Malware Analysis Report

2024-09-22 22:00

Sample ID 240426-hhztxaba5y
Target 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
SHA256 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2
Tags
bitrat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2

Threat Level: Known bad

The file 8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT

Bitrat family

BitRAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Uses Tor communications

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-26 06:45

Signatures

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Bitrat family

bitrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:51

Platform

win10v2004-20240412-en

Max time kernel

295s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1060 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
N/A 127.0.0.1:63365 tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 199.249.230.83:443 tcp
NL 192.42.116.16:443 tcp
FR 62.210.254.132:443 tcp
N/A 127.0.0.1:45808 tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FR 217.182.51.248:443 tcp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
IS 147.189.192.35:443 tcp
DE 82.165.101.234:443 tcp
US 8.8.8.8:53 35.192.189.147.in-addr.arpa udp
US 8.8.8.8:53 234.101.165.82.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 192.68.11.203:443 tcp
FR 94.23.76.52:443 tcp
N/A 127.0.0.1:63505 tcp
US 8.8.8.8:53 52.76.23.94.in-addr.arpa udp
US 8.8.8.8:53 203.11.68.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
N/A 127.0.0.1:63603 tcp
N/A 127.0.0.1:63640 tcp
FR 178.33.183.251:443 tcp
DE 192.68.11.203:443 tcp
DE 81.7.10.19:443 tcp
US 8.8.8.8:53 19.10.7.81.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
N/A 127.0.0.1:63725 tcp
DK 185.96.88.29:443 tcp
PL 193.42.36.82:443 tcp
DE 192.68.11.203:443 tcp
N/A 127.0.0.1:63751 tcp
US 8.8.8.8:53 82.36.42.193.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
DE 192.68.11.203:443 tcp
N/A 127.0.0.1:63835 tcp
DE 81.7.16.182:443 tcp
DE 192.68.11.203:443 tcp
DE 89.58.54.129:443 tcp
US 8.8.8.8:53 129.54.58.89.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp

Files

memory/1060-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/1060-1-0x0000000074D80000-0x0000000074DB9000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/3660-35-0x00000000741B0000-0x00000000741F9000-memory.dmp

memory/3660-36-0x0000000074180000-0x00000000741A4000-memory.dmp

memory/3660-37-0x00000000740B0000-0x0000000074178000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/3660-32-0x0000000000020000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/3660-39-0x00000000011D0000-0x000000000149F000-memory.dmp

memory/3660-38-0x0000000073FA0000-0x00000000740AA000-memory.dmp

memory/3660-40-0x0000000073CD0000-0x0000000073F9F000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

memory/3660-42-0x0000000073C40000-0x0000000073CC8000-memory.dmp

memory/3660-45-0x0000000074200000-0x00000000742CE000-memory.dmp

memory/1060-46-0x0000000073910000-0x0000000073949000-memory.dmp

memory/3660-47-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3660-48-0x0000000074200000-0x00000000742CE000-memory.dmp

memory/3660-49-0x00000000741B0000-0x00000000741F9000-memory.dmp

memory/3660-51-0x00000000740B0000-0x0000000074178000-memory.dmp

memory/3660-53-0x0000000073CD0000-0x0000000073F9F000-memory.dmp

memory/3660-50-0x0000000074180000-0x00000000741A4000-memory.dmp

memory/1060-55-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/3660-56-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3660-57-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3660-65-0x00000000011D0000-0x000000000149F000-memory.dmp

memory/3660-66-0x00000000011D0000-0x0000000001258000-memory.dmp

memory/3660-67-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3660-75-0x0000000000020000-0x0000000000424000-memory.dmp

memory/1060-83-0x0000000074DA0000-0x0000000074DD9000-memory.dmp

memory/3660-84-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3660-92-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3660-100-0x0000000000020000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/3660-116-0x0000000000020000-0x0000000000424000-memory.dmp

memory/1620-133-0x0000000000020000-0x0000000000424000-memory.dmp

memory/1620-142-0x00000000740B0000-0x0000000074178000-memory.dmp

memory/3660-143-0x0000000000020000-0x0000000000424000-memory.dmp

memory/1620-144-0x0000000074200000-0x00000000742CE000-memory.dmp

memory/1620-145-0x00000000741B0000-0x00000000741F9000-memory.dmp

memory/1620-146-0x0000000074180000-0x00000000741A4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 c3f8f2e59dbf913b0e63f7609a3d9bcf
SHA1 9985a850f481bbff90f8469cbd7090338b18adc1
SHA256 edc3d18fd9c19d2acedbc5e4016e0b5a79971c646775840c839cfef3797cd6bd
SHA512 22cce2c167e860ee2dab7d9d0a0caeca48b7f419f20409c2f12de6f770e1bbbe0f94ec1c24609aefa448b8259ac8bb1b22db05483a400ee192a38fecff757bf9

memory/1620-149-0x0000000073C40000-0x0000000073CC8000-memory.dmp

memory/1620-147-0x0000000073FA0000-0x00000000740AA000-memory.dmp

memory/1620-153-0x0000000073CD0000-0x0000000073F9F000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 6563a0f6d4668173f52c63fea1b8e390
SHA1 8a7344726ad087690463d11a5681366e66e1e97e
SHA256 32bdcd32ee71ec9aebece80821375bbb381638ab312af899759c3459c80d4eea
SHA512 ccc6fa0bd213671c9a41a0412442543eb2db6d0004e8183f2ab894b3b6154e7c62ff8132b92a585cc31b71c88c2edb5d72aa5b1cd831710d49990fa60f965a35

memory/1620-165-0x0000000000020000-0x0000000000424000-memory.dmp

memory/1620-174-0x00000000740B0000-0x0000000074178000-memory.dmp

memory/1620-175-0x0000000074200000-0x00000000742CE000-memory.dmp

memory/1060-176-0x00000000738A0000-0x00000000738D9000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 d45e35da821f7a95acd2bcc4ec1cb689
SHA1 3dbc14fa6c0104d5fb1ced99e1deca7b64fa96c2
SHA256 cab3c029449ce3aca31d10a16dc8a8b6904f5e44f49e0d62481d1dde8dde987f
SHA512 693586d807749501b66955b0d3b6bdf2c484643af23c75d303fc5a197d0ea2f67b990947a38a8022bfac5b9cd7d9182da4b6cdf740b181a83d6b6fad079dc7d2

