Analysis Overview
SHA256
a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Threat Level: Known bad
The file a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449 was found to be: Known bad.
Malicious Activity Summary
Bitrat family
BitRAT
Loads dropped DLL
Checks computer location settings
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-07 12:28
Signatures
Bitrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:38
Platform
win11-20240419-en
Max time kernel
599s
Max time network
601s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49775 | tcp | |
| FR | 37.187.102.186:9001 | tcp | |
| FR | 176.31.103.150:9001 | tcp | |
| AT | 37.252.185.182:8080 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| NL | 192.87.28.28:9001 | tcp | |
| SE | 171.25.193.9:80 | tcp | |
| US | 8.8.8.8:53 | 9.193.25.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.28.87.192.in-addr.arpa | udp |
| AT | 89.58.61.42:9001 | tcp | |
| US | 131.153.152.146:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49910 | tcp | |
| DE | 167.86.74.109:443 | tcp | |
| DE | 144.76.166.199:9002 | tcp | |
| DE | 144.76.166.199:9002 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| N/A | 127.0.0.1:50004 | tcp | |
| RO | 31.14.252.98:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| NL | 194.126.173.158:24752 | tcp | |
| N/A | 127.0.0.1:50104 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50170 | tcp | |
| NL | 192.42.116.16:443 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| US | 135.148.53.61:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:50235 | tcp | |
| FR | 176.31.103.150:9001 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| US | 135.148.103.15:8443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| CH | 185.229.90.81:443 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50295 | tcp | |
| DE | 62.141.38.69:443 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| US | 135.148.103.15:8443 | tcp | |
| FR | 92.148.137.89:8100 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50354 | tcp | |
| NL | 77.247.181.162:443 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| GB | 178.128.32.152:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50412 | tcp | |
| SE | 171.25.193.20:443 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| CH | 185.229.90.81:443 | tcp | |
| DE | 195.201.174.108:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:50471 | tcp | |
| US | 173.255.245.116:9001 | tcp | |
| US | 135.148.103.15:8443 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| FR | 95.128.43.164:443 | tcp | |
| N/A | 127.0.0.1:50517 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| FI | 65.109.30.253:28710 | tcp | |
| US | 84.32.131.84:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50563 | tcp | |
| RU | 213.141.138.174:9001 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| NL | 50.118.225.160:8444 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50609 | tcp | |
| FR | 163.172.149.155:443 | tcp | |
| CA | 198.100.153.7:9000 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50654 | tcp | |
| DE | 85.10.201.47:9001 | tcp | |
| DE | 46.4.103.29:9001 | tcp | |
| US | 135.148.103.15:8443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
Files
memory/4428-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4428-1-0x0000000074DC0000-0x0000000074DFC000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/2968-43-0x0000000073DE0000-0x0000000073EEA000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/2968-42-0x00000000015F0000-0x00000000018BF000-memory.dmp
memory/2968-41-0x0000000000D40000-0x0000000000DC8000-memory.dmp
memory/2968-40-0x0000000073D50000-0x0000000073DD8000-memory.dmp
memory/2968-39-0x0000000073EF0000-0x00000000741BF000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
