Malware Analysis Report

2024-09-22 22:02

Sample ID 240507-pnbgtsac85
Target a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
SHA256 a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Tags
bitrat persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449

Threat Level: Known bad

The file a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449 was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

Bitrat family

BitRAT

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-07 12:28

Signatures

Bitrat family

bitrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:33

Platform

win11-20240419-en

Max time kernel

298s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 3344 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49785 tcp
US 172.98.193.43:443 tcp
MD 178.17.174.14:9001 tcp
US 8.8.8.8:53 14.174.17.178.in-addr.arpa udp
DE 217.79.179.177:9001 tcp
DE 144.76.200.80:9001 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 80.200.76.144.in-addr.arpa udp
DE 144.76.200.80:9001 tcp
N/A 127.0.0.1:45808 tcp
DE 217.79.179.177:9001 tcp
DE 178.254.44.163:6080 tcp
CH 81.17.28.117:9001 tcp
N/A 127.0.0.1:49923 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
FI 37.27.58.206:9001 tcp
N/A 127.0.0.1:50028 tcp
US 51.81.56.228:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50118 tcp
US 51.81.93.108:443 tcp
DE 148.251.151.125:9001 tcp
N/A 127.0.0.1:45808 tcp
FI 135.181.63.118:9100 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50201 tcp
RU 37.153.1.10:9001 tcp
GB 181.215.32.131:443 tcp
DE 138.201.78.61:9001 tcp
N/A 127.0.0.1:45808 tcp
US 66.206.1.202:9000 tcp

Files

memory/3344-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/3344-1-0x0000000074520000-0x000000007455C000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/5068-17-0x0000000000990000-0x0000000000D94000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/5068-37-0x0000000073780000-0x000000007388A000-memory.dmp

memory/5068-36-0x0000000073890000-0x0000000073918000-memory.dmp

memory/5068-35-0x0000000073920000-0x0000000073944000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/5068-32-0x0000000073950000-0x0000000073999000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/5068-29-0x00000000739A0000-0x0000000073A68000-memory.dmp

memory/5068-28-0x0000000073A70000-0x0000000073B3E000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/5068-40-0x00000000734B0000-0x000000007377F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/5068-41-0x0000000001D00000-0x0000000001FCF000-memory.dmp

memory/3344-50-0x0000000073090000-0x00000000730CC000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus

MD5 2e9a4917f6eca568920415d5732154da
SHA1 b2aa2df460fecec7b9a4bf367d98b4de6868d4f6
SHA256 94961ea60aaacfdfe1facac4f6e7dc5c8ef5ba7403a89e9a4a23ce3d834d6a88
SHA512 d14412ce224793517eb6e048a18ffc7638627b83bf838c6fbbeb5fe72074e7c886d6b4d3eca5041289c842ce2092feab85664c8fc83af05488ef2e4dbe1622fc

memory/3344-54-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/5068-59-0x0000000073950000-0x0000000073999000-memory.dmp

memory/5068-63-0x00000000734B0000-0x000000007377F000-memory.dmp

memory/5068-62-0x0000000073780000-0x000000007388A000-memory.dmp

memory/5068-64-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/5068-61-0x0000000073890000-0x0000000073918000-memory.dmp

memory/5068-60-0x0000000073920000-0x0000000073944000-memory.dmp

memory/5068-58-0x00000000739A0000-0x0000000073A68000-memory.dmp

memory/5068-57-0x0000000073A70000-0x0000000073B3E000-memory.dmp

memory/5068-56-0x0000000000990000-0x0000000000D94000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 efaace97a1f610cf9b388cdc4f692b92
SHA1 2f41ac178241a945be623fe2a7459c404c75aa78
SHA256 43de4747e60152780e1ede4e08e5125c99a5a4cd2815086a7ee63f955142a394
SHA512 a9fbf562170f2310141d6d7d7706e4178f004fd66f487c3ee22fa9b7132eedb94e2cbf45c6174f27a715579d7df3d4119b71db06ae5a680617cd8a22257ec360

memory/3344-72-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/5068-73-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/5068-82-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/5068-91-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/3344-107-0x00000000744B0000-0x00000000744EC000-memory.dmp

memory/3344-106-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/5068-108-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/5068-117-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/5068-126-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/5068-153-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/4268-169-0x0000000073530000-0x00000000735B8000-memory.dmp

memory/4268-168-0x00000000735C0000-0x00000000736CA000-memory.dmp

memory/4268-167-0x00000000736D0000-0x00000000736F4000-memory.dmp

memory/4268-166-0x0000000073700000-0x0000000073749000-memory.dmp

memory/4268-165-0x0000000073750000-0x000000007381E000-memory.dmp

memory/4268-164-0x0000000073820000-0x00000000738E8000-memory.dmp

memory/4268-163-0x00000000738F0000-0x0000000073BBF000-memory.dmp

memory/4268-162-0x0000000000990000-0x0000000000D94000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 5a9e2e29419bf828241d75ebd478b0ba
SHA1 9fee72795bc0a62d3717a90d9b392cd8c42a430d
SHA256 7cd79bcb4eb3ed232dc61cb9974bab720d99ff6417762ae57579d70158e5f926
SHA512 6d0188bb400d6c55ad7bc43c863530a17dd31793f5e81965ec4974881a64721a73ee1845910c7cabc62498ce77e27de51f14b430a612a116fbedd074a79bb0a2

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 ed5872df5b36b0fbadb69e491737321e
SHA1 b03b5d035a523b57b6b48261028eea255a4140a3
SHA256 63cdd3e8866003f31e8606c2ecfcaaeb3df5c977f9ad9af69e70522cdae1831a
SHA512 227e3635c0c0dd126c9082eb98ceac78d681b374825ebe81746e270592a9d96d4860d8ed3b1fa281d4115b4df61575bef116c00533cf800f80933001cffc7564

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 b389e1cea9a8855c01641c539a64ccf5
SHA1 40bde0553a34ef5ee44842f6eea6086c7b797bc9
SHA256 8829ccc7c46955aa357a66891d4511384421c7cf548034b6765f00674a71a247
SHA512 e1bbd0a22f865cada39dd32ba498af649ea0144eab9eddeccc4adf464e229b19b877e793d99a75f035ee24b5daa2ed74881139dd30b54c67ef36176c11d22e7d

memory/3344-200-0x0000000073320000-0x000000007335C000-memory.dmp

memory/4268-201-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/4268-204-0x0000000073750000-0x000000007381E000-memory.dmp

memory/4268-203-0x0000000073820000-0x00000000738E8000-memory.dmp

memory/4268-202-0x00000000738F0000-0x0000000073BBF000-memory.dmp

memory/4268-249-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/4180-265-0x0000000073530000-0x00000000735B8000-memory.dmp

memory/4180-264-0x00000000722C0000-0x00000000723CA000-memory.dmp

memory/4180-263-0x00000000735C0000-0x00000000735E4000-memory.dmp

memory/4180-262-0x00000000735F0000-0x0000000073639000-memory.dmp

memory/4180-261-0x0000000073640000-0x000000007370E000-memory.dmp

memory/4180-260-0x0000000073710000-0x00000000737D8000-memory.dmp

memory/4180-259-0x00000000723D0000-0x000000007269F000-memory.dmp

memory/4180-258-0x0000000000990000-0x0000000000D94000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 33641cd92307103fb663e48a297408ea
SHA1 eceec4ae61617c1afa5cb397fe07784a10c0645d
SHA256 214e7046d0ef7eb047d6482f3be51a0307678ba2eeca7327ae6cd4cc58529836
SHA512 00e632925c1a6596a83844a49b881faec4d6d32190f738e8c4df43d3f1cfd6a9c1639a1946cc5dfb5ae0858f7bb1865f060578de18b58afd9eca385f8c85b74a