memory/1620-234-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3092-237-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3092-240-0x0000000073CD0000-0x0000000073F9F000-memory.dmp

memory/3092-241-0x00000000740B0000-0x0000000074178000-memory.dmp

memory/3092-243-0x0000000074200000-0x00000000742CE000-memory.dmp

memory/3092-245-0x00000000741B0000-0x00000000741F9000-memory.dmp

memory/3092-247-0x0000000074180000-0x00000000741A4000-memory.dmp

memory/3092-249-0x0000000073FA0000-0x00000000740AA000-memory.dmp

memory/3092-251-0x0000000073C40000-0x0000000073CC8000-memory.dmp

memory/3640-263-0x0000000073FD0000-0x0000000074098000-memory.dmp

memory/3640-266-0x0000000073E40000-0x0000000073F4A000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 1741e847ba59b5bc3c264b36eb3e1427
SHA1 ad8abbc82ba3ddb70d785161c8545d25bb00f926
SHA256 fd1da47c82cc17c86c6ec1c1a0da7d2cd9ec730c7eeffe213b004f67ff72b4b8
SHA512 703b7df62e5be35fd2b491aca2199cb1a5b8225bdfb5e8bb3a61ef0b3232a55f05770dfbd307dfb8d85055ab5c80c3224e0cbc256cba7f420edade9f24eb246e

memory/3640-269-0x0000000073DB0000-0x0000000073E38000-memory.dmp

memory/3640-270-0x0000000073CE0000-0x0000000073DAE000-memory.dmp

memory/3640-271-0x00000000740A0000-0x000000007436F000-memory.dmp

memory/3640-265-0x0000000073F50000-0x0000000073F74000-memory.dmp

memory/3640-264-0x0000000073F80000-0x0000000073FC9000-memory.dmp

memory/1060-286-0x00000000738A0000-0x00000000738D9000-memory.dmp

memory/3640-287-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3640-296-0x0000000073FD0000-0x0000000074098000-memory.dmp

memory/1060-297-0x0000000074D80000-0x0000000074DB9000-memory.dmp

memory/1060-306-0x0000000073910000-0x0000000073949000-memory.dmp

memory/3992-339-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3992-341-0x00000000740A0000-0x000000007436F000-memory.dmp

memory/3992-346-0x0000000073CE0000-0x0000000073DAE000-memory.dmp

memory/3992-347-0x0000000073F80000-0x0000000073FC9000-memory.dmp

memory/3640-343-0x0000000000020000-0x0000000000424000-memory.dmp

memory/3992-342-0x0000000073FD0000-0x0000000074098000-memory.dmp

memory/3992-349-0x0000000073F50000-0x0000000073F74000-memory.dmp

memory/3992-352-0x0000000073E40000-0x0000000073F4A000-memory.dmp

memory/3992-353-0x0000000073DB0000-0x0000000073E38000-memory.dmp

memory/3992-358-0x00000000740A0000-0x000000007436F000-memory.dmp

memory/3992-359-0x0000000073FD0000-0x0000000074098000-memory.dmp

memory/3992-360-0x0000000000020000-0x0000000000424000-memory.dmp

memory/1320-365-0x00000000740A0000-0x000000007436F000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 d327f1e2481fba0d4a1f1d6889fab952
SHA1 63e809bbfd7ee758db87aa642499b868233e2613
SHA256 b7b4861d4fe65355757a660cf34a9a9b37180baa96e09cc8bac0d79020da4844
SHA512 b3987622fa523ce6be868d9e2428cb2bb9ebfdc0825dec368a70362e28caca7e4bf2df7e7f689b8ee6270c44c18a9884a903904755660bef4f82ec11ce1c0ae7

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:50

Platform

win11-20240412-en

Max time kernel

297s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3028 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49762 tcp
FR 163.172.149.122:443 tcp
CZ 37.157.195.87:443 tcp
RO 185.225.17.3:443 tcp
US 8.8.8.8:53 122.149.172.163.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 204.8.156.142:443 tcp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 142.156.8.204.in-addr.arpa udp
US 51.81.208.163:443 tcp
PL 83.168.69.84:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49868 tcp
RO 185.225.17.3:443 tcp
PL 83.168.69.84:443 tcp
US 45.76.2.145:443 tcp
N/A 127.0.0.1:49897 tcp
NL 52.111.243.29:443 tcp
N/A 127.0.0.1:45808 tcp
US 45.76.2.145:443 tcp
PL 83.168.69.84:443 tcp
N/A 127.0.0.1:49988 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
PL 83.168.69.84:443 tcp
US 45.76.2.145:443 tcp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
N/A 127.0.0.1:50110 tcp
DE 31.185.104.21:443 tcp
N/A 127.0.0.1:50138 tcp
PL 83.168.69.84:443 tcp
US 45.76.2.145:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50208 tcp
N/A 127.0.0.1:50229 tcp
US 45.76.2.145:443 tcp
PL 83.168.69.84:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
FR 212.47.244.38:443 tcp
N/A 127.0.0.1:50295 tcp
PL 83.168.69.84:443 tcp
US 45.76.2.145:443 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/3028-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/3028-1-0x0000000074C30000-0x0000000074C6C000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/1592-31-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1592-38-0x0000000073F80000-0x000000007424F000-memory.dmp

memory/1592-39-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

memory/1592-40-0x0000000073CD0000-0x0000000073DDA000-memory.dmp

memory/1592-41-0x0000000073C80000-0x0000000073CC9000-memory.dmp

memory/1592-42-0x0000000001830000-0x0000000001879000-memory.dmp

memory/1592-43-0x0000000073C50000-0x0000000073C74000-memory.dmp

memory/1592-44-0x0000000073BC0000-0x0000000073C48000-memory.dmp

memory/1592-45-0x0000000001830000-0x00000000018B8000-memory.dmp

memory/1592-46-0x0000000073EB0000-0x0000000073F78000-memory.dmp

memory/3028-47-0x00000000737A0000-0x00000000737DC000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/1592-56-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1592-58-0x0000000073F80000-0x000000007424F000-memory.dmp

