120.16.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.14.204.15.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:49909 | | tcp |
| DK | 185.96.180.29:443 | | tcp |
| NL | 45.94.31.54:443 | | tcp |
| US | 64.176.210.130:443 | | tcp |
| N/A | 127.0.0.1:49949 | | tcp |
| US | 8.8.8.8:53 | 130.210.176.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.31.94.45.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 66.229.138.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:50028 | | tcp |
| N/A | 127.0.0.1:50068 | | tcp |
| CZ | 195.123.245.141:443 | | tcp |
| US | 172.233.129.176:443 | | tcp |
| US | 172.96.172.157:443 | | tcp |
| US | 8.8.8.8:53 | 141.245.123.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.172.96.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.129.233.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:50150 | | tcp |
| N/A | 127.0.0.1:50174 | | tcp |
| SE | 171.25.193.25:443 | | tcp |
| US | 15.204.141.10:443 | | tcp |
| GB | 213.171.194.25:443 | | tcp |
| US | 8.8.8.8:53 | 25.194.171.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.193.25.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.141.204.15.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:50249 | | tcp |
| US | 50.7.74.172:443 | | tcp |
| DE | 82.165.116.173:443 | | tcp |
| GB | 213.171.194.25:443 | | tcp |
| N/A | 127.0.0.1:50275 | | tcp |
| US | 8.8.8.8:53 | 173.116.165.82.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
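The network table mixes three kinds of rows: the Tor client's TCP circuits to relays on port 443, the sandbox's own reverse-DNS (PTR) queries for those relay addresses, and loopback connections, one port of which recurs throughout the run. The parser below, an added example that is not part of the report, pulls those apart and joins each PTR query back to the TCP destination it names. It accepts both the table as extracted (protocol landed in the Domain column on TCP rows, last row missing a cell) and the corrected four-column layout; the embedded rows are a constructed subset of the behavioral1 table, with one row re-laid-out to exercise the second form.

```python
"""Parse this report's Network table and correlate PTR lookups with TCP
destinations. Added example; the sample rows are a constructed subset."""
from __future__ import annotations
import re
from collections import Counter

# Constructed subset of the behavioral1 Network table, in both layouts.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49795 | tcp | |
| NL | 80.127.137.19:443 | tcp | |
| GR | 185.4.132.148:443 | | tcp |
| US | 204.13.164.118:443 | tcp | |
| US | 8.8.8.8:53 | 148.132.4.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.164.13.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp |
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)
PROTOS = {"tcp", "udp"}


def parse_row(line: str) -> dict:
    """Split one table row; Domain and Proto may appear in either column."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    country, dest = cells[0], cells[1]
    rest = [c for c in cells[2:] if c]                      # drop empty cells
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c.lower() not in PROTOS), "")
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host, "port": int(port), "proto": proto, "domain": domain}


def parse_table(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        if not line.lstrip().startswith("|") or "Destination" in line:
            continue                                        # skip header / non-table lines
        rows.append(parse_row(line))
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'148.132.4.185.in-addr.arpa' -> '185.4.132.148'; None if not a PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(text: str) -> dict:
    rows = parse_table(text)
    external = {r["host"] for r in rows if r["proto"] == "tcp" and not r["host"].startswith("127.")}
    loopback = Counter(r["port"] for r in rows if r["host"].startswith("127."))
    ptr_ips = {ptr_to_ip(r["domain"]) for r in rows if r["proto"] == "udp"} - {None}
    return {
        "external_tcp": sorted(external),                  # relay candidates for blocking/hunting
        "loopback_port_reuse": loopback.most_common(1)[0] if loopback else None,
        "ptr_matched": sorted(external & ptr_ips),         # lookups explained by a listed connection
        "ptr_unmatched": sorted(ptr_ips - external),       # lookups for hosts not in the TCP list
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TABLE).items():
        print(key, value)
```

Two things fall out that the raw table hides. First, most PTR queries are simply the sandbox resolving the relay addresses it just saw, so they are not indicators in their own right; a PTR name with no matching TCP row is the exception worth a second look, since it belongs to traffic the table does not list. Second, the loopback port that recurs across the whole run (45808 in both detonations) is, by inference, the port over which the implant talks to its bundled Tor client; the report does not identify it, so treat that as an assumption rather than a documented fact.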
Files
memory/512-0-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/512-1-0x0000000073BA0000-0x0000000073BDA000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
memory/2852-31-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/2852-32-0x0000000073170000-0x00000000731B9000-memory.dmp
memory/2852-33-0x00000000730A0000-0x0000000073168000-memory.dmp
memory/2852-34-0x0000000073070000-0x0000000073094000-memory.dmp
memory/2852-35-0x0000000072F60000-0x000000007306A000-memory.dmp
memory/2852-40-0x0000000072C90000-0x0000000072F5F000-memory.dmp
memory/2852-37-0x00000000012B0000-0x000000000157F000-memory.dmp
memory/2852-42-0x0000000000C00000-0x0000000000C88000-memory.dmp
memory/2852-41-0x0000000072C00000-0x0000000072C88000-memory.dmp
memory/2852-43-0x00000000731C0000-0x000000007328E000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
| MD5 | 22ec9e4c1cdf6aca7b2997be93f46645 |
| SHA1 | df0a0e3373fc514518b70adfebc86c23c3f04bf8 |
| SHA256 | b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4 |
| SHA512 | d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94 |
memory/512-44-0x0000000072930000-0x000000007296A000-memory.dmp
memory/2852-45-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/2852-48-0x00000000730A0000-0x0000000073168000-memory.dmp
memory/2852-51-0x0000000072C90000-0x0000000072F5F000-memory.dmp
memory/512-53-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/2852-54-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/2852-55-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/2852-63-0x00000000012B0000-0x000000000157F000-memory.dmp
memory/2852-64-0x0000000000C00000-0x0000000000C88000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
| MD5 | e0c532df4b63edb19c242ef478980308 |
| SHA1 | e62c4db641e976bac705db9d547d213ff2c49217 |
| SHA256 | 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7 |
| SHA512 | da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e |
memory/2852-73-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/2852-81-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/512-89-0x00000000734A0000-0x00000000734DA000-memory.dmp
memory/2852-90-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/2852-101-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/2852-109-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/2852-117-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/3560-143-0x00000000730A0000-0x0000000073168000-memory.dmp
memory/3560-142-0x0000000072C90000-0x0000000072F5F000-memory.dmp
memory/3560-140-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/3560-146-0x00000000731C0000-0x000000007328E000-memory.dmp
memory/3560-152-0x0000000073070000-0x0000000073094000-memory.dmp
memory/2852-151-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/3560-149-0x0000000073170000-0x00000000731B9000-memory.dmp
memory/3560-154-0x0000000072F60000-0x000000007306A000-memory.dmp
memory/3560-156-0x0000000072C00000-0x0000000072C88000-memory.dmp
memory/3560-161-0x0000000072C90000-0x0000000072F5F000-memory.dmp
memory/3560-160-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/3156-175-0x0000000073B90000-0x0000000073BD9000-memory.dmp
memory/3156-176-0x0000000073B60000-0x0000000073B84000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | 3462ada9c04195c4646f378d48f30dc3 |
| SHA1 | 09473bc71e21a14ebf2c951fc59a490dfad4f19f |
| SHA256 | e9095206ccd0eace4f9db4416b0dd7c1412845447f8e299072ef7f9977c1df67 |
| SHA512 | 7f99a619e4bca8545e8be6cb1d63c8697f8fa2472253f07a42933ac5d0042b2bea9d7c8b41337709343765d2c916602fbb034741900da1e1b7f49c8374b1302c |
memory/3156-182-0x0000000073150000-0x00000000731D8000-memory.dmp
memory/3156-183-0x0000000073080000-0x000000007314E000-memory.dmp
memory/3156-181-0x00000000731E0000-0x00000000732EA000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
| MD5 | 31169be22008dac1e39e2b15c4153695 |
| SHA1 | 1e3a31a8c8dc2815aec3d8713566a3cca5fc0461 |
| SHA256 | 7f6b44eb05543fc103e0421ddf48d4545f63eebf249b72fbd507acb21c5e37f4 |
| SHA512 | 57e307872172595b4956b51cb30c707997b383c810e109602592b8eb083e52f1a2021006fc9bdd9554358578d03cbd24197f5f955160bda0c9cc883d7c41615d |
memory/3156-184-0x00000000733C0000-0x000000007368F000-memory.dmp
memory/3156-174-0x00000000732F0000-0x00000000733B8000-memory.dmp
memory/3156-173-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/512-196-0x0000000072DE0000-0x0000000072E1A000-memory.dmp
memory/3156-197-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/3156-206-0x00000000732F0000-0x00000000733B8000-memory.dmp
memory/4244-244-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/4244-246-0x00000000732F0000-0x00000000733B8000-memory.dmp
memory/4244-247-0x0000000073080000-0x000000007314E000-memory.dmp
memory/4244-255-0x00000000731E0000-0x00000000732EA000-memory.dmp
memory/4244-252-0x0000000073B60000-0x0000000073B84000-memory.dmp
memory/4244-250-0x0000000073B90000-0x0000000073BD9000-memory.dmp
memory/4244-257-0x0000000073150000-0x00000000731D8000-memory.dmp
memory/4244-261-0x00000000733C0000-0x000000007368F000-memory.dmp
memory/3156-259-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/4244-267-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/4244-268-0x00000000732F0000-0x00000000733B8000-memory.dmp
memory/4244-269-0x0000000073080000-0x000000007314E000-memory.dmp
memory/3220-283-0x0000000073B90000-0x0000000073BD9000-memory.dmp
memory/3220-282-0x00000000732F0000-0x00000000733B8000-memory.dmp
memory/3220-284-0x0000000073B60000-0x0000000073B84000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | ee4000ca999e713d1992ff05b2803080 |
| SHA1 | e4491327c73648478448108c3c451d1c223cd6da |
| SHA256 | e5f9d3abfbb605a792025ae88eadb1297b62bd3f1667c92f8d1f90f9b560a685 |
| SHA512 | 35b62550774562fdca66f16796584a6d3327116b2498e4daca8423993b0c7d0fe445477c82e904da4d7e9389cbfd271962c52ec49328fb5d8539c34ea7812288 |
memory/3220-285-0x00000000731E0000-0x00000000732EA000-memory.dmp
memory/3220-288-0x0000000073150000-0x00000000731D8000-memory.dmp
memory/3220-289-0x00000000016D0000-0x0000000001758000-memory.dmp
memory/3220-290-0x0000000073080000-0x000000007314E000-memory.dmp
memory/3220-291-0x00000000733C0000-0x000000007368F000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 4f985be34da5fe805563392f5e7c111e |
| SHA1 | 13fbb87787dbdd590e6022ff6b74c2cd3f7006a0 |
| SHA256 | 161b9f47e5a2bf989a12fa054831f33e1911088c216f74a7c7b0f0e76369174a |
| SHA512 | c74da445621cb3a4d4bd573b49487b360ee1552365d1cf7d84e6bfc462fb08158f530670e8702360bbca3aa78ea2f070553e04b93fb5330859fbb62efcf4f237 |
memory/512-306-0x0000000072DE0000-0x0000000072E1A000-memory.dmp
memory/512-307-0x0000000073BA0000-0x0000000073BDA000-memory.dmp
memory/3220-308-0x0000000000CA0000-0x00000000010A4000-memory.dmp
memory/3220-317-0x00000000732F0000-0x00000000733B8000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | da495e01c31bcc994915c8be83f38e7f |
| SHA1 | 99f6b5f6b79977ff1ca1b7fb3a70fad21bec703b |
| SHA256 | 8185b79b05ef85f52176c6873ce24fb0a58d4d1df19a4e4fd5d81e0d2bbe52e2 |
| SHA512 | 0eed608535acaff65fbd0766a8f0f19fe9ca965170c77fd3238b6409cd729585d70cea043980374f02edf190acddcee1b3fcb25630400a2143dd13d069b31aa8 |
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 9a679924f74257b83913acbbfc0e8e00 |
| SHA1 | 9445ff04c262c2d610c59e6f11d0ce23d18af24b |
| SHA256 | 41d406a792183f12276ae1d5ecdf044e48aec13d23415d7dedd9a575c9ce15a9 |
| SHA512 | dc3e57359a1daa9223ad96cf3f9897c3fbc9afe8e5e0cb8ca69a03ee601a34615dcdc37dcf9279963611f7399fab2c0137213d81aaf47dc706367f544d091e63 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:50
Platform
win7-20240215-en
Max time kernel
296s
Max time network
301s
Command Line
Signatures
BitRAT
BitRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(7 identical hits recorded for this signature, no details given)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 identical hits recorded for this signature, no details given)
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49224 | | tcp |
| FR | 217.182.51.248:443 | | tcp |
| NL | 77.247.181.164:443 | | tcp |
| DE | 46.165.230.5:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 107.155.81.178:443 | | tcp |
| GB | 181.215.32.138:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49306 | | tcp |
| LU | 92.38.163.21:443 | | tcp |
| NL | 45.94.31.54:443 | | tcp |
| CH | 213.144.135.21:443 | | tcp |
| N/A | 127.0.0.1:49348 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49417 | | tcp |
| FR | 163.172.139.104:443 | | tcp |
| IT | 152.89.170.188:443 | | tcp |
| CH | 31.164.215.246:443 | | tcp |
| N/A | 127.0.0.1:49465 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49518 | | tcp |
| N/A | 127.0.0.1:49549 | | tcp |
| US | 50.7.74.170:443 | | tcp |
| US | 162.251.116.50:443 | | tcp |
| FI | 95.217.112.243:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49607 | | tcp |
| N/A | 127.0.0.1:49638 | | tcp |
| LU | 92.38.163.21:443 | | tcp |
| US | 108.181.132.245:443 | | tcp |
| DE | 193.31.27.59:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49694 | | tcp |
| DE | 46.182.21.248:443 | | tcp |
| US | 108.181.132.245:443 | | tcp |
| NL | 45.94.31.54:443 | | tcp |
| N/A | 127.0.0.1:49726 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49782 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 50.7.74.172:443 | | tcp |
| DE | 173.249.8.113:443 | | tcp |
| CH | 31.164.215.246:443 | | tcp |
| N/A | 127.0.0.1:49849 | | tcp |
Files
memory/1972-0-0x0000000000400000-0x0000000000FBD000-memory.dmp
\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
| MD5 | 22ec9e4c1cdf6aca7b2997be93f46645 |
| SHA1 | df0a0e3373fc514518b70adfebc86c23c3f04bf8 |
| SHA256 | b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4 |
| SHA512 | d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94 |
memory/1972-33-0x00000000044F0000-0x00000000048F4000-memory.dmp
memory/1964-34-0x0000000001240000-0x0000000001644000-memory.dmp
memory/1964-38-0x0000000074CF0000-0x0000000074D39000-memory.dmp
memory/1964-37-0x0000000074790000-0x0000000074A5F000-memory.dmp
memory/1964-39-0x00000000746C0000-0x0000000074788000-memory.dmp
memory/1964-40-0x00000000745B0000-0x00000000746BA000-memory.dmp
memory/1964-41-0x0000000074C60000-0x0000000074CE8000-memory.dmp
memory/1964-42-0x00000000744E0000-0x00000000745AE000-memory.dmp
memory/1964-43-0x0000000074D90000-0x0000000074DB4000-memory.dmp
memory/1972-44-0x00000000044F0000-0x00000000048F4000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
| MD5 | e0c532df4b63edb19c242ef478980308 |
| SHA1 | e62c4db641e976bac705db9d547d213ff2c49217 |
| SHA256 | 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7 |
| SHA512 | da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e |
memory/1964-53-0x0000000001240000-0x0000000001644000-memory.dmp
memory/1964-54-0x0000000074790000-0x0000000074A5F000-memory.dmp
memory/1972-61-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/1972-62-0x00000000044F0000-0x00000000048F4000-memory.dmp
memory/1964-63-0x0000000001240000-0x0000000001644000-memory.dmp
memory/1964-71-0x0000000001240000-0x0000000001644000-memory.dmp
memory/1972-72-0x00000000044F0000-0x00000000048F4000-memory.dmp
memory/1964-73-0x0000000001240000-0x0000000001644000-memory.dmp
memory/1964-81-0x0000000001240000-0x0000000001644000-memory.dmp
memory/1972-109-0x0000000005220000-0x0000000005624000-memory.dmp
memory/2944-112-0x0000000001240000-0x0000000001644000-memory.dmp
memory/2944-114-0x0000000074790000-0x0000000074A5F000-memory.dmp
memory/2944-117-0x0000000074CF0000-0x0000000074D39000-memory.dmp
memory/2944-121-0x00000000746C0000-0x0000000074788000-memory.dmp
memory/2944-124-0x00000000745B0000-0x00000000746BA000-memory.dmp
memory/2944-128-0x00000000744E0000-0x00000000745AE000-memory.dmp
memory/2944-129-0x0000000074D90000-0x0000000074DB4000-memory.dmp
memory/2944-127-0x0000000074C60000-0x0000000074CE8000-memory.dmp
memory/1964-93-0x0000000001240000-0x0000000001644000-memory.dmp
memory/1972-146-0x0000000005220000-0x0000000005624000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | d1f2cf04f278120f84eb38d55698a268 |
| SHA1 | aaadb578686be939fe60b5184801d2511af55825 |
| SHA256 | bd4e5813771e5bf9b9e08108f3d891cc9cb9f229ed8b8fefea61d563e34dc882 |
| SHA512 | f9e3df1f79f8a463b720c81929705bde71d06519bad98ad73b5519c6bfe7d66209116155ed181e7a26c47992570580e27b874a72c6e2f79f89e942062e2913a9 |
memory/2076-152-0x0000000074790000-0x0000000074A5F000-memory.dmp
memory/2076-153-0x0000000074CF0000-0x0000000074D39000-memory.dmp
memory/2076-154-0x00000000746C0000-0x0000000074788000-memory.dmp
memory/2076-155-0x00000000745B0000-0x00000000746BA000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | 394712acc34a2dde4b20232eec191c08 |
| SHA1 | 740da0d29801d3c88f32ff4c4ca91b0efb16609d |
| SHA256 | a906962690f03d6451a5dfe22a965487b42c432c7c6c75f002dc846d7ccfc69b |
| SHA512 | a05f3443236d2a31ab8eb0d8b2376fac0298b395f366ef31e0d665138f9e9b96c5e8ac5bf2cad0450132e255a02ef8ccfb547313787784c6dd7c51d1290f720d |
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
| MD5 | 1d2bdf5fa83f26ed89b5e7e8890e8a9c |
| SHA1 | ba664fec451f2a4ef2f1ac718cd56b0708e3266e |
| SHA256 | 80cebed4d6bdd1e2d045faae340a9e2031200fd32159edcb3eae013ecf2d8486 |
| SHA512 | 7e005b68bb3bc0e4bc7d3783d65b5de1c931a90396c87a24a86ff04a3deaa3d9d3ef3177cfb928f88dedcd0f8f4b638ede0a21453216e95a3725c570b6828854 |
memory/2076-161-0x0000000074C60000-0x0000000074CE8000-memory.dmp
memory/2076-162-0x00000000744E0000-0x00000000745AE000-memory.dmp
memory/2076-163-0x0000000074D90000-0x0000000074DB4000-memory.dmp
memory/2076-148-0x0000000001240000-0x0000000001644000-memory.dmp
memory/2076-166-0x0000000001240000-0x0000000001644000-memory.dmp
memory/2076-174-0x0000000001240000-0x0000000001644000-memory.dmp
memory/1972-182-0x0000000005220000-0x0000000005624000-memory.dmp
memory/2076-183-0x0000000001240000-0x0000000001644000-memory.dmp
memory/1972-208-0x0000000005220000-0x0000000005624000-memory.dmp
memory/924-212-0x0000000001240000-0x0000000001644000-memory.dmp
memory/924-218-0x0000000074790000-0x0000000074A5F000-memory.dmp
memory/924-219-0x0000000074CF0000-0x0000000074D39000-memory.dmp
memory/924-221-0x00000000746C0000-0x0000000074788000-memory.dmp
memory/924-223-0x00000000745B0000-0x00000000746BA000-memory.dmp
memory/924-225-0x0000000074C60000-0x0000000074CE8000-memory.dmp
memory/924-227-0x00000000744E0000-0x00000000745AE000-memory.dmp
memory/924-229-0x0000000074D90000-0x0000000074DB4000-memory.dmp
memory/924-232-0x0000000001240000-0x0000000001644000-memory.dmp
memory/2316-247-0x00000000002E0000-0x00000000006E4000-memory.dmp
memory/2316-248-0x00000000744C0000-0x000000007478F000-memory.dmp
memory/2316-249-0x0000000074CA0000-0x0000000074CE9000-memory.dmp
memory/2316-251-0x0000000074880000-0x000000007498A000-memory.dmp
memory/2316-252-0x00000000747F0000-0x0000000074878000-memory.dmp
memory/2316-250-0x0000000074990000-0x0000000074A58000-memory.dmp
memory/2316-255-0x0000000074330000-0x00000000743FE000-memory.dmp
memory/2316-256-0x0000000074D10000-0x0000000074D34000-memory.dmp
memory/2316-276-0x00000000002E0000-0x00000000006E4000-memory.dmp
memory/2316-277-0x00000000744C0000-0x000000007478F000-memory.dmp
memory/2316-278-0x0000000074CA0000-0x0000000074CE9000-memory.dmp
memory/2316-281-0x00000000747F0000-0x0000000074878000-memory.dmp
memory/2316-280-0x0000000074880000-0x000000007498A000-memory.dmp
memory/2316-279-0x0000000074990000-0x0000000074A58000-memory.dmp
memory/2316-282-0x0000000074330000-0x00000000743FE000-memory.dmp
memory/1972-298-0x0000000005220000-0x0000000005624000-memory.dmp
memory/2912-300-0x00000000002E0000-0x00000000006E4000-memory.dmp
memory/2912-301-0x00000000744C0000-0x000000007478F000-memory.dmp
memory/2912-303-0x0000000074CA0000-0x0000000074CE9000-memory.dmp
memory/2912-306-0x0000000074990000-0x0000000074A58000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-26 06:44
Reported
2024-04-26 06:51
Platform
win10-20240404-en
Max time kernel
300s
Max time network
306s
Command Line
Signatures
BitRAT
BitRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses Tor communications
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe
"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| GR | 185.4.132.148:443 | | tcp |
| US | 8.8.8.8:53 | 148.132.4.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:49829 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| FR | 86.105.212.130:443 | | tcp |
| TR | 5.252.74.238:443 | | tcp |
| US | 135.148.100.89:443 | | tcp |
| US | 8.8.8.8:53 | 89.100.148.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.74.252.5.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FR | 37.187.102.108:443 | | tcp |
| DE | 45.142.177.89:443 | | tcp |
| US | 135.148.100.89:443 | | tcp |
| US | 8.8.8.8:53 | 89.177.142.45.in-addr.arpa | udp |
| N/A | 127.0.0.1:49945 | | tcp |
| N/A | 127.0.0.1:49983 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp |
| US | 23.141.40.7:443 | | tcp |
| NO | 185.181.60.181:443 | | tcp |
| CA | 207.134.205.114:443 | | tcp |
| US | 8.8.8.8:53 | 181.60.181.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.205.134.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.40.141.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:50067 | | tcp |
| N/A | 127.0.0.1:50104 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:50160 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| GR | 185.4.132.148:443 | | tcp |
| US | 135.148.100.89:443 | | tcp |
| DE | 88.198.35.49:443 | | tcp |
| N/A | 127.0.0.1:50186 | | tcp |
| US | 8.8.8.8:53 | 49.35.198.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:50255 | | tcp |
| NL | 77.247.181.166:443 | | tcp |
| TR | 5.252.74.238:443 | | tcp |
| FR | 51.159.179.214:443 | | tcp |
| N/A | 127.0.0.1:50283 | | tcp |
| US | 8.8.8.8:53 | 214.179.159.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
Files
memory/3272-0-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/3272-1-0x0000000073DA0000-0x0000000073DDA000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
memory/4816-17-0x0000000000090000-0x0000000000494000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/4816-32-0x00000000733C0000-0x0000000073488000-memory.dmp
memory/4816-33-0x0000000073390000-0x00000000733B4000-memory.dmp
memory/4816-35-0x0000000073270000-0x000000007333E000-memory.dmp
memory/4816-36-0x0000000073160000-0x000000007326A000-memory.dmp
memory/4816-34-0x0000000073340000-0x0000000073389000-memory.dmp
memory/4816-37-0x00000000730D0000-0x0000000073158000-memory.dmp
memory/4816-39-0x0000000001A90000-0x0000000001B18000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\torrc
| MD5 | 22ec9e4c1cdf6aca7b2997be93f46645 |
| SHA1 | df0a0e3373fc514518b70adfebc86c23c3f04bf8 |
| SHA256 | b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4 |
| SHA512 | d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94 |
memory/4816-42-0x0000000001A90000-0x0000000001D5F000-memory.dmp
memory/4816-43-0x0000000072E00000-0x00000000730CF000-memory.dmp
memory/3272-44-0x0000000072B10000-0x0000000072B4A000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp
| MD5 | e0c532df4b63edb19c242ef478980308 |
| SHA1 | e62c4db641e976bac705db9d547d213ff2c49217 |
| SHA256 | 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7 |
| SHA512 | da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e |
memory/4816-53-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4816-54-0x00000000733C0000-0x0000000073488000-memory.dmp
memory/4816-57-0x0000000073270000-0x000000007333E000-memory.dmp
memory/3272-61-0x0000000000400000-0x0000000000FBD000-memory.dmp
memory/4816-62-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4816-70-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4816-71-0x0000000001A90000-0x0000000001B18000-memory.dmp
memory/4816-72-0x0000000001A90000-0x0000000001D5F000-memory.dmp
memory/4816-73-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4816-84-0x0000000000090000-0x0000000000494000-memory.dmp
memory/3272-92-0x00000000736A0000-0x00000000736DA000-memory.dmp
memory/4816-93-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4816-102-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4816-110-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4816-118-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4528-141-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4528-144-0x0000000072E00000-0x00000000730CF000-memory.dmp
memory/4528-147-0x0000000073270000-0x000000007333E000-memory.dmp
memory/4528-145-0x00000000733C0000-0x0000000073488000-memory.dmp
memory/4816-148-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4528-152-0x0000000073390000-0x00000000733B4000-memory.dmp
memory/4528-150-0x0000000073340000-0x0000000073389000-memory.dmp
memory/4528-154-0x0000000073160000-0x000000007326A000-memory.dmp
memory/4528-161-0x0000000072E00000-0x00000000730CF000-memory.dmp
memory/4528-156-0x00000000730D0000-0x0000000073158000-memory.dmp
memory/4528-163-0x00000000733C0000-0x0000000073488000-memory.dmp
memory/4528-164-0x0000000073270000-0x000000007333E000-memory.dmp
memory/4528-162-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4152-175-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4152-178-0x0000000073D90000-0x0000000073DD9000-memory.dmp
memory/4152-180-0x00000000733E0000-0x00000000734EA000-memory.dmp
memory/4152-179-0x0000000073D60000-0x0000000073D84000-memory.dmp
memory/4152-181-0x0000000073350000-0x00000000733D8000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs
| MD5 | e19f21010caf272cad738630f8d7acdd |
| SHA1 | d6ab2e039075aac15bad612698dfbf58d9b06cc9 |
| SHA256 | a905c97c9fa33a92bc278f86156de63c72ba05bdd3334503900e85fb9bebd622 |
| SHA512 | 721efccd16583ae0fe05b21e8760cc6ee6c8876880d02c3c34bbf8b2841bb282f4e9a93e7c73d80cfb7159ba77d3ea538f4e8b24aef5f55ef259c6057158a748 |
memory/4152-187-0x00000000735C0000-0x000000007388F000-memory.dmp
memory/4152-184-0x0000000073280000-0x000000007334E000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | c5d2c8378663b67cb012b8fc0476f772 |
| SHA1 | e594bdefc047b0b2322b5ea748f4f45ff978ce26 |
| SHA256 | 5d46c83dfd6c80a4487b14d3f21351c540e1204fce1391dcbfb9b48e5c4b4ece |
| SHA512 | 4eaa6b000528ec65f270b8511f02be49ea0c508d0d3645efb6b90e38b06ececbb70039c59981af60696ed07d7ea421882610fc926c9d325bdffbcee728446ad3 |
memory/4152-177-0x00000000734F0000-0x00000000735B8000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new
| MD5 | c15cdbb7a0050c9874f9718b75ddb4c8 |
| SHA1 | 28b72954693213c60f200fb462f74a1c805d623c |
| SHA256 | 44d506a7f82e3e7e52ea559b87a476e2df0955633b9f98e1fcd4dcecd6c23a01 |
| SHA512 | ac6f19b8134e0369f7ec3cdb2eb361ba275133abf790c34e38100509939f7d2f79cd6baa3018af7aa5d932ea8480ef2fee15bf6882bee46c10ed6e5301036993 |
memory/3272-203-0x0000000072FE0000-0x000000007301A000-memory.dmp
memory/4152-204-0x0000000000090000-0x0000000000494000-memory.dmp
memory/4152-213-0x00000000734F0000-0x00000000735B8000-memory.dmp
memory/4152-214-0x0000000073280000-0x000000007334E000-memory.dmp
memory/240-253-0x0000000000090000-0x0000000000494000-memory.dmp
memory/240-256-0x00000000735C0000-0x000000007388F000-memory.dmp
memory/240-258-0x00000000734F0000-0x00000000735B8000-memory.dmp
memory/240-261-0x0000000073D90000-0x0000000073DD9000-memory.dmp
memory/240-260-0x0000000073280000-0x000000007334E000-memory.dmp
memory/4152-263-0x0000000000090000-0x0000000000494000-memory.dmp
memory/240-264-0x0000000073D60000-0x0000000073D84000-memory.dmp
memory/240-269-0x0000000073350000-0x00000000733D8000-memory.dmp
memory/240-266-0x00000000733E0000-0x00000000734EA000-memory.dmp
memory/240-274-0x00000000734F0000-0x00000000735B8000-memory.dmp
memory/240-275-0x0000000000090000-0x0000000000494000-memory.dmp
memory/240-276-0x00000000735C0000-0x000000007388F000-memory.dmp
memory/4876-288-0x00000000734F0000-0x00000000735B8000-memory.dmp
memory/4876-289-0x0000000073D90000-0x0000000073DD9000-memory.dmp
memory/4876-291-0x0000000073350000-0x00000000733D8000-memory.dmp
memory/4876-295-0x0000000073280000-0x000000007334E000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\state
| MD5 | e7c3cb37ce15d1b0eec4b428985aaf99 |
| SHA1 | 769bf497d1df71aca0cb895c28a3052d2b9012d5 |
| SHA256 | 1cb97e0908dbb4a0d1c14cbcdee25dec811d6e4935525a4cca50fad35f3b369a |
| SHA512 | 13221853c21dfc7d750c7905337b4ca3260d152b8dfac3f2bbaa9ac00d30bfce72fd0d5d757a0548c9f6bb5bb7a1eae323eaf04862da2504d0882615c61f3f62 |
memory/4876-292-0x00000000733E0000-0x00000000734EA000-memory.dmp
memory/4876-296-0x00000000735C0000-0x000000007388F000-memory.dmp
memory/4876-290-0x0000000073D60000-0x0000000073D84000-memory.dmp
C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs
| MD5 | a945503f3829f711781799af76bf8291 |
| SHA1 | 842a5d518d5665a9ef47d2baac778124d39f5f57 |
| SHA256 | bdada19ecaa0f74967fe9e29c1383b93641706d5a3833bf6f40bcb62a0552885 |
| SHA512 | 510d2ea0f3a6e8d8cd2ebec8527daa4bae8229247faa884a0077f78f510e07420a0e76a7516ea82c0eb13e4b74d38c36f8592fee4816422ce20861daeda6b468 |
memory/3272-310-0x0000000072FE0000-0x000000007301A000-memory.dmp
memory/4876-311-0x0000000000090000-0x0000000000494000-memory.dmp