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 61f260444a9dc8e464e6a8863fc23799
SHA1 6b46a64adbc0df678e85c6c2534c386403febd4f
SHA256 6013e59bf4cc5a36011da264d3b21efe9d54cd5881b8844801b14b7a4a7636c1
SHA512 a82a058de7df304c90b28ad79957097f58364c2645d31dad1bde8ec98c5a91f9d0e0350c6ef8faa18257bd41c176dc4cfee95685771ec5aeee5621ddc58bf163

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 867e1205f855c0b90d835fd45a7e8a53
SHA1 0120dc8b790bcdc4f426471646b83f6279e64d38
SHA256 5909ce2f957139031cdbed39b84bc6f17a6e6fe2240923c0057ecac9e7f94e87
SHA512 2b5ad18fe3db3c3c9631d583e17973887275d5deeaec12769f43260659ac202c125bd123de52b9c400f9c9ebcd58ff74c9cc225d602d3ea4641a2935cee269d5

memory/3344-290-0x0000000072090000-0x00000000720CC000-memory.dmp

memory/4180-292-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/4180-295-0x0000000073640000-0x000000007370E000-memory.dmp

memory/4180-294-0x0000000073710000-0x00000000737D8000-memory.dmp

memory/4180-293-0x00000000723D0000-0x000000007269F000-memory.dmp

memory/3344-296-0x0000000074520000-0x000000007455C000-memory.dmp

memory/3344-315-0x0000000073090000-0x00000000730CC000-memory.dmp

memory/4180-334-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/2576-349-0x00000000723D0000-0x000000007269F000-memory.dmp

memory/2576-348-0x0000000073530000-0x00000000735B8000-memory.dmp

memory/2576-347-0x00000000722C0000-0x00000000723CA000-memory.dmp

memory/2576-346-0x00000000735C0000-0x00000000735E4000-memory.dmp

memory/2576-345-0x00000000735F0000-0x0000000073639000-memory.dmp

memory/2576-344-0x0000000073640000-0x000000007370E000-memory.dmp

memory/2576-343-0x0000000073710000-0x00000000737D8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 f893b8731304cb2c8090b4fd5514be24
SHA1 f0b804cd095406cd267d9fce6dbb1054ac0a02bf
SHA256 dd8a654a5494169f984d3ab57a11b45bfed2beca0d2fce647a18684270c800c6
SHA512 4c25d631a7d071de872c2e2b0c597aeff4c6bc28f7668b123f8a4e7801f3a4eba0f52f50e6fadf92654a251a1ff5e7209d886fe5a45a8547b1a8516f99e32d44

memory/2576-366-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/2576-377-0x00000000735C0000-0x00000000735E4000-memory.dmp

memory/2576-376-0x0000000073640000-0x000000007370E000-memory.dmp

memory/2576-375-0x0000000073710000-0x00000000737D8000-memory.dmp

memory/2576-379-0x00000000723D0000-0x000000007269F000-memory.dmp

memory/3344-380-0x00000000744B0000-0x00000000744EC000-memory.dmp

memory/2576-407-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/1588-419-0x0000000073640000-0x000000007370E000-memory.dmp

memory/1588-425-0x00000000735F0000-0x0000000073639000-memory.dmp

memory/1588-424-0x0000000073530000-0x00000000735B8000-memory.dmp

memory/1588-423-0x00000000011B0000-0x00000000011F9000-memory.dmp

memory/1588-422-0x00000000722C0000-0x00000000723CA000-memory.dmp

memory/1588-421-0x00000000735C0000-0x00000000735E4000-memory.dmp

memory/1588-420-0x00000000723D0000-0x000000007269F000-memory.dmp

memory/1588-418-0x0000000073710000-0x00000000737D8000-memory.dmp

memory/1588-417-0x0000000000990000-0x0000000000D94000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 c6ca415efd8885bd7732f346cdce2f71
SHA1 c3c2851e26f1ebd6a9ce14032b21fc2396f49121
SHA256 a57efb9b7a2b656a0ba847d8c9bf59ee9c41a97608f0f152c7c764b85c3077c9
SHA512 1950fef96ceefb27e06d37e74e7cb77bbb115fce3ba0488e03ddc3c6af0caca454e98b58c1d5926e32cc76e9dc493196caeb087f1708abfa18b856cd14e87221

memory/1588-451-0x0000000000990000-0x0000000000D94000-memory.dmp

memory/1588-452-0x0000000073710000-0x00000000737D8000-memory.dmp

memory/1588-455-0x00000000011B0000-0x00000000011F9000-memory.dmp

memory/1588-454-0x00000000723D0000-0x000000007269F000-memory.dmp

memory/1588-453-0x0000000073640000-0x000000007370E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:33

Platform

win10v2004-20240426-en

Max time kernel

298s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1䈀" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2020 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
PL 51.38.134.104:443 tcp
FR 62.210.254.132:443 tcp
DE 131.188.40.188:80 tcp
US 8.8.8.8:53 188.40.188.131.in-addr.arpa udp
N/A 127.0.0.1:64711 tcp
N/A 127.0.0.1:45808 tcp
SE 193.11.114.43:9001 tcp
US 8.8.8.8:53 43.114.11.193.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 172.93.102.139:443 tcp
FR 51.210.148.166:9001 tcp
US 8.8.8.8:53 139.102.93.172.in-addr.arpa udp
US 8.8.8.8:53 166.148.210.51.in-addr.arpa udp
DE 157.90.212.53:443 tcp
US 8.8.8.8:53 53.212.90.157.in-addr.arpa udp
US 172.93.102.139:443 tcp
FR 51.210.148.166:9001 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 15.204.227.206:9100 tcp
US 8.8.8.8:53 206.227.204.15.in-addr.arpa udp
LV 94.140.120.130:443 tcp
US 8.8.8.8:53 130.120.140.94.in-addr.arpa udp
N/A 127.0.0.1:64855 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 89.248.165.40:9001 tcp
US 8.8.8.8:53 40.165.248.89.in-addr.arpa udp
DE 202.61.224.179:9030 tcp
US 15.204.227.206:9100 tcp
US 8.8.8.8:53 179.224.61.202.in-addr.arpa udp
DE 185.220.101.137:11137 tcp
US 8.8.8.8:53 137.101.220.185.in-addr.arpa udp
N/A 127.0.0.1:64970 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
US 136.53.157.170:9001 tcp
N/A 127.0.0.1:65050 tcp
FI 135.181.78.152:1656 tcp
US 8.8.8.8:53 170.157.53.136.in-addr.arpa udp
US 15.204.227.206:9100 tcp
US 8.8.8.8:53 152.78.181.135.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
DK 185.96.88.29:443 tcp
CZ 87.236.197.123:80 tcp
N/A 127.0.0.1:65128 tcp
US 8.8.8.8:53 123.197.236.87.in-addr.arpa udp
US 15.204.227.206:9100 tcp
N/A 127.0.0.1:45808 tcp
DK 185.129.62.62:9001 tcp
N/A 127.0.0.1:65208 tcp
US 15.204.220.109:8443 tcp
US 8.8.8.8:53 62.62.129.185.in-addr.arpa udp
US 8.8.8.8:53 109.220.204.15.in-addr.arpa udp
US 15.204.227.206:9100 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/2020-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2020-1-0x00000000751D0000-0x0000000075209000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/2636-41-0x00000000017D0000-0x0000000001858000-memory.dmp

memory/2636-43-0x0000000074090000-0x000000007435F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/2636-42-0x00000000017D0000-0x0000000001A9F000-memory.dmp

memory/2636-40-0x0000000074360000-0x00000000743E8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/2636-35-0x00000000743F0000-0x00000000744FA000-memory.dmp

memory/2636-34-0x0000000074650000-0x0000000074718000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/2636-32-0x0000000074500000-0x0000000074524000-memory.dmp

memory/2636-31-0x0000000074530000-0x00000000745FE000-memory.dmp

memory/2636-30-0x0000000074600000-0x0000000074649000-memory.dmp

memory/2636-29-0x0000000000900000-0x0000000000D04000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/2020-47-0x0000000073C80000-0x0000000073CB9000-memory.dmp

memory/2020-48-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2636-49-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/2636-56-0x0000000074090000-0x000000007435F000-memory.dmp