memory/3028-64-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/1592-65-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1592-66-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1592-74-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1592-83-0x0000000000560000-0x0000000000964000-memory.dmp

memory/3028-95-0x0000000074C00000-0x0000000074C3C000-memory.dmp

memory/1592-96-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1592-104-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1592-112-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1416-129-0x0000000073EB0000-0x0000000073F78000-memory.dmp

memory/1416-130-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

memory/1416-131-0x0000000073C80000-0x0000000073CC9000-memory.dmp

memory/1416-133-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1416-135-0x0000000073F80000-0x000000007424F000-memory.dmp

memory/1416-137-0x0000000073EB0000-0x0000000073F78000-memory.dmp

memory/1416-134-0x0000000073C50000-0x0000000073C74000-memory.dmp

memory/1416-138-0x0000000073BC0000-0x0000000073C48000-memory.dmp

memory/1416-139-0x0000000073DE0000-0x0000000073EAE000-memory.dmp

memory/1416-140-0x0000000073C80000-0x0000000073CC9000-memory.dmp

memory/1416-136-0x0000000073CD0000-0x0000000073DDA000-memory.dmp

memory/3932-154-0x0000000074000000-0x00000000742CF000-memory.dmp

memory/3932-157-0x0000000073EE0000-0x0000000073F29000-memory.dmp

memory/3932-156-0x0000000073F30000-0x0000000073FF8000-memory.dmp

memory/3932-162-0x0000000073EB0000-0x0000000073ED4000-memory.dmp

memory/3932-163-0x0000000073DA0000-0x0000000073EAA000-memory.dmp

memory/3932-164-0x0000000073D10000-0x0000000073D98000-memory.dmp

memory/3932-165-0x0000000073C40000-0x0000000073D0E000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 83ebf71835b5a5139c68caec74b3eb52
SHA1 fcfe555c238d42c6731345010426f0d06d0ffca3
SHA256 cca655d1b5b64ba5f965873ceff6ce8782400483ac12c05a4d6ff4896a8f671c
SHA512 a905a018d25ddcf0ff2d06a441dad198ce993f2a0e371f5bf3d28bac3173040311e817c96f42d604f8fc212b63a675b481cafd58a782b13a542b1893f4e2af17

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 0c1315a5cb05aa88b872b2922e056336
SHA1 30ea561c655524ba502ab3fbf6d9de3a07bd8c49
SHA256 8b82b23f493d7095a1d23feb61bb81695aa2b5a912fd80e08321951cbe45f373
SHA512 d6fce30c969a0ea790a31081e944f33bc113a704d7c4aaef7ee67d5fde70af2e07949f6629cc2d39230b345a898e9b9298d011259e418945e0fe870e0e76fba7

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 d29fdd6ff41e4213c593c4bb430d4542
SHA1 3819d6ea47323e68e80f29ba4594e9e10875f919
SHA256 9544189a1cd9dbc0f57549439bd6ee62020760f4ccc33ca9c68a3b457acfdb5f
SHA512 43c00430f3a32f303c2375eb26480621a114e51d737a33f42b520cefa0c9cffb76b000eafc8cab00e129bc49a1811fb2d62e1e8b07e77ecf4d5d7c746e1f2393

memory/3028-184-0x0000000073A30000-0x0000000073A6C000-memory.dmp

memory/3932-185-0x0000000074000000-0x00000000742CF000-memory.dmp

memory/3932-194-0x0000000000560000-0x0000000000964000-memory.dmp

memory/3932-195-0x0000000073F30000-0x0000000073FF8000-memory.dmp

memory/3932-240-0x0000000000560000-0x0000000000964000-memory.dmp

memory/3548-241-0x0000000000560000-0x0000000000964000-memory.dmp

memory/3548-245-0x0000000073F30000-0x0000000073FF8000-memory.dmp

memory/3548-244-0x0000000074000000-0x00000000742CF000-memory.dmp

memory/3548-246-0x0000000073C40000-0x0000000073D0E000-memory.dmp

memory/3548-247-0x0000000073EE0000-0x0000000073F29000-memory.dmp

memory/3548-249-0x0000000073DA0000-0x0000000073EAA000-memory.dmp

memory/3548-248-0x0000000073EB0000-0x0000000073ED4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 eecacceb8836292ebfcb3993a1dc6216
SHA1 cb37d4d8020f7b88c5b9b40288393c28d2046113
SHA256 78fad745dc6c57c8728abc61d88d5857903b634b097b2137a085e344aa08a999
SHA512 94bc56b0f05fc8d38d604daa2d02c8c701b8ea775cfdcc564b4a5dc75c2e223a9b0679e131162ac2a384bbe0487f57d5087a1bc5fec028147d7139eaf742a5e9

memory/3548-250-0x0000000073D10000-0x0000000073D98000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 f38719968f0ef122ff36fd1eefb082e7
SHA1 6cd695823ff015cae1b3fd30033900f8b3d15762
SHA256 50a93e19abb4a42d088cd7eed116fb7f82234179f58f20ab369722c6fc9b4da6
SHA512 b56a8fade69f34857986e573b6a3b6458beb33a6f39eacd12f425a9c096b10e61633af8e1071e1d2745831d704c36d9045c916ff68ab13194915b1662221c162

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs

MD5 10cbc86f0c7854243b5d712e66c7667a
SHA1 d442bf4ba4a2932ca36067cef0fda1f97705f2c1
SHA256 dcd65938828e3f7045fa70313097429f15ab3c1cbbb08a954e0402a0618dea0f
SHA512 645631d6aac1ddb9e8cfcb53699418b9f37e7725cd7707e0010fee71aada49439ad2a16e17f88b616d39cc0d18f3c23711c1a579954039dc4b93968a4e5ae9f7