memory/2968-35-0x00000000741C0000-0x0000000074288000-memory.dmp
memory/2968-31-0x0000000074290000-0x00000000742B4000-memory.dmp
memory/2968-30-0x00000000742C0000-0x0000000074309000-memory.dmp
memory/2968-29-0x0000000074310000-0x00000000743DE000-memory.dmp
memory/2968-26-0x0000000000DE0000-0x00000000011E4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
memory/4428-47-0x0000000073A20000-0x0000000073A5C000-memory.dmp
memory/4428-48-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2968-50-0x0000000074310000-0x00000000743DE000-memory.dmp
memory/2968-56-0x0000000073D50000-0x0000000073DD8000-memory.dmp
memory/2968-54-0x0000000073EF0000-0x00000000741BF000-memory.dmp
memory/2968-53-0x00000000741C0000-0x0000000074288000-memory.dmp
memory/2968-52-0x0000000074290000-0x00000000742B4000-memory.dmp
memory/2968-51-0x00000000742C0000-0x0000000074309000-memory.dmp
memory/2968-49-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/4428-57-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2968-58-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2968-59-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2968-67-0x00000000015F0000-0x00000000018BF000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
memory/2968-77-0x0000000000DE0000-0x00000000011E4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 69b288ed00969efa96a71f63f7bdce26 |
| SHA1 | 693ec48d213545f10d891f00bf4d080ca0bda830 |
| SHA256 | 45fd8d172efeb1d54833564d1c3b344529f100955bc42f3b3eb2de2f3693972a |
| SHA512 | 1740318fb550404000fac21e1ae994c72aab92783047faedafec8d9e2fb9984620cf237fef7b5f8691b4688f93861aefb23ec4660eb5318faacd7804376e094c |
memory/2968-93-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/4428-102-0x0000000074D80000-0x0000000074DBC000-memory.dmp
memory/4428-101-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2968-104-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2968-113-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2968-122-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2968-150-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2480-160-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2480-167-0x0000000073DF0000-0x0000000073E78000-memory.dmp
memory/2480-166-0x0000000073E80000-0x0000000073F8A000-memory.dmp
memory/2480-165-0x0000000073F90000-0x0000000073FB4000-memory.dmp
memory/2480-164-0x0000000074CE0000-0x0000000074D29000-memory.dmp
memory/2480-163-0x0000000073FC0000-0x000000007408E000-memory.dmp
memory/2480-162-0x0000000074090000-0x0000000074158000-memory.dmp
memory/2480-161-0x0000000074160000-0x000000007442F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 0426cb839fb387e5d5931d780c970612 |
| SHA1 | 5b06f4e9d1605744d1292746188df21bafc4e134 |
| SHA256 | aad2ae644667554fa9c177c6a2d43cf10cd2058d31217eaa6283b5d0b5bf0449 |
| SHA512 | 291ac803bf25c8a203f8ac25bc90710a6dc27b91be1b05d430329226a967b8b70134b7f2927a5f49bdf0d5e69e3dd0984b9f1cc01513ac67d221c1e3cbcd99aa |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | d8c504050e8c023bfb1cfbcaad229623 |
| SHA1 | c09f55a2e1ef262904ee240e56b2288ed5a6ac46 |
| SHA256 | f3563eea844a07d161e6425efb23ddadf5e47a71943634720e362c6943d48086 |
| SHA512 | 7638370246ac43e0b17ab3cf321a31f4293a5f0a384956b33b25c5ccefbfb99d705b7f225fd890eb2ee3d29ddcdd2cb33cdc15082cd04311f6002aca66c6cb91 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | e17ac067d70b50fbf0305ccdde132aaa |
| SHA1 | b6b2bd34b2d8601fcbf94b29ab92d61df1a03600 |
| SHA256 | ba64944c5396bb5ba30b82281066c043df1d86503e11ffda33854d8fb7b692ef |
| SHA512 | cf91f4f0ddde49e0a31fb4a995bcd1ae97c23c329d60cdc254da5616fc162ae2d526217a9d7fe4974fae7e6a10d20303d6beb6c0b3b5973dd84a64af8e719ee0 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | f74f0ce702769b4799ffd2d2ea3d26f8 |
| SHA1 | d651312c6bde68c39c605ce1838bcf91f41c4778 |
| SHA256 | 0f5df6ec7191b62cbd6175de8120507dc67836b32c49f1c833fe496b4ce69319 |