memory/2636-54-0x00000000743F0000-0x00000000744FA000-memory.dmp

memory/2636-53-0x0000000074500000-0x0000000074524000-memory.dmp

memory/2636-52-0x0000000074530000-0x00000000745FE000-memory.dmp

memory/2636-51-0x0000000074600000-0x0000000074649000-memory.dmp

memory/2636-50-0x0000000074650000-0x0000000074718000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/2020-65-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 2976e802f4f169364c03d0324c483e00
SHA1 bc3a73fa821fc478cf28ec3e98fa7e9af13236d4
SHA256 87f6b34c666587a49042c6b64604e3e1d4e68cf6bd8e79dec0ded6568367ad75
SHA512 34d1d23f14ea61de276e87e8602039f5a00e84e80c6dde9fbbc765fed71706310900a3c0dde25bb34303699acd625ac059f02e13f5e0c5d7f9fb6bf8f462018a

memory/2636-74-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/2636-84-0x00000000017D0000-0x0000000001858000-memory.dmp

memory/2636-85-0x00000000017D0000-0x0000000001A9F000-memory.dmp

memory/2020-93-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2636-94-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/2020-102-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2636-103-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/2636-112-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/2636-127-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/2636-144-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/2636-145-0x00000000017D0000-0x0000000001858000-memory.dmp

memory/2292-159-0x0000000074120000-0x000000007422A000-memory.dmp

memory/2292-161-0x0000000074450000-0x000000007471F000-memory.dmp

memory/2292-160-0x0000000074090000-0x0000000074118000-memory.dmp

memory/2292-158-0x0000000074230000-0x0000000074254000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 73c4dd64964beb82855a643cd55bc943
SHA1 6b6b3198e3b518704f0c540c78450446121318ce
SHA256 56b17ff407ffd9254580eb32211703b4df5ccb553f538999b4e2321c7ba7d057
SHA512 14faedc6121f7cc86ccd19944ea7df723b937d56ad5aa39fe6066ad1d2cb460b109218440830a113b8deb50a9bcb8609f4b4ac3f6427dfe879b597233810c9ad

memory/2292-157-0x0000000074260000-0x00000000742A9000-memory.dmp

memory/2292-156-0x00000000742B0000-0x000000007437E000-memory.dmp

memory/2292-155-0x0000000074380000-0x0000000074448000-memory.dmp

memory/2292-154-0x0000000000900000-0x0000000000D04000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 18897048a8cec5a88ae09c8c9dfc30e4
SHA1 1e925d20f1a396f10e8b351ad9bee8c3ec8c3c9e
SHA256 f3a0223d561181e9b596f59ad5004c3f451ef91c48230d7f8501f428cc952309
SHA512 c01848b13854eff1710b8880cbf57f8df381fb5b9d1d98da972a019118e7be832d7e93aeb35538e8bb09c6e18e7ea8e02ee6b3b58fdf9c8b285fc46e4e0cdfb1

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 c6d818c8dde5f24100c5383f6db16595
SHA1 3cc1de73ef86d949c63622774ca36f3a828e92ca
SHA256 bd8fd97d829084ae26849e5289f97d5838efdefd62f04a03fae04579e5136801
SHA512 ea017c04258b48cd1371a562a9a429607d625350478b2bef4c20e810a7aa33b0f33d8ca59d48a460128e57d9952ed58bc80c3bf949fee5550cd75483c79fe064

memory/2020-171-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2292-183-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/2292-192-0x0000000074380000-0x0000000074448000-memory.dmp

memory/2292-193-0x00000000742B0000-0x000000007437E000-memory.dmp

memory/2020-197-0x0000000072DA0000-0x0000000072DD9000-memory.dmp

memory/2292-196-0x0000000074090000-0x0000000074118000-memory.dmp

memory/2292-195-0x0000000074120000-0x000000007422A000-memory.dmp

memory/2292-194-0x0000000074230000-0x0000000074254000-memory.dmp

memory/2292-198-0x0000000074450000-0x000000007471F000-memory.dmp

memory/1800-260-0x0000000074450000-0x000000007471F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 3e517ab99211cfde535d66d73aac4d1d
SHA1 f67615ec021c5c7b9ead0fc146c778d35d09f7d0
SHA256 35869f150638fd2f9af24cbc4e5306e4ca8ad150dc217e004f6333a4d09f7ab5
SHA512 eee76d71cd0f271b068c6b26cbb120d9c4cce39aa4a497b353cd549047f04aae5a497c23df0e4efadfb1d45306a4707c0409ce232d4e62157858649d3d0cd242

memory/1800-259-0x00000000015D0000-0x0000000001658000-memory.dmp

memory/1800-258-0x0000000074090000-0x0000000074118000-memory.dmp

memory/1800-257-0x0000000074120000-0x000000007422A000-memory.dmp

memory/1800-256-0x0000000074260000-0x00000000742A9000-memory.dmp

memory/1800-255-0x00000000742B0000-0x000000007437E000-memory.dmp

memory/1800-254-0x0000000074380000-0x0000000074448000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 af8c45cad5f875d98531061763f3cee8
SHA1 46d9101623512c9b62a6c2f53897163a7310cf3f
SHA256 1ebc4887d4c1e2e588da3612cc688e7a0562f43299aa4298b56d5b0347d982d7
SHA512 3bf912e8b1397727dea9a73e003e6a62e804ce3bc5351a006cc4fcd3bb92558508364e48279d950881906ffce3ae782bec8e84d5e2f650121a401edbdacb9964

memory/2292-244-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/1800-276-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/1800-288-0x00000000015D0000-0x0000000001658000-memory.dmp

memory/1800-287-0x0000000074230000-0x0000000074254000-memory.dmp

memory/1800-286-0x00000000742B0000-0x000000007437E000-memory.dmp

memory/1800-285-0x0000000074380000-0x0000000074448000-memory.dmp

memory/1800-290-0x0000000074450000-0x000000007471F000-memory.dmp

memory/1800-318-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/2020-320-0x00000000751D0000-0x0000000075209000-memory.dmp

memory/3172-333-0x0000000074090000-0x00000000740B4000-memory.dmp

memory/3172-332-0x00000000740C0000-0x0000000074148000-memory.dmp

memory/3172-331-0x0000000074150000-0x000000007425A000-memory.dmp

memory/3172-330-0x0000000074260000-0x00000000742A9000-memory.dmp

memory/3172-329-0x0000000074380000-0x0000000074448000-memory.dmp

memory/3172-328-0x0000000074450000-0x000000007471F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 8584f8f5cec87211a2baaa57187e1d75
SHA1 b1b3e27d7a158d754e980c3fc440858504e5e94a
SHA256 2c8512c12748db59204ebb8a02a99d6649c9d03615dcb872713cb8416a6e2c9a
SHA512 282d4e391e9419d183e711ced33d94c91c60aa48b91f2c9e718ff938de659218fb2c975e845982364dc5664aeff70ff046a5da2dacc5a6d2026ef81b34def850

memory/2020-339-0x0000000073C80000-0x0000000073CB9000-memory.dmp

memory/3172-349-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/3172-350-0x0000000074450000-0x000000007471F000-memory.dmp

memory/3172-359-0x0000000074380000-0x0000000074448000-memory.dmp

memory/3172-360-0x00000000742B0000-0x000000007437E000-memory.dmp

memory/3172-388-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/3976-405-0x0000000001AE0000-0x0000000001DAF000-memory.dmp

memory/3976-404-0x0000000074380000-0x000000007464F000-memory.dmp

memory/3976-403-0x0000000074090000-0x00000000740B4000-memory.dmp

memory/3976-402-0x00000000740C0000-0x0000000074148000-memory.dmp

memory/3976-401-0x0000000074150000-0x000000007425A000-memory.dmp

memory/3976-400-0x0000000074260000-0x00000000742A9000-memory.dmp

memory/3976-399-0x00000000742B0000-0x000000007437E000-memory.dmp

memory/3976-398-0x0000000074650000-0x0000000074718000-memory.dmp

memory/3976-418-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/3976-427-0x0000000074650000-0x0000000074718000-memory.dmp