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 84421cec86ae6818f2e4a6a55282eb11
SHA1 a8f2abd0f7c1852b3aa107ff8076d376f29376e9
SHA256 e41728a293bc8410592810f1e5c019d8cdd3763cb38ce3db6f8fae54c05c8161
SHA512 c4ffad90dffbada13b8662724346ab0f8fe3caaaade83e57179cdac00ef4a31a82ee3046afa9749c3c596365836d43dd9d5a9f17502a2a9c2c865cd757b4d2b0

memory/3028-279-0x0000000073A30000-0x0000000073A6C000-memory.dmp

memory/3548-280-0x0000000000560000-0x0000000000964000-memory.dmp

memory/3548-281-0x0000000074000000-0x00000000742CF000-memory.dmp

memory/3028-302-0x0000000074C30000-0x0000000074C6C000-memory.dmp

memory/3028-314-0x00000000737A0000-0x00000000737DC000-memory.dmp

memory/2524-344-0x0000000073C40000-0x0000000073D0E000-memory.dmp

memory/2524-346-0x0000000073EE0000-0x0000000073F29000-memory.dmp

memory/2524-348-0x0000000073EB0000-0x0000000073ED4000-memory.dmp

memory/3548-350-0x0000000000560000-0x0000000000964000-memory.dmp

memory/2524-352-0x0000000073D10000-0x0000000073D98000-memory.dmp

memory/2524-351-0x0000000073DA0000-0x0000000073EAA000-memory.dmp

memory/2524-353-0x0000000074000000-0x00000000742CF000-memory.dmp

memory/2524-364-0x0000000000560000-0x0000000000964000-memory.dmp

memory/2524-363-0x0000000073D10000-0x0000000073D98000-memory.dmp

memory/2524-362-0x0000000073DA0000-0x0000000073EAA000-memory.dmp

memory/2524-366-0x0000000073C40000-0x0000000073D0E000-memory.dmp

memory/2524-365-0x0000000073F30000-0x0000000073FF8000-memory.dmp

memory/2524-367-0x0000000073EE0000-0x0000000073F29000-memory.dmp

memory/2524-368-0x0000000073EB0000-0x0000000073ED4000-memory.dmp

memory/1168-372-0x0000000000560000-0x0000000000964000-memory.dmp

memory/1168-374-0x0000000073F30000-0x0000000073FF8000-memory.dmp

memory/1168-373-0x0000000074000000-0x00000000742CF000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:50

Platform

win10-20240404-en

Max time kernel

299s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 512 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 512 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49795 tcp
NL 80.127.137.19:443 tcp
FR 163.172.53.84:443 tcp
NL 185.246.152.22:443 tcp
N/A 127.0.0.1:45808 tcp
GR 185.4.132.148:443 tcp
US 204.13.164.118:443 tcp
US 8.8.8.8:53 148.132.4.185.in-addr.arpa udp
US 8.8.8.8:53 118.164.13.204.in-addr.arpa udp
DE 94.16.120.204:443 tcp
US 15.204.14.102:443 tcp
US 8.8.8.8:53 204.120.16.94.in-addr.arpa udp
US 8.8.8.8:53 102.14.204.15.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:49909 tcp
DK 185.96.180.29:443 tcp
NL 45.94.31.54:443 tcp
US 64.176.210.130:443 tcp
N/A 127.0.0.1:49949 tcp
US 8.8.8.8:53 130.210.176.64.in-addr.arpa udp
US 8.8.8.8:53 54.31.94.45.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp
N/A 127.0.0.1:50028 tcp
N/A 127.0.0.1:50068 tcp
CZ 195.123.245.141:443 tcp
US 172.233.129.176:443 tcp
US 172.96.172.157:443 tcp
US 8.8.8.8:53 141.245.123.195.in-addr.arpa udp
US 8.8.8.8:53 157.172.96.172.in-addr.arpa udp
US 8.8.8.8:53 176.129.233.172.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
N/A 127.0.0.1:50150 tcp
N/A 127.0.0.1:50174 tcp
SE 171.25.193.25:443 tcp
US 15.204.141.10:443 tcp
GB 213.171.194.25:443 tcp
US 8.8.8.8:53 25.194.171.213.in-addr.arpa udp
US 8.8.8.8:53 25.193.25.171.in-addr.arpa udp
US 8.8.8.8:53 10.141.204.15.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50249 tcp
US 50.7.74.172:443 tcp
DE 82.165.116.173:443 tcp
GB 213.171.194.25:443 tcp
N/A 127.0.0.1:50275 tcp
US 8.8.8.8:53 173.116.165.82.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp

Files

memory/512-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/512-1-0x0000000073BA0000-0x0000000073BDA000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/2852-31-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/2852-32-0x0000000073170000-0x00000000731B9000-memory.dmp

memory/2852-33-0x00000000730A0000-0x0000000073168000-memory.dmp

memory/2852-34-0x0000000073070000-0x0000000073094000-memory.dmp

memory/2852-35-0x0000000072F60000-0x000000007306A000-memory.dmp

memory/2852-40-0x0000000072C90000-0x0000000072F5F000-memory.dmp

memory/2852-37-0x00000000012B0000-0x000000000157F000-memory.dmp

memory/2852-42-0x0000000000C00000-0x0000000000C88000-memory.dmp

memory/2852-41-0x0000000072C00000-0x0000000072C88000-memory.dmp

memory/2852-43-0x00000000731C0000-0x000000007328E000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

memory/512-44-0x0000000072930000-0x000000007296A000-memory.dmp

memory/2852-45-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/2852-48-0x00000000730A0000-0x0000000073168000-memory.dmp

memory/2852-51-0x0000000072C90000-0x0000000072F5F000-memory.dmp

memory/512-53-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/2852-54-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/2852-55-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/2852-63-0x00000000012B0000-0x000000000157F000-memory.dmp

memory/2852-64-0x0000000000C00000-0x0000000000C88000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/2852-73-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/2852-81-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/512-89-0x00000000734A0000-0x00000000734DA000-memory.dmp

memory/2852-90-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/2852-101-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/2852-109-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/2852-117-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/3560-143-0x00000000730A0000-0x0000000073168000-memory.dmp

memory/3560-142-0x0000000072C90000-0x0000000072F5F000-memory.dmp

memory/3560-140-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/3560-146-0x00000000731C0000-0x000000007328E000-memory.dmp

memory/3560-152-0x0000000073070000-0x0000000073094000-memory.dmp

memory/2852-151-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/3560-149-0x0000000073170000-0x00000000731B9000-memory.dmp

memory/3560-154-0x0000000072F60000-0x000000007306A000-memory.dmp

memory/3560-156-0x0000000072C00000-0x0000000072C88000-memory.dmp

memory/3560-161-0x0000000072C90000-0x0000000072F5F000-memory.dmp

memory/3560-160-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/3156-175-0x0000000073B90000-0x0000000073BD9000-memory.dmp