| SHA512 | 7603b4a41c59d4d7a01bebcdafe199188531c56dac15616e1c91dc0efba58af18ac5f3168976525ce32b5ed963f666e6d3ee68d83f662d8d0cadf4abd824093b |
memory/4428-201-0x00000000739B0000-0x00000000739EC000-memory.dmp
memory/2480-202-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2480-205-0x0000000073FC0000-0x000000007408E000-memory.dmp
memory/2480-204-0x0000000074090000-0x0000000074158000-memory.dmp
memory/2480-203-0x0000000074160000-0x000000007442F000-memory.dmp
memory/2480-242-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2972-253-0x0000000074160000-0x000000007442F000-memory.dmp
memory/2972-252-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2972-254-0x0000000074090000-0x0000000074158000-memory.dmp
memory/2972-261-0x0000000073DF0000-0x0000000073E78000-memory.dmp
memory/2972-260-0x0000000073E80000-0x0000000073F8A000-memory.dmp
memory/2972-259-0x0000000073F90000-0x0000000073FB4000-memory.dmp
memory/2972-258-0x0000000074CE0000-0x0000000074D29000-memory.dmp
memory/2972-257-0x0000000073FC0000-0x000000007408E000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 503a174104f8abae2c7f25c67a86e829 |
| SHA1 | 05a939900b0b8153938ae30f1fd7491b9c164d52 |
| SHA256 | 215a3f8ea20243f40fc8dd82853d70e0fe4cb8f3e30c3c22dcbd1d771259f939 |
| SHA512 | dd34b9f49a5dc0be9fb6b27559b7bc34599aab36eed4b31c8e53ef37d14123d1e38ae4d9f9e14571fdd498dc0221847044b591ac634c2eaec54e9a726b6a0edd |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | ae915a4e7f2275799d78af387ed8cc19 |
| SHA1 | 9b41a3b99ada2c39d21d52df3384747a6250f892 |
| SHA256 | 7db2d6e609b48955088871896f5f0354ed6653aa4ccebeebc98ff7ee68b36c62 |
| SHA512 | 010b41a3399b809efd9ca622065d4f5b824d75df915ee651a086d7275172dfd7cb9072139801d4bbca11b9c600e5c42e003a834f55e5ac0f256d835547981799 |
memory/4428-287-0x00000000739B0000-0x00000000739EC000-memory.dmp
memory/2972-288-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2972-291-0x0000000073FC0000-0x000000007408E000-memory.dmp
memory/2972-290-0x0000000074090000-0x0000000074158000-memory.dmp
memory/2972-289-0x0000000074160000-0x000000007442F000-memory.dmp
memory/4428-292-0x0000000074DC0000-0x0000000074DFC000-memory.dmp
memory/4428-309-0x0000000073A20000-0x0000000073A5C000-memory.dmp
memory/2972-327-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/1892-342-0x0000000072C80000-0x0000000072F4F000-memory.dmp
memory/1892-341-0x0000000073DF0000-0x0000000073E78000-memory.dmp
memory/1892-340-0x0000000072B70000-0x0000000072C7A000-memory.dmp
memory/1892-339-0x0000000073E80000-0x0000000073EA4000-memory.dmp
memory/1892-338-0x0000000074CE0000-0x0000000074D29000-memory.dmp
memory/1892-337-0x0000000073EB0000-0x0000000073F7E000-memory.dmp
memory/1892-336-0x0000000073F80000-0x0000000074048000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | a8118bfee0e69f50a21165a0377d285d |
| SHA1 | 434a1000713c80dc7faf4d819ee6c808eb279b0b |
| SHA256 | 4eb6d8a3cc74a7fd90cd53cdc586da57d00120c2cb82aaf5013f5e95e27534d6 |
| SHA512 | 21ce4cb41f73f19cba4f97e96b4145d46e3f603b16b5b64d8ccc109f79748c90d491152fa710adb362c5561c2cfb4f868d7c4ed504b45c38b3e7dda7411d9f25 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | 47ef005e991fb83255ea44c65237107c |
| SHA1 | e5325dced19f98e3fce2194ef6d69865a8b8e479 |
| SHA256 | 43652fe07e217284e65e0d77b346c5f80e18f270f167a04570fa2da6f6766676 |
| SHA512 | 3632856e4682e7976b34f940087e5db6724a476702a1aa418659ee6de6a38ca69d6fc6d1227c43b63bf4e711b6d23e2b2cf01645b6598b3155475ee989391c9b |
memory/1892-358-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/1892-369-0x0000000073E80000-0x0000000073EA4000-memory.dmp
memory/4428-370-0x0000000072940000-0x000000007297C000-memory.dmp
memory/1892-368-0x0000000073EB0000-0x0000000073F7E000-memory.dmp
memory/1892-367-0x0000000073F80000-0x0000000074048000-memory.dmp
memory/1892-371-0x0000000072C80000-0x0000000072F4F000-memory.dmp