memory/3976-430-0x0000000074090000-0x00000000740B4000-memory.dmp

memory/3976-431-0x0000000074380000-0x000000007464F000-memory.dmp

memory/3976-429-0x0000000074150000-0x000000007425A000-memory.dmp

memory/3976-428-0x00000000742B0000-0x000000007437E000-memory.dmp

memory/3976-433-0x0000000001AE0000-0x0000000001DAF000-memory.dmp

memory/3976-470-0x0000000000900000-0x0000000000D04000-memory.dmp

memory/3208-479-0x0000000074090000-0x00000000740B4000-memory.dmp

memory/3208-478-0x00000000740C0000-0x0000000074148000-memory.dmp

memory/3208-477-0x0000000074150000-0x000000007425A000-memory.dmp

memory/3208-476-0x00000000013A0000-0x00000000013E9000-memory.dmp

memory/3208-475-0x0000000074260000-0x00000000742A9000-memory.dmp

memory/3208-474-0x00000000742B0000-0x000000007437E000-memory.dmp

memory/3208-473-0x0000000074380000-0x0000000074448000-memory.dmp

memory/3208-472-0x0000000074450000-0x000000007471F000-memory.dmp

memory/3208-471-0x0000000000900000-0x0000000000D04000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:33

Platform

win7-20240215-en

Max time kernel

300s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2356 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
SK 85.248.227.163:9001 tcp
FR 93.115.97.242:9001 tcp
CZ 195.123.245.141:443 tcp
FR 94.23.149.136:9100 tcp
FI 185.103.110.14:9001 tcp
N/A 127.0.0.1:49231 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:45808 tcp
FI 95.216.90.10:10000 tcp
FR 146.59.197.114:9001 tcp
N/A 127.0.0.1:49330 tcp
N/A 127.0.0.1:45808 tcp
US 108.181.57.253:9001 tcp
DE 46.4.66.178:9001 tcp
DE 185.220.101.203:443 tcp
N/A 127.0.0.1:49391 tcp
DE 185.220.101.203:443 tcp
DE 46.4.66.178:9001 tcp
N/A 127.0.0.1:45808 tcp
LT 212.24.100.138:9001 tcp
RO 79.119.54.37:9001 tcp
FI 95.217.39.117:4443 tcp
N/A 127.0.0.1:49505 tcp
LT 212.24.100.138:9001 tcp
RO 79.119.54.37:9001 tcp
N/A 127.0.0.1:45808 tcp
PL 54.37.139.118:9001 tcp
CZ 87.236.199.239:80 tcp
US 23.82.137.99:443 tcp
N/A 127.0.0.1:49584 tcp
CZ 87.236.199.239:80 tcp
N/A 127.0.0.1:45808 tcp
DE 37.120.174.249:443 tcp
DE 94.130.132.10:9066 tcp
N/A 127.0.0.1:49662 tcp
DE 185.126.117.202:9001 tcp
N/A 127.0.0.1:45808 tcp
NL 37.139.8.104:9001 tcp
BG 185.82.217.49:9001 tcp
N/A 127.0.0.1:49722 tcp
US 68.134.176.234:4433 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:49813 tcp
N/A 185.177.229.20:993 tcp

Files

memory/2356-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2356-19-0x0000000004080000-0x0000000004484000-memory.dmp

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/2356-26-0x0000000004080000-0x0000000004484000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/2548-39-0x0000000074DC0000-0x0000000074DE4000-memory.dmp

memory/2548-38-0x0000000074C90000-0x0000000074D18000-memory.dmp

memory/2548-37-0x00000000745E0000-0x00000000746EA000-memory.dmp

memory/2548-36-0x00000000746F0000-0x00000000747B8000-memory.dmp

memory/2548-35-0x0000000074D20000-0x0000000074D69000-memory.dmp

memory/2548-41-0x0000000074510000-0x00000000745DE000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/2548-40-0x00000000747C0000-0x0000000074A8F000-memory.dmp

memory/2548-34-0x0000000000180000-0x0000000000584000-memory.dmp

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/2356-56-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 e52dd1cd459fc2661715be4aff74a42f
SHA1 63b1478c971636a8203cc375838452b293ab179f
SHA256 3267348a0f751eb9204fd0b48ddb72f3ad06d58e87b8851e6f3aca7926946709
SHA512 abbfefec95d45bb4b2d84123b2892ede574294edeacec5b78f5d9c6e0f857ac754e423d36460c323286b2b85a5f7edcac76c54467e45857ce65f653a0bd7218c

memory/2548-63-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2548-69-0x0000000074510000-0x00000000745DE000-memory.dmp

memory/2548-66-0x00000000746F0000-0x00000000747B8000-memory.dmp

memory/2548-64-0x00000000747C0000-0x0000000074A8F000-memory.dmp

memory/2548-73-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2356-72-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2356-82-0x0000000004080000-0x0000000004484000-memory.dmp

memory/2548-74-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2356-83-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2548-84-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2548-93-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2548-103-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2984-132-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2984-131-0x0000000074D40000-0x0000000074D64000-memory.dmp

memory/2984-130-0x0000000074360000-0x000000007442E000-memory.dmp

memory/2984-129-0x0000000074820000-0x00000000748A8000-memory.dmp

memory/2984-128-0x00000000748B0000-0x00000000749BA000-memory.dmp

memory/2984-127-0x00000000749C0000-0x0000000074A88000-memory.dmp

memory/2984-126-0x0000000074CD0000-0x0000000074D19000-memory.dmp

memory/2984-125-0x00000000744F0000-0x00000000747BF000-memory.dmp

memory/2356-124-0x0000000004C10000-0x0000000005014000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 7cf8c8840f363fc74f9a74f7643b0b6b
SHA1 2cc53d10194fecb733fc77b43d30254ecab2b716
SHA256 f22d40694dc05593b13b978b241d3a6f9f8a63f107a2ced6a8155cb4610d0dae
SHA512 11523ca4181d4d61ec5fc9bc43a9e066b7ac73feb558bdb2d297247f08a40db53b650cb71c15d2081395e1b4583954096f673a72283a904bc7f47bf88e525e27

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 9cecc6e5ad020ea00a0f4289278122ee
SHA1 5e5af19e5725b29cb28011f96ff74b2800a9cf83
SHA256 760623fbcb86cefa6db2646f50c1d0ed5302cfaaf9855218a9685832d7a44f6b
SHA512 37725e0cd2616b435b7c8a4d929b9d5dc9e4caa389d50b3d32a5de888ab4cef6ba6e49d7df3e911e314d8610df0d89d8bb9c267cae3d1686d421dcfa50bddad3

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 f5d7fc7548a2b12a54024a77766c1067
SHA1 4266cd386e28756987fe885d967092296a1f3367
SHA256 bec44a0fdadc53e029c7556b39584b17395c652450742e28ee3eca2f8082c4da
SHA512 d35823cf6b105a64e1d361fcd430b6c4788eac9d2b22635da2b96e0a376c335616e7a04896ac654011fec5313cd1a00bea56eba0b07912a5fbb5c6c8ca9b57fa

memory/2356-144-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2984-145-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2984-146-0x00000000744F0000-0x00000000747BF000-memory.dmp

memory/2984-151-0x0000000074360000-0x000000007442E000-memory.dmp

memory/2984-148-0x00000000749C0000-0x0000000074A88000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 d15553c1ccff0d1bb17d4c4906201e45
SHA1 84963b91a7997347b03299fdbfba84653dd20967
SHA256 2977aa04db284398f83835162a092fbbbb6700ab19af59e3a18ba20c7f238c55
SHA512 f7ecb71cd524749767b1309c511e934d9e04af48c6a48a4b4851c981c0ebc2e54986fd74af81a936f83975a3e666c9d2d641137c6d3226382eb7d27eea2cc62d

memory/2984-159-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2984-187-0x0000000000180000-0x0000000000584000-memory.dmp