memory/3156-176-0x0000000073B60000-0x0000000073B84000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 3462ada9c04195c4646f378d48f30dc3
SHA1 09473bc71e21a14ebf2c951fc59a490dfad4f19f
SHA256 e9095206ccd0eace4f9db4416b0dd7c1412845447f8e299072ef7f9977c1df67
SHA512 7f99a619e4bca8545e8be6cb1d63c8697f8fa2472253f07a42933ac5d0042b2bea9d7c8b41337709343765d2c916602fbb034741900da1e1b7f49c8374b1302c

memory/3156-182-0x0000000073150000-0x00000000731D8000-memory.dmp

memory/3156-183-0x0000000073080000-0x000000007314E000-memory.dmp

memory/3156-181-0x00000000731E0000-0x00000000732EA000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 31169be22008dac1e39e2b15c4153695
SHA1 1e3a31a8c8dc2815aec3d8713566a3cca5fc0461
SHA256 7f6b44eb05543fc103e0421ddf48d4545f63eebf249b72fbd507acb21c5e37f4
SHA512 57e307872172595b4956b51cb30c707997b383c810e109602592b8eb083e52f1a2021006fc9bdd9554358578d03cbd24197f5f955160bda0c9cc883d7c41615d

memory/3156-184-0x00000000733C0000-0x000000007368F000-memory.dmp

memory/3156-174-0x00000000732F0000-0x00000000733B8000-memory.dmp

memory/3156-173-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/512-196-0x0000000072DE0000-0x0000000072E1A000-memory.dmp

memory/3156-197-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/3156-206-0x00000000732F0000-0x00000000733B8000-memory.dmp

memory/4244-244-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/4244-246-0x00000000732F0000-0x00000000733B8000-memory.dmp

memory/4244-247-0x0000000073080000-0x000000007314E000-memory.dmp

memory/4244-255-0x00000000731E0000-0x00000000732EA000-memory.dmp

memory/4244-252-0x0000000073B60000-0x0000000073B84000-memory.dmp

memory/4244-250-0x0000000073B90000-0x0000000073BD9000-memory.dmp

memory/4244-257-0x0000000073150000-0x00000000731D8000-memory.dmp

memory/4244-261-0x00000000733C0000-0x000000007368F000-memory.dmp

memory/3156-259-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/4244-267-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/4244-268-0x00000000732F0000-0x00000000733B8000-memory.dmp

memory/4244-269-0x0000000073080000-0x000000007314E000-memory.dmp

memory/3220-283-0x0000000073B90000-0x0000000073BD9000-memory.dmp

memory/3220-282-0x00000000732F0000-0x00000000733B8000-memory.dmp

memory/3220-284-0x0000000073B60000-0x0000000073B84000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 ee4000ca999e713d1992ff05b2803080
SHA1 e4491327c73648478448108c3c451d1c223cd6da
SHA256 e5f9d3abfbb605a792025ae88eadb1297b62bd3f1667c92f8d1f90f9b560a685
SHA512 35b62550774562fdca66f16796584a6d3327116b2498e4daca8423993b0c7d0fe445477c82e904da4d7e9389cbfd271962c52ec49328fb5d8539c34ea7812288

memory/3220-285-0x00000000731E0000-0x00000000732EA000-memory.dmp

memory/3220-288-0x0000000073150000-0x00000000731D8000-memory.dmp

memory/3220-289-0x00000000016D0000-0x0000000001758000-memory.dmp

memory/3220-290-0x0000000073080000-0x000000007314E000-memory.dmp

memory/3220-291-0x00000000733C0000-0x000000007368F000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 4f985be34da5fe805563392f5e7c111e
SHA1 13fbb87787dbdd590e6022ff6b74c2cd3f7006a0
SHA256 161b9f47e5a2bf989a12fa054831f33e1911088c216f74a7c7b0f0e76369174a
SHA512 c74da445621cb3a4d4bd573b49487b360ee1552365d1cf7d84e6bfc462fb08158f530670e8702360bbca3aa78ea2f070553e04b93fb5330859fbb62efcf4f237

memory/512-306-0x0000000072DE0000-0x0000000072E1A000-memory.dmp

memory/512-307-0x0000000073BA0000-0x0000000073BDA000-memory.dmp

memory/3220-308-0x0000000000CA0000-0x00000000010A4000-memory.dmp

memory/3220-317-0x00000000732F0000-0x00000000733B8000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 da495e01c31bcc994915c8be83f38e7f
SHA1 99f6b5f6b79977ff1ca1b7fb3a70fad21bec703b
SHA256 8185b79b05ef85f52176c6873ce24fb0a58d4d1df19a4e4fd5d81e0d2bbe52e2
SHA512 0eed608535acaff65fbd0766a8f0f19fe9ca965170c77fd3238b6409cd729585d70cea043980374f02edf190acddcee1b3fcb25630400a2143dd13d069b31aa8

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 9a679924f74257b83913acbbfc0e8e00
SHA1 9445ff04c262c2d610c59e6f11d0ce23d18af24b
SHA256 41d406a792183f12276ae1d5ecdf044e48aec13d23415d7dedd9a575c9ce15a9
SHA512 dc3e57359a1daa9223ad96cf3f9897c3fbc9afe8e5e0cb8ca69a03ee601a34615dcdc37dcf9279963611f7399fab2c0137213d81aaf47dc706367f544d091e63

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:50

Platform

win7-20240215-en

Max time kernel

296s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 1972 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49224 tcp
FR 217.182.51.248:443 tcp
NL 77.247.181.164:443 tcp
DE 46.165.230.5:443 tcp
N/A 127.0.0.1:45808 tcp
US 107.155.81.178:443 tcp
GB 181.215.32.138:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49306 tcp
LU 92.38.163.21:443 tcp
NL 45.94.31.54:443 tcp
CH 213.144.135.21:443 tcp
N/A 127.0.0.1:49348 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49417 tcp
FR 163.172.139.104:443 tcp
IT 152.89.170.188:443 tcp
CH 31.164.215.246:443 tcp
N/A 127.0.0.1:49465 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49518 tcp
N/A 127.0.0.1:49549 tcp
US 50.7.74.170:443 tcp
US 162.251.116.50:443 tcp
FI 95.217.112.243:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49607 tcp
N/A 127.0.0.1:49638 tcp
LU 92.38.163.21:443 tcp
US 108.181.132.245:443 tcp
DE 193.31.27.59:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49694 tcp
DE 46.182.21.248:443 tcp
US 108.181.132.245:443 tcp
NL 45.94.31.54:443 tcp
N/A 127.0.0.1:49726 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49782 tcp
N/A 127.0.0.1:45808 tcp
US 50.7.74.172:443 tcp
DE 173.249.8.113:443 tcp
CH 31.164.215.246:443 tcp
N/A 127.0.0.1:49849 tcp

Files

memory/1972-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

memory/1972-33-0x00000000044F0000-0x00000000048F4000-memory.dmp

memory/1964-34-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1964-38-0x0000000074CF0000-0x0000000074D39000-memory.dmp

memory/1964-37-0x0000000074790000-0x0000000074A5F000-memory.dmp

memory/1964-39-0x00000000746C0000-0x0000000074788000-memory.dmp

memory/1964-40-0x00000000745B0000-0x00000000746BA000-memory.dmp

memory/1964-41-0x0000000074C60000-0x0000000074CE8000-memory.dmp

memory/1964-42-0x00000000744E0000-0x00000000745AE000-memory.dmp

memory/1964-43-0x0000000074D90000-0x0000000074DB4000-memory.dmp

memory/1972-44-0x00000000044F0000-0x00000000048F4000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/1964-53-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1964-54-0x0000000074790000-0x0000000074A5F000-memory.dmp

memory/1972-61-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/1972-62-0x00000000044F0000-0x00000000048F4000-memory.dmp

memory/1964-63-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1964-71-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1972-72-0x00000000044F0000-0x00000000048F4000-memory.dmp

memory/1964-73-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1964-81-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1972-109-0x0000000005220000-0x0000000005624000-memory.dmp

memory/2944-112-0x0000000001240000-0x0000000001644000-memory.dmp

memory/2944-114-0x0000000074790000-0x0000000074A5F000-memory.dmp

memory/2944-117-0x0000000074CF0000-0x0000000074D39000-memory.dmp

memory/2944-121-0x00000000746C0000-0x0000000074788000-memory.dmp

memory/2944-124-0x00000000745B0000-0x00000000746BA000-memory.dmp

memory/2944-128-0x00000000744E0000-0x00000000745AE000-memory.dmp

memory/2944-129-0x0000000074D90000-0x0000000074DB4000-memory.dmp

memory/2944-127-0x0000000074C60000-0x0000000074CE8000-memory.dmp

memory/1964-93-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1972-146-0x0000000005220000-0x0000000005624000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 d1f2cf04f278120f84eb38d55698a268
SHA1 aaadb578686be939fe60b5184801d2511af55825
SHA256 bd4e5813771e5bf9b9e08108f3d891cc9cb9f229ed8b8fefea61d563e34dc882
SHA512 f9e3df1f79f8a463b720c81929705bde71d06519bad98ad73b5519c6bfe7d66209116155ed181e7a26c47992570580e27b874a72c6e2f79f89e942062e2913a9

memory/2076-152-0x0000000074790000-0x0000000074A5F000-memory.dmp

memory/2076-153-0x0000000074CF0000-0x0000000074D39000-memory.dmp

memory/2076-154-0x00000000746C0000-0x0000000074788000-memory.dmp

memory/2076-155-0x00000000745B0000-0x00000000746BA000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 394712acc34a2dde4b20232eec191c08
SHA1 740da0d29801d3c88f32ff4c4ca91b0efb16609d
SHA256 a906962690f03d6451a5dfe22a965487b42c432c7c6c75f002dc846d7ccfc69b
SHA512 a05f3443236d2a31ab8eb0d8b2376fac0298b395f366ef31e0d665138f9e9b96c5e8ac5bf2cad0450132e255a02ef8ccfb547313787784c6dd7c51d1290f720d

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 1d2bdf5fa83f26ed89b5e7e8890e8a9c
SHA1 ba664fec451f2a4ef2f1ac718cd56b0708e3266e
SHA256 80cebed4d6bdd1e2d045faae340a9e2031200fd32159edcb3eae013ecf2d8486
SHA512 7e005b68bb3bc0e4bc7d3783d65b5de1c931a90396c87a24a86ff04a3deaa3d9d3ef3177cfb928f88dedcd0f8f4b638ede0a21453216e95a3725c570b6828854

memory/2076-161-0x0000000074C60000-0x0000000074CE8000-memory.dmp

memory/2076-162-0x00000000744E0000-0x00000000745AE000-memory.dmp

memory/2076-163-0x0000000074D90000-0x0000000074DB4000-memory.dmp

memory/2076-148-0x0000000001240000-0x0000000001644000-memory.dmp

memory/2076-166-0x0000000001240000-0x0000000001644000-memory.dmp

memory/2076-174-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1972-182-0x0000000005220000-0x0000000005624000-memory.dmp

memory/2076-183-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1972-208-0x0000000005220000-0x0000000005624000-memory.dmp