memory/1672-210-0x00000000747C0000-0x0000000074A8F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 8fd8d25ea96030d2ab6b5020914b157a
SHA1 4f99c54b219afe00bc0db1fd533d427f57b7bd33
SHA256 0d711f6318367cf7567d3049953b6ffba71ee139c12ada87ffe6c9ac64f22f5e
SHA512 a69bc062e428ab549f8d5638248e00b9c8e98a8c7925801f4889f56d573d0cd5dd181d48284c1c0d160d448fa0b3470b3f9c3e7195c2d858cc061397394a299e

memory/1672-207-0x0000000074DC0000-0x0000000074DE4000-memory.dmp

memory/1672-206-0x0000000074510000-0x00000000745DE000-memory.dmp

memory/1672-205-0x0000000074C90000-0x0000000074D18000-memory.dmp

memory/1672-204-0x00000000745E0000-0x00000000746EA000-memory.dmp

memory/1672-203-0x00000000746F0000-0x00000000747B8000-memory.dmp

memory/1672-202-0x0000000074D20000-0x0000000074D69000-memory.dmp

memory/1672-201-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2356-200-0x0000000004C10000-0x0000000005014000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 3d39846e1c82d179d3260a29d3708a2f
SHA1 56bd77f0d5857eec0449d13f8fa4a02e16c92ccc
SHA256 ba267f410a602f492575dc761cc2099548c81c5e2ac1fad3471573f72a43b374
SHA512 35be0216dbbf2fc3b8101a1dfb85e24246acb5f1db1a8332a7bdbc2e7ea9c8c5d4159c0bf67276324f51f513fc5556b170a8ac0998a18ce5d6a326e598039cde

memory/2356-232-0x0000000004C10000-0x0000000005014000-memory.dmp

memory/1672-241-0x0000000000180000-0x0000000000584000-memory.dmp

memory/1672-243-0x0000000074510000-0x00000000745DE000-memory.dmp

memory/1672-242-0x00000000746F0000-0x00000000747B8000-memory.dmp

memory/1672-244-0x00000000747C0000-0x0000000074A8F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 24ab6e513ea7b72024412b4e3a0cafa6
SHA1 249104e26d0b3a5563e2ead9b67e24bbec64fea2
SHA256 7227da35a6f0086491b9e87259c88c19f5648b691a1fa05dc1f99f674deaf163
SHA512 6c0f5eb595c5503f7114abba95e9accb6497379053d66e9dea46f49c43b680f2fa6bbad27564468a703f742d13e4c78ef3241e66d111681f57fd751e05939f0f

memory/2672-293-0x0000000074DC0000-0x0000000074DE4000-memory.dmp

memory/2672-292-0x0000000074510000-0x00000000745DE000-memory.dmp

memory/2672-291-0x0000000074C90000-0x0000000074D18000-memory.dmp

memory/2672-290-0x00000000745E0000-0x00000000746EA000-memory.dmp

memory/2672-289-0x00000000746F0000-0x00000000747B8000-memory.dmp

memory/2672-288-0x0000000074D20000-0x0000000074D69000-memory.dmp

memory/2672-287-0x00000000747C0000-0x0000000074A8F000-memory.dmp

memory/2672-286-0x0000000000180000-0x0000000000584000-memory.dmp

memory/1672-277-0x0000000000180000-0x0000000000584000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 c0e01a0d51bc110f279329b3a4135d52
SHA1 8687e567f580ff20d695af2053350b0540afeb74
SHA256 154bae874f8454e36a7b8cdc19dcffd4b4e6e3d42da4593a872f4f98768cb01c
SHA512 7acf2d59b23e9db89a570cc6e5239d92cf18c9b65a2c7f1cb2d5540f22a46eb8269e2719cde9b5615a48a06b2f1ede2eb6a0361d80cead075c1eabdfe57bed5f

memory/2672-326-0x00000000746F0000-0x00000000747B8000-memory.dmp

memory/2672-325-0x00000000747C0000-0x0000000074A8F000-memory.dmp

memory/2672-327-0x0000000074510000-0x00000000745DE000-memory.dmp

memory/2672-324-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2356-323-0x0000000004C10000-0x0000000005014000-memory.dmp

memory/2672-348-0x0000000000180000-0x0000000000584000-memory.dmp

memory/1684-365-0x0000000074D40000-0x0000000074D64000-memory.dmp

memory/1684-364-0x0000000074360000-0x000000007442E000-memory.dmp

memory/1684-363-0x0000000074820000-0x00000000748A8000-memory.dmp

memory/1684-362-0x00000000748B0000-0x00000000749BA000-memory.dmp

memory/1684-361-0x00000000749C0000-0x0000000074A88000-memory.dmp

memory/1684-360-0x0000000074CD0000-0x0000000074D19000-memory.dmp

memory/1684-359-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2356-358-0x0000000004C10000-0x0000000005014000-memory.dmp

memory/1684-366-0x00000000744F0000-0x00000000747BF000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 c8d82052e8aec210515e2c3725c9e0ad
SHA1 f3fd58632e6ba05c1ca707332bdf730dfa67fba4
SHA256 10b1f5d7be34941703250d92a1c487e367daa969634ab5b5b285415ca2412213
SHA512 0dead69bfa47742cb41e9176d2dbbcd9b0c17141a5a471eb6562a1863d2e43efa003545142d4e6d700f5b0038087614d5f64d720b55aa438a1cb947d1505b1bb

memory/2356-383-0x0000000004C10000-0x0000000005014000-memory.dmp

memory/1684-392-0x0000000000180000-0x0000000000584000-memory.dmp

memory/1684-394-0x0000000074360000-0x000000007442E000-memory.dmp

memory/1684-393-0x00000000749C0000-0x0000000074A88000-memory.dmp

memory/1684-395-0x00000000744F0000-0x00000000747BF000-memory.dmp

memory/1684-427-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2356-428-0x0000000004C10000-0x0000000005014000-memory.dmp

memory/1700-431-0x0000000074CD0000-0x0000000074D19000-memory.dmp

memory/1700-430-0x00000000744F0000-0x00000000747BF000-memory.dmp

memory/1700-433-0x00000000748B0000-0x00000000749BA000-memory.dmp

memory/1700-436-0x0000000074D40000-0x0000000074D64000-memory.dmp

memory/1700-435-0x0000000074360000-0x000000007442E000-memory.dmp

memory/1700-434-0x0000000074820000-0x00000000748A8000-memory.dmp

memory/1700-432-0x00000000749C0000-0x0000000074A88000-memory.dmp

memory/1700-429-0x0000000000180000-0x0000000000584000-memory.dmp

memory/1700-463-0x00000000749C0000-0x0000000074A88000-memory.dmp

memory/1700-462-0x00000000744F0000-0x00000000747BF000-memory.dmp

memory/1700-464-0x0000000074360000-0x000000007442E000-memory.dmp

memory/1700-461-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2356-460-0x0000000004C10000-0x0000000005014000-memory.dmp

memory/1700-485-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2356-489-0x0000000004C10000-0x0000000005014000-memory.dmp

memory/1864-490-0x0000000000180000-0x0000000000584000-memory.dmp

memory/2356-515-0x0000000004C10000-0x0000000005014000-memory.dmp

memory/1864-516-0x0000000000180000-0x0000000000584000-memory.dmp

memory/1864-568-0x0000000000180000-0x0000000000584000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:33