memory/924-212-0x0000000001240000-0x0000000001644000-memory.dmp

memory/924-218-0x0000000074790000-0x0000000074A5F000-memory.dmp

memory/924-219-0x0000000074CF0000-0x0000000074D39000-memory.dmp

memory/924-221-0x00000000746C0000-0x0000000074788000-memory.dmp

memory/924-223-0x00000000745B0000-0x00000000746BA000-memory.dmp

memory/924-225-0x0000000074C60000-0x0000000074CE8000-memory.dmp

memory/924-227-0x00000000744E0000-0x00000000745AE000-memory.dmp

memory/924-229-0x0000000074D90000-0x0000000074DB4000-memory.dmp

memory/924-232-0x0000000001240000-0x0000000001644000-memory.dmp

memory/2316-247-0x00000000002E0000-0x00000000006E4000-memory.dmp

memory/2316-248-0x00000000744C0000-0x000000007478F000-memory.dmp

memory/2316-249-0x0000000074CA0000-0x0000000074CE9000-memory.dmp

memory/2316-251-0x0000000074880000-0x000000007498A000-memory.dmp

memory/2316-252-0x00000000747F0000-0x0000000074878000-memory.dmp

memory/2316-250-0x0000000074990000-0x0000000074A58000-memory.dmp

memory/2316-255-0x0000000074330000-0x00000000743FE000-memory.dmp

memory/2316-256-0x0000000074D10000-0x0000000074D34000-memory.dmp

memory/2316-276-0x00000000002E0000-0x00000000006E4000-memory.dmp

memory/2316-277-0x00000000744C0000-0x000000007478F000-memory.dmp

memory/2316-278-0x0000000074CA0000-0x0000000074CE9000-memory.dmp

memory/2316-281-0x00000000747F0000-0x0000000074878000-memory.dmp

memory/2316-280-0x0000000074880000-0x000000007498A000-memory.dmp

memory/2316-279-0x0000000074990000-0x0000000074A58000-memory.dmp

memory/2316-282-0x0000000074330000-0x00000000743FE000-memory.dmp

memory/1972-298-0x0000000005220000-0x0000000005624000-memory.dmp

memory/2912-300-0x00000000002E0000-0x00000000006E4000-memory.dmp

memory/2912-301-0x00000000744C0000-0x000000007478F000-memory.dmp

memory/2912-303-0x0000000074CA0000-0x0000000074CE9000-memory.dmp

memory/2912-306-0x0000000074990000-0x0000000074A58000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-26 06:44

Reported

2024-04-26 06:51

Platform

win10-20240404-en

Max time kernel

300s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe
PID 3272 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe

"C:\Users\Admin\AppData\Local\Temp\8524d39271ec09d851920db4036d9dafe4f61f5cbd44d81322c9ec29ef1aadc2.exe"

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe" -f torrc

Network

Country Destination Domain Proto
GR 185.4.132.148:443 tcp
US 8.8.8.8:53 148.132.4.185.in-addr.arpa udp
N/A 127.0.0.1:49829 tcp
N/A 127.0.0.1:45808 tcp
FR 86.105.212.130:443 tcp
TR 5.252.74.238:443 tcp
US 135.148.100.89:443 tcp
US 8.8.8.8:53 89.100.148.135.in-addr.arpa udp
US 8.8.8.8:53 238.74.252.5.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
FR 37.187.102.108:443 tcp
DE 45.142.177.89:443 tcp
US 135.148.100.89:443 tcp
US 8.8.8.8:53 89.177.142.45.in-addr.arpa udp
N/A 127.0.0.1:49945 tcp
N/A 127.0.0.1:49983 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp
US 23.141.40.7:443 tcp
NO 185.181.60.181:443 tcp
CA 207.134.205.114:443 tcp
US 8.8.8.8:53 181.60.181.185.in-addr.arpa udp
US 8.8.8.8:53 114.205.134.207.in-addr.arpa udp
US 8.8.8.8:53 7.40.141.23.in-addr.arpa udp
N/A 127.0.0.1:50067 tcp
N/A 127.0.0.1:50104 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50160 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
GR 185.4.132.148:443 tcp
US 135.148.100.89:443 tcp
DE 88.198.35.49:443 tcp
N/A 127.0.0.1:50186 tcp
US 8.8.8.8:53 49.35.198.88.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50255 tcp
NL 77.247.181.166:443 tcp
TR 5.252.74.238:443 tcp
FR 51.159.179.214:443 tcp
N/A 127.0.0.1:50283 tcp
US 8.8.8.8:53 214.179.159.51.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp

Files

memory/3272-0-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/3272-1-0x0000000073DA0000-0x0000000073DDA000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\8123e463\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\8123e463\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/4816-17-0x0000000000090000-0x0000000000494000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\8123e463\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\8123e463\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\8123e463\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\8123e463\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/4816-32-0x00000000733C0000-0x0000000073488000-memory.dmp

memory/4816-33-0x0000000073390000-0x00000000733B4000-memory.dmp

memory/4816-35-0x0000000073270000-0x000000007333E000-memory.dmp

memory/4816-36-0x0000000073160000-0x000000007326A000-memory.dmp

memory/4816-34-0x0000000073340000-0x0000000073389000-memory.dmp

memory/4816-37-0x00000000730D0000-0x0000000073158000-memory.dmp

memory/4816-39-0x0000000001A90000-0x0000000001B18000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\torrc

MD5 22ec9e4c1cdf6aca7b2997be93f46645
SHA1 df0a0e3373fc514518b70adfebc86c23c3f04bf8
SHA256 b2c53ffa29d2c7207304ba7dbc81429d36cdc2542ff701bf2a386ad07aacfdb4
SHA512 d96b3ee219aa5fac241415237ec3c0523b7c02b27ca77089d5a6530c32d398741c911b496c44b6217c42afbdb13d95aa565cae7c6562410978684e51e235fd94

memory/4816-42-0x0000000001A90000-0x0000000001D5F000-memory.dmp

memory/4816-43-0x0000000072E00000-0x00000000730CF000-memory.dmp

memory/3272-44-0x0000000072B10000-0x0000000072B4A000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdesc-consensus.tmp

MD5 e0c532df4b63edb19c242ef478980308
SHA1 e62c4db641e976bac705db9d547d213ff2c49217
SHA256 895abba685d7e4ee4c67e8ac6e9e6971144f3dfa00f83a8a40cecd07705f2cf7
SHA512 da0d4d4fb18d3276a659e21801b77e70cbe72432e5e6e89b4f0228524ca99107745463b37ce78bed46fe48a4d6cc9b52076f58b0ebb11a1c82961b10598c9d6e

memory/4816-53-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4816-54-0x00000000733C0000-0x0000000073488000-memory.dmp

memory/4816-57-0x0000000073270000-0x000000007333E000-memory.dmp

memory/3272-61-0x0000000000400000-0x0000000000FBD000-memory.dmp

memory/4816-62-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4816-70-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4816-71-0x0000000001A90000-0x0000000001B18000-memory.dmp

memory/4816-72-0x0000000001A90000-0x0000000001D5F000-memory.dmp

memory/4816-73-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4816-84-0x0000000000090000-0x0000000000494000-memory.dmp