Platform

win10-20240404-en

Max time kernel

300s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1밀" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1᐀" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1뜀" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 168 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 168 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 168 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4472 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
FR 163.172.53.84:443 tcp
US 8.8.8.8:53 84.53.172.163.in-addr.arpa udp
NO 193.35.52.53:9001 tcp
DK 85.235.250.88:443 tcp
N/A 127.0.0.1:49810 tcp
US 66.111.2.16:9001 tcp
US 154.35.175.225:443 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 16.2.111.66.in-addr.arpa udp
DE 93.90.202.104:20 tcp
NL 5.2.70.140:443 tcp
US 8.8.8.8:53 104.202.90.93.in-addr.arpa udp
NL 208.67.104.129:9200 tcp
US 8.8.8.8:53 129.104.67.208.in-addr.arpa udp
US 20.231.121.79:80 tcp
N/A 127.0.0.1:45808 tcp
DE 93.90.202.104:20 tcp
DE 89.58.43.207:9001 tcp
N/A 127.0.0.1:49934 tcp
US 8.8.8.8:53 207.43.58.89.in-addr.arpa udp
FR 94.23.149.136:9000 tcp
US 8.8.8.8:53 136.149.23.94.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
FI 95.217.112.245:80 tcp
US 8.8.8.8:53 245.112.217.95.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
FR 163.5.121.253:9000 tcp
US 8.8.8.8:53 253.121.5.163.in-addr.arpa udp
DE 89.58.43.207:9001 tcp
N/A 127.0.0.1:50038 tcp
N/A 127.0.0.1:45808 tcp
DE 93.177.65.182:443 tcp
US 8.8.8.8:53 182.65.177.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:50128 tcp
CA 198.100.153.7:9000 tcp
FR 163.5.121.253:9000 tcp
US 8.8.8.8:53 7.153.100.198.in-addr.arpa udp
DE 89.58.43.207:9001 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
DE 185.94.29.93:443 tcp
N/A 127.0.0.1:50211 tcp
FR 163.5.121.253:9000 tcp
US 8.8.8.8:53 93.29.94.185.in-addr.arpa udp
DE 89.58.43.207:9001 tcp
CA 198.100.153.7:9000 tcp
N/A 127.0.0.1:45808 tcp
US 204.8.96.83:443 tcp
N/A 127.0.0.1:50300 tcp

Files

memory/4472-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4472-1-0x0000000073AA0000-0x0000000073ADA000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/1248-26-0x0000000000880000-0x0000000000C84000-memory.dmp

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/1248-34-0x00000000739F0000-0x0000000073A14000-memory.dmp

memory/1248-36-0x0000000001800000-0x0000000001ACF000-memory.dmp

memory/1248-40-0x0000000000C90000-0x0000000000D18000-memory.dmp

memory/1248-39-0x0000000072B10000-0x0000000072B98000-memory.dmp

memory/1248-38-0x0000000073B20000-0x0000000073B69000-memory.dmp

memory/1248-37-0x0000000072BA0000-0x0000000072E6F000-memory.dmp

memory/1248-35-0x0000000072E70000-0x0000000072F7A000-memory.dmp

memory/1248-33-0x0000000072F80000-0x0000000073048000-memory.dmp

memory/1248-31-0x0000000073050000-0x000000007311E000-memory.dmp

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/4472-44-0x0000000072800000-0x000000007283A000-memory.dmp

memory/4472-45-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/1248-54-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/1248-59-0x0000000072E70000-0x0000000072F7A000-memory.dmp

memory/1248-58-0x00000000739F0000-0x0000000073A14000-memory.dmp

memory/1248-57-0x0000000072F80000-0x0000000073048000-memory.dmp

memory/1248-56-0x0000000073050000-0x000000007311E000-memory.dmp

memory/1248-61-0x0000000072BA0000-0x0000000072E6F000-memory.dmp

memory/4472-63-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 3b7faeea81fbf9171deb51a7cb820548
SHA1 07f8f1bc00fe4294e9dca1551fb7fa52f28573d3
SHA256 505adfcb05dcc8c83bcfdf3fbb8b8299af48bac9ba4ba4e14361e23f744e8188
SHA512 4972bf6389cadc18596d2fdb3921bda9988c2389d4ff0b931bd0b404badae382482e3482aca2e18c422f0318df01eb86ce630501bd7e2e57b4f79ff4b7e54674

memory/1248-71-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/1248-84-0x0000000001800000-0x0000000001ACF000-memory.dmp

memory/1248-76-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/1248-85-0x0000000000C90000-0x0000000000D18000-memory.dmp

memory/4472-86-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1248-87-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/1248-101-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/1248-110-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/1248-119-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/1248-129-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/760-151-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/760-150-0x0000000072F80000-0x0000000073008000-memory.dmp

memory/760-149-0x0000000073010000-0x000000007311A000-memory.dmp

memory/760-148-0x00000000731C0000-0x00000000731E4000-memory.dmp

memory/760-147-0x0000000073B20000-0x0000000073B69000-memory.dmp

memory/760-146-0x00000000731F0000-0x00000000732BE000-memory.dmp

memory/760-145-0x00000000739E0000-0x0000000073AA8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 73c4dd64964beb82855a643cd55bc943
SHA1 6b6b3198e3b518704f0c540c78450446121318ce
SHA256 56b17ff407ffd9254580eb32211703b4df5ccb553f538999b4e2321c7ba7d057
SHA512 14faedc6121f7cc86ccd19944ea7df723b937d56ad5aa39fe6066ad1d2cb460b109218440830a113b8deb50a9bcb8609f4b4ac3f6427dfe879b597233810c9ad

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 fe85b792cc3adf3d2d63cb01e2698dc4
SHA1 397f455b998b2bda640b97edcf2c7d93bc1d8f27
SHA256 9220a285b51591598c57d10e530a8a8cd29858ca95008abd1b0a3d506a8cdf31
SHA512 855fdb7a4817cdbd65c9744c31c403abc96c96bb5172741217c34c7ca70104b1ba6d0fc0c79efc5c42b85245cfa6a1fe9a98f1050d07474d9535f66030a02d36

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 498107148e7083f88855574a83ff6a02
SHA1 432151fb8b77a41ce667f22a7b62b3642025e1b4
SHA256 07614730253cc542014a1c26b7323020a4e6b8ee8fd6c0aedb4e874cb1456f81
SHA512 9a6dc51c56ffd8b6b7ab84d7f5143b512569bc710e45b953f96fa5440af73e36c9808679708e28a5dbd0a66588fe9e11083865ba94832a8c494e44fc7f96f93e

memory/760-173-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/4472-185-0x0000000072CF0000-0x0000000072D2A000-memory.dmp

memory/760-184-0x00000000731C0000-0x00000000731E4000-memory.dmp

memory/760-183-0x00000000731F0000-0x00000000732BE000-memory.dmp

memory/760-182-0x00000000739E0000-0x0000000073AA8000-memory.dmp

memory/760-186-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/760-232-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/4912-248-0x00000000732F0000-0x0000000073314000-memory.dmp

memory/4912-247-0x0000000072E50000-0x000000007311F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 63884b0a76110a4ac5f8c32bd564762a
SHA1 962df9e0baf01e4c3287b08a1e3049585987d75c
SHA256 235f2352170fce16a0e114e183e1128d5fde509497f58c9149456bc4a78c210e
SHA512 9a34c08c1a6e57c3d93a2495f5b575986be5966fe95b216cd489adda599c8e8f12d66630705d31d8c82b6cce332e953c71e11ff6cfe871e6bf41c2459d4a6bba

memory/4912-246-0x0000000073320000-0x00000000733A8000-memory.dmp

memory/4912-245-0x00000000733B0000-0x00000000734BA000-memory.dmp

memory/4912-244-0x0000000073B20000-0x0000000073B69000-memory.dmp

memory/4912-243-0x00000000734C0000-0x000000007358E000-memory.dmp

memory/4912-242-0x00000000739E0000-0x0000000073AA8000-memory.dmp

memory/4912-241-0x0000000000880000-0x0000000000C84000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 ede33e27556a4e16e10e31ed08d28b3d
SHA1 dfca647b16666258cb8def96808a5b4c4612829c
SHA256 8aee8acf35d4d9188039eae88945ebbc11a27b0980180c846d97dda439fc054a
SHA512 165aeb01b428e253577a17d57e65e5bea922aade3ab9d606344ca57b9200a8b5dc50b6f8688e3a0087ec354b081417f742fba83febc4b94f195f7f4b3d0f4da5