memory/3272-92-0x00000000736A0000-0x00000000736DA000-memory.dmp

memory/4816-93-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4816-102-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4816-110-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4816-118-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4528-141-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4528-144-0x0000000072E00000-0x00000000730CF000-memory.dmp

memory/4528-147-0x0000000073270000-0x000000007333E000-memory.dmp

memory/4528-145-0x00000000733C0000-0x0000000073488000-memory.dmp

memory/4816-148-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4528-152-0x0000000073390000-0x00000000733B4000-memory.dmp

memory/4528-150-0x0000000073340000-0x0000000073389000-memory.dmp

memory/4528-154-0x0000000073160000-0x000000007326A000-memory.dmp

memory/4528-161-0x0000000072E00000-0x00000000730CF000-memory.dmp

memory/4528-156-0x00000000730D0000-0x0000000073158000-memory.dmp

memory/4528-163-0x00000000733C0000-0x0000000073488000-memory.dmp

memory/4528-164-0x0000000073270000-0x000000007333E000-memory.dmp

memory/4528-162-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4152-175-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4152-178-0x0000000073D90000-0x0000000073DD9000-memory.dmp

memory/4152-180-0x00000000733E0000-0x00000000734EA000-memory.dmp

memory/4152-179-0x0000000073D60000-0x0000000073D84000-memory.dmp

memory/4152-181-0x0000000073350000-0x00000000733D8000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-certs

MD5 e19f21010caf272cad738630f8d7acdd
SHA1 d6ab2e039075aac15bad612698dfbf58d9b06cc9
SHA256 a905c97c9fa33a92bc278f86156de63c72ba05bdd3334503900e85fb9bebd622
SHA512 721efccd16583ae0fe05b21e8760cc6ee6c8876880d02c3c34bbf8b2841bb282f4e9a93e7c73d80cfb7159ba77d3ea538f4e8b24aef5f55ef259c6057158a748

memory/4152-187-0x00000000735C0000-0x000000007388F000-memory.dmp

memory/4152-184-0x0000000073280000-0x000000007334E000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 c5d2c8378663b67cb012b8fc0476f772
SHA1 e594bdefc047b0b2322b5ea748f4f45ff978ce26
SHA256 5d46c83dfd6c80a4487b14d3f21351c540e1204fce1391dcbfb9b48e5c4b4ece
SHA512 4eaa6b000528ec65f270b8511f02be49ea0c508d0d3645efb6b90e38b06ececbb70039c59981af60696ed07d7ea421882610fc926c9d325bdffbcee728446ad3

memory/4152-177-0x00000000734F0000-0x00000000735B8000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs.new

MD5 c15cdbb7a0050c9874f9718b75ddb4c8
SHA1 28b72954693213c60f200fb462f74a1c805d623c
SHA256 44d506a7f82e3e7e52ea559b87a476e2df0955633b9f98e1fcd4dcecd6c23a01
SHA512 ac6f19b8134e0369f7ec3cdb2eb361ba275133abf790c34e38100509939f7d2f79cd6baa3018af7aa5d932ea8480ef2fee15bf6882bee46c10ed6e5301036993

memory/3272-203-0x0000000072FE0000-0x000000007301A000-memory.dmp

memory/4152-204-0x0000000000090000-0x0000000000494000-memory.dmp

memory/4152-213-0x00000000734F0000-0x00000000735B8000-memory.dmp

memory/4152-214-0x0000000073280000-0x000000007334E000-memory.dmp

memory/240-253-0x0000000000090000-0x0000000000494000-memory.dmp

memory/240-256-0x00000000735C0000-0x000000007388F000-memory.dmp

memory/240-258-0x00000000734F0000-0x00000000735B8000-memory.dmp

memory/240-261-0x0000000073D90000-0x0000000073DD9000-memory.dmp

memory/240-260-0x0000000073280000-0x000000007334E000-memory.dmp

memory/4152-263-0x0000000000090000-0x0000000000494000-memory.dmp

memory/240-264-0x0000000073D60000-0x0000000073D84000-memory.dmp

memory/240-269-0x0000000073350000-0x00000000733D8000-memory.dmp

memory/240-266-0x00000000733E0000-0x00000000734EA000-memory.dmp

memory/240-274-0x00000000734F0000-0x00000000735B8000-memory.dmp

memory/240-275-0x0000000000090000-0x0000000000494000-memory.dmp

memory/240-276-0x00000000735C0000-0x000000007388F000-memory.dmp

memory/4876-288-0x00000000734F0000-0x00000000735B8000-memory.dmp

memory/4876-289-0x0000000073D90000-0x0000000073DD9000-memory.dmp

memory/4876-291-0x0000000073350000-0x00000000733D8000-memory.dmp

memory/4876-295-0x0000000073280000-0x000000007334E000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\state

MD5 e7c3cb37ce15d1b0eec4b428985aaf99
SHA1 769bf497d1df71aca0cb895c28a3052d2b9012d5
SHA256 1cb97e0908dbb4a0d1c14cbcdee25dec811d6e4935525a4cca50fad35f3b369a
SHA512 13221853c21dfc7d750c7905337b4ca3260d152b8dfac3f2bbaa9ac00d30bfce72fd0d5d757a0548c9f6bb5bb7a1eae323eaf04862da2504d0882615c61f3f62

memory/4876-292-0x00000000733E0000-0x00000000734EA000-memory.dmp

memory/4876-296-0x00000000735C0000-0x000000007388F000-memory.dmp

memory/4876-290-0x0000000073D60000-0x0000000073D84000-memory.dmp

C:\Users\Admin\AppData\Local\8123e463\tor\data\cached-microdescs

MD5 a945503f3829f711781799af76bf8291
SHA1 842a5d518d5665a9ef47d2baac778124d39f5f57
SHA256 bdada19ecaa0f74967fe9e29c1383b93641706d5a3833bf6f40bcb62a0552885
SHA512 510d2ea0f3a6e8d8cd2ebec8527daa4bae8229247faa884a0077f78f510e07420a0e76a7516ea82c0eb13e4b74d38c36f8592fee4816422ce20861daeda6b468

memory/3272-310-0x0000000072FE0000-0x000000007301A000-memory.dmp

memory/4876-311-0x0000000000090000-0x0000000000494000-memory.dmp