memory/4472-272-0x00000000731E0000-0x000000007321A000-memory.dmp

memory/4912-273-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/4912-276-0x0000000072E50000-0x000000007311F000-memory.dmp

memory/4912-275-0x00000000734C0000-0x000000007358E000-memory.dmp

memory/4912-274-0x00000000739E0000-0x0000000073AA8000-memory.dmp

memory/4912-313-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/868-327-0x0000000072F80000-0x0000000073008000-memory.dmp

memory/868-328-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/868-326-0x0000000073010000-0x000000007311A000-memory.dmp

memory/868-325-0x00000000731C0000-0x00000000731E4000-memory.dmp

memory/868-324-0x0000000073B20000-0x0000000073B69000-memory.dmp

memory/868-323-0x0000000000880000-0x0000000000C84000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 b28bf287fa34a6c45aa44c06ca91597c
SHA1 d4e966d8874397f5334a9492ea5a885b8b0324ef
SHA256 a2802a4a59e4750ea98e2e8d0108e44f48b7daea32b2f631bc1d90e0210dfd21
SHA512 7edb39ffb7921c78e6f7b1cd29e40898355380bb45acbdbd42db0a16b9bfa33bf22c0106875a05d5135c97e0149ed580ab83eaf9ef45e8047eab18c3dd5634ba

memory/868-343-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/4472-355-0x0000000072CF0000-0x0000000072D2A000-memory.dmp

memory/868-354-0x00000000731C0000-0x00000000731E4000-memory.dmp

memory/868-353-0x00000000731F0000-0x00000000732BE000-memory.dmp

memory/868-352-0x00000000739E0000-0x0000000073AA8000-memory.dmp

memory/868-356-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/868-390-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/168-401-0x0000000072F80000-0x0000000073008000-memory.dmp

memory/168-402-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/168-400-0x0000000073010000-0x000000007311A000-memory.dmp

memory/168-399-0x0000000073B20000-0x0000000073B69000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 576d9470d9556b5a0fa1cda8240254c3
SHA1 19a8c51170ceb9b83549751361ff3ca291170f83
SHA256 2fdea6c4631881414335ab1a8732830916e271f7c4a046c5e4b8acae9f90fe53
SHA512 7ee099042671cf0c3d51c054eb9d9c099d4fdb80ebcfaa78a0a1b3a8a3df39f15e7e05e67f0b54a07d0a04d07ab3735461c14e1f429304bc48e8050531779ef8

memory/168-417-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/168-428-0x00000000731C0000-0x00000000731E4000-memory.dmp

memory/168-427-0x00000000731F0000-0x00000000732BE000-memory.dmp

memory/4472-429-0x0000000072240000-0x000000007227A000-memory.dmp

memory/168-426-0x00000000739E0000-0x0000000073AA8000-memory.dmp

memory/168-431-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/4472-432-0x0000000072CF0000-0x0000000072D2A000-memory.dmp

memory/168-477-0x0000000000880000-0x0000000000C84000-memory.dmp

memory/3020-485-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/3020-484-0x0000000073B20000-0x0000000073B69000-memory.dmp

memory/3020-483-0x0000000072F80000-0x0000000073008000-memory.dmp

memory/3020-482-0x00000000007D0000-0x0000000000819000-memory.dmp

memory/3020-481-0x0000000073010000-0x000000007311A000-memory.dmp

memory/3020-480-0x00000000007D0000-0x0000000000819000-memory.dmp

memory/3020-479-0x00000000731C0000-0x00000000731E4000-memory.dmp

memory/3020-478-0x00000000739E0000-0x0000000073AA8000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:33

Platform

win10v2004-20240419-en

Max time kernel

298s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 5036 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
SE 85.230.178.139:443 tcp
N/A 127.0.0.1:55072 tcp
NL 185.246.152.22:443 tcp
FR 62.210.254.132:443 tcp
RU 213.141.138.174:9001 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 37.153.1.10:9001 tcp
US 128.31.0.39:9101 tcp
FR 163.172.176.167:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 204.13.164.118:443 tcp
US 8.8.8.8:53 118.164.13.204.in-addr.arpa udp
US 209.127.116.162:443 tcp
DE 213.109.161.242:8443 tcp
US 8.8.8.8:53 242.161.109.213.in-addr.arpa udp
US 8.8.8.8:53 162.116.127.209.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
DE 213.109.161.242:8443 tcp
US 209.127.116.162:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FR 94.23.149.136:9000 tcp
N/A 127.0.0.1:55243 tcp
US 8.8.8.8:53 136.149.23.94.in-addr.arpa udp
NL 77.174.62.158:9001 tcp
US 8.8.8.8:53 158.62.174.77.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:55350 tcp
US 66.111.2.20:9001 tcp
US 8.8.8.8:53 20.2.111.66.in-addr.arpa udp
FR 94.23.149.136:9000 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:55423 tcp
NL 51.158.201.235:8080 tcp
FR 94.23.149.136:9000 tcp
US 8.8.8.8:53 235.201.158.51.in-addr.arpa udp
US 66.111.2.20:9001 tcp
N/A 127.0.0.1:45808 tcp
US 138.91.171.81:80 tcp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
N/A 127.0.0.1:55506 tcp
FR 51.254.96.208:9001 tcp
US 66.111.2.20:9001 tcp
US 8.8.8.8:53 208.96.254.51.in-addr.arpa udp
FR 94.23.149.136:9000 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:55566 tcp
DE 5.199.142.236:9001 tcp
FR 94.23.149.136:9000 tcp
US 66.111.2.20:9001 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp

Files

memory/5036-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/5036-1-0x0000000074710000-0x0000000074749000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/4992-19-0x0000000000910000-0x0000000000D14000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/4992-38-0x0000000073B80000-0x0000000073C48000-memory.dmp

memory/4992-39-0x0000000073B30000-0x0000000073B79000-memory.dmp

memory/4992-40-0x0000000073A60000-0x0000000073B2E000-memory.dmp

memory/4992-45-0x0000000001500000-0x00000000017CF000-memory.dmp

memory/4992-46-0x00000000735C0000-0x000000007388F000-memory.dmp

memory/4992-44-0x0000000001500000-0x0000000001588000-memory.dmp

memory/4992-43-0x0000000073890000-0x0000000073918000-memory.dmp

memory/4992-42-0x0000000073920000-0x0000000073A2A000-memory.dmp

memory/4992-41-0x0000000073A30000-0x0000000073A54000-memory.dmp

memory/5036-47-0x00000000732A0000-0x00000000732D9000-memory.dmp

memory/5036-48-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4992-49-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/5036-57-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4992-66-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/4992-58-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/4992-67-0x0000000001500000-0x0000000001588000-memory.dmp

memory/4992-69-0x0000000000910000-0x0000000000D14000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/4992-87-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/5036-96-0x00000000746D0000-0x0000000074709000-memory.dmp

memory/5036-95-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4992-97-0x0000000000910000-0x0000000000D14000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 8ec966f924f26a5194dd2abaf7c1bb54
SHA1 9111d8c067b1a3ad67de717f4cfae87a468b2194
SHA256 0a4bf5f6d25a9aba83302ae74861fdaaec391d13e5c08f5f7ea438896e1f7c18
SHA512 fb9455e4257ce4a65fce507948fe60632c0396835ce53a744be58134a4e26339fed9e4673d25283c625d4b80749d2c4ccf588dd73526a2c292e6882693485060

memory/5036-111-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4992-112-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/4992-127-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/4992-156-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/1636-172-0x0000000073660000-0x00000000736E8000-memory.dmp

memory/1636-171-0x00000000736F0000-0x00000000737FA000-memory.dmp

memory/1636-170-0x0000000073800000-0x0000000073824000-memory.dmp

memory/1636-169-0x0000000073830000-0x0000000073879000-memory.dmp

memory/1636-168-0x0000000073880000-0x000000007394E000-memory.dmp

memory/1636-167-0x0000000073950000-0x0000000073A18000-memory.dmp

memory/1636-166-0x0000000073A20000-0x0000000073CEF000-memory.dmp

memory/1636-165-0x0000000000910000-0x0000000000D14000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 476cf3d4249c28846aa114b365e4a969
SHA1 8d56cc428722e578a69b53e7113933ad962f7640
SHA256 1d53d8c66cefbef74f70c70cc3ea36077a288715a045b0ff71a23bfcf5acca07
SHA512 e69170d9519c77c3a9082d8fd0e24a413c0c92b59d9da7e7400061639e90185019178b532c49afa82d26282ec9669508f994e51ce52cef73c3432ed47a89c14e

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 eb42bae5160f7dc8a0d9c2ffa4f137e5
SHA1 49103a6a3a63099344b5179c6b50daec7b6c7634
SHA256 fef657497951d8299097ef19b1e558c472031365bc7c7e5b6dfed881fdbcb054
SHA512 9ef01a84210325cf18b7f84754d5c900b0e81ed7fad45d519cbc8f9745c25cd913072e5922fe7a3ee457528d330cca2170280bd27480478651a367cfead1b6d7

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 31b155f719d94f1a5910e530c5da9c5c
SHA1 5c110d0e9a9bf97ba363ff17a94dc8c54181ab85
SHA256 b244b1b710ef4928921d1e3df8c85f8ee716e87d99107b58f026d1a3c8d373c1
SHA512 1ec79ad39468087b52d44799fb6d48734f9d9a4589399e0f584ff70a81098cd5ba3b45311c36c01b3460b4b55535edebcabf00f058d0b5d50bae83a5518049b2

memory/5036-202-0x0000000073230000-0x0000000073269000-memory.dmp

memory/1636-203-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/1636-206-0x0000000073880000-0x000000007394E000-memory.dmp

memory/1636-205-0x0000000073950000-0x0000000073A18000-memory.dmp

memory/1636-204-0x0000000073A20000-0x0000000073CEF000-memory.dmp

memory/1636-249-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/4992-251-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/4992-265-0x00000000724E0000-0x00000000725EA000-memory.dmp

memory/4992-264-0x0000000073660000-0x00000000736E8000-memory.dmp

memory/4992-263-0x00000000736F0000-0x0000000073714000-memory.dmp

memory/4992-262-0x0000000073720000-0x0000000073769000-memory.dmp

memory/4992-261-0x0000000073770000-0x000000007383E000-memory.dmp

memory/4992-260-0x0000000073840000-0x0000000073908000-memory.dmp

memory/4992-259-0x00000000725F0000-0x00000000728BF000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 ce3793c1c145d996baec1df26db83870
SHA1 32ee3f7d9862737a62e6657df01410d284da88de
SHA256 d9d50c631ff901350638cb58bff0f2efe54f1ca97f6fdf463a0754323470518e
SHA512 07bcb15be8f9b8ebbe6c994abb3b411ff3eabe2235d8af36aab7f7e6fccee745a715683ff6d8b096422896045fc871f80ca6e88e7265598f697eb9cf171df93a

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 ed11f09b76934497b0957c372f84d777
SHA1 bb0038306362b624df136ea6f0aae7deb09cec2d
SHA256 16376b28287766974e2f48876561ffebf44878e6e899089620249d245ff5d0c1
SHA512 7fca78b3b43e896cf89eb55a4b0cb4f8918466581e5d6f5afd2064589733f84b5153a4d6dc94ac2216d2180ff2b9bdfde780738c349ab819028a1c0e879da417

memory/4992-283-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/4992-292-0x00000000725F0000-0x00000000728BF000-memory.dmp

memory/5036-296-0x00000000722D0000-0x0000000072309000-memory.dmp

memory/4992-295-0x00000000736F0000-0x0000000073714000-memory.dmp

memory/4992-294-0x0000000073770000-0x000000007383E000-memory.dmp

memory/4992-293-0x0000000073840000-0x0000000073908000-memory.dmp

memory/5036-306-0x0000000074710000-0x0000000074749000-memory.dmp

memory/4992-316-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/4212-333-0x0000000073660000-0x0000000073684000-memory.dmp

memory/4212-332-0x0000000073690000-0x0000000073718000-memory.dmp

memory/4212-331-0x00000000724E0000-0x00000000725EA000-memory.dmp

memory/4212-330-0x0000000073720000-0x0000000073769000-memory.dmp

memory/4212-329-0x0000000073770000-0x000000007383E000-memory.dmp

memory/4212-328-0x0000000073840000-0x0000000073908000-memory.dmp

memory/4212-327-0x00000000725F0000-0x00000000728BF000-memory.dmp

memory/4212-326-0x0000000000910000-0x0000000000D14000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 4f07c891ed6c53a588d99cc8e320d907
SHA1 c2b7f5b854aaa7147e99f271841b2439ab3b4683
SHA256 c71eb79f5f8b26589da3f7827ecfeea7ff7a8619c281b74e065406c94d2e5113
SHA512 44c118685852d897f0f1fc6485a560ab0b2044de4641ff7c382713ebcd79666943a8b871b2cb9c9f81070505c78af85b447930ee07fa27c1b2bedc6778bbd9b7

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 af69fe1379b902ac0242203f697ce6cf
SHA1 276925af6385dccff52daaeafae428b871ba3987
SHA256 c49c97536738e7e3a02cbae2f26b8afdc9186429eaa3cf8a346055dda5ce81e2
SHA512 31a889920a49ee5d1124c91a8c9ca329658ffe20b810ccfe4fa402e92e20e819819bfb564b90f6677209f464b75b1821f05b1ff2c12d1e6d48d208ba8a8dc88a

memory/5036-339-0x00000000732A0000-0x00000000732D9000-memory.dmp

memory/4212-350-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/4212-359-0x00000000725F0000-0x00000000728BF000-memory.dmp

memory/4212-361-0x0000000073770000-0x000000007383E000-memory.dmp

memory/4212-360-0x0000000073840000-0x0000000073908000-memory.dmp

memory/4212-389-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/5036-405-0x00000000746D0000-0x0000000074709000-memory.dmp

memory/3408-404-0x00000000725F0000-0x00000000728BF000-memory.dmp

memory/3408-403-0x0000000073660000-0x00000000736E8000-memory.dmp

memory/3408-402-0x00000000724E0000-0x00000000725EA000-memory.dmp

memory/3408-401-0x00000000736F0000-0x0000000073714000-memory.dmp

memory/3408-400-0x0000000073720000-0x0000000073769000-memory.dmp

memory/3408-399-0x0000000073770000-0x000000007383E000-memory.dmp

memory/3408-398-0x0000000073840000-0x0000000073908000-memory.dmp

memory/3408-419-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/3408-428-0x0000000073840000-0x0000000073908000-memory.dmp

memory/3408-430-0x00000000736F0000-0x0000000073714000-memory.dmp

memory/3408-432-0x0000000073660000-0x00000000736E8000-memory.dmp

memory/3408-431-0x00000000724E0000-0x00000000725EA000-memory.dmp

memory/3408-429-0x0000000073770000-0x000000007383E000-memory.dmp

memory/3408-433-0x00000000725F0000-0x00000000728BF000-memory.dmp

memory/3408-452-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/1008-454-0x0000000073840000-0x0000000073908000-memory.dmp

memory/1008-458-0x0000000073660000-0x00000000736E8000-memory.dmp

memory/1008-457-0x00000000724E0000-0x00000000725EA000-memory.dmp

memory/1008-456-0x0000000073720000-0x0000000073769000-memory.dmp

memory/1008-455-0x0000000073770000-0x000000007383E000-memory.dmp

memory/1008-479-0x0000000000910000-0x0000000000D14000-memory.dmp

memory/5036-480-0x0000000073230000-0x0000000073269000-memory.dmp

memory/1008-481-0x00000000725F0000-0x00000000728BF000-memory.dmp

memory/1008-482-0x0000000073840000-0x0000000073908000-memory.dmp

memory/1008-484-0x00000000736F0000-0x0000000073714000-memory.dmp

memory/1008-483-0x0000000073770000-0x000000007383E000-memory.dmp