memory/4428-381-0x0000000074D80000-0x0000000074DBC000-memory.dmp
memory/1892-392-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/1692-402-0x0000000072C80000-0x0000000072F4F000-memory.dmp
memory/1692-401-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/1692-409-0x0000000073DF0000-0x0000000073E78000-memory.dmp
memory/1692-408-0x0000000072B70000-0x0000000072C7A000-memory.dmp
memory/1692-407-0x0000000073E80000-0x0000000073EA4000-memory.dmp
memory/1692-406-0x0000000074CE0000-0x0000000074D29000-memory.dmp
memory/1692-405-0x0000000073EB0000-0x0000000073F7E000-memory.dmp
memory/1692-404-0x0000000073F80000-0x0000000074048000-memory.dmp
memory/1692-430-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/1692-432-0x0000000073EB0000-0x0000000073F7E000-memory.dmp
memory/1692-431-0x0000000072C80000-0x0000000072F4F000-memory.dmp
memory/1692-451-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/3348-453-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/3348-458-0x0000000073E80000-0x0000000073EA4000-memory.dmp
memory/3348-460-0x0000000073DF0000-0x0000000073E78000-memory.dmp
memory/3348-459-0x0000000072B70000-0x0000000072C7A000-memory.dmp
memory/3348-457-0x0000000074CE0000-0x0000000074D29000-memory.dmp
memory/3348-456-0x0000000073EB0000-0x0000000073F7E000-memory.dmp
memory/3348-455-0x0000000073F80000-0x0000000074048000-memory.dmp
memory/3348-454-0x0000000072C80000-0x0000000072F4F000-memory.dmp
memory/4428-472-0x00000000739B0000-0x00000000739EC000-memory.dmp
memory/3348-483-0x0000000072C80000-0x0000000072F4F000-memory.dmp
memory/3348-484-0x0000000073F80000-0x0000000074048000-memory.dmp
memory/3348-485-0x0000000073EB0000-0x0000000073F7E000-memory.dmp
memory/3348-482-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/3348-504-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2524-512-0x0000000073DF0000-0x0000000073E78000-memory.dmp
memory/2524-511-0x0000000072B70000-0x0000000072C7A000-memory.dmp
memory/2524-510-0x0000000073E80000-0x0000000073EA4000-memory.dmp
memory/2524-509-0x0000000074CE0000-0x0000000074D29000-memory.dmp
memory/2524-508-0x0000000073EB0000-0x0000000073F7E000-memory.dmp
memory/2524-507-0x0000000073F80000-0x0000000074048000-memory.dmp
memory/2524-506-0x0000000072C80000-0x0000000072F4F000-memory.dmp
memory/2524-505-0x0000000000DE0000-0x00000000011E4000-memory.dmp
memory/2524-534-0x0000000000DE0000-0x00000000011E4000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:38
Platform
win10v2004-20240419-en
Max time kernel
600s
Max time network
601s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| FR | 193.70.43.76:9001 | tcp | |
| N/A | 127.0.0.1:55550 | tcp | |
| RO | 185.100.85.61:443 | tcp | |
| US | 8.8.8.8:53 | 61.85.100.185.in-addr.arpa | udp |
| BE | 193.190.168.53:9001 | tcp | |
| DE | 185.220.101.201:443 | tcp | |
| US | 8.8.8.8:53 | 53.168.190.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.101.220.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| DE | 185.220.101.201:443 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| GB | 81.0.218.34:443 | tcp | |
| US | 51.81.56.74:443 | tcp | |
| N/A | 127.0.0.1:55703 | tcp | |
| US | 8.8.8.8:53 | 34.218.0.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.56.81.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:45808 | tcp | |
| GB | 81.0.218.34:443 | tcp | |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:55829 | tcp | |
| DE | 88.99.7.87:9001 | tcp | |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| FI | 95.216.61.211:443 | tcp | |
| US | 8.8.8.8:53 | 87.7.99.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.61.216.95.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| FR | 85.208.144.164:443 | tcp | |
| N/A | 127.0.0.1:55915 | tcp | |
| LT | 188.214.132.49:9001 | tcp | |
| US | 8.8.8.8:53 | 164.144.208.85.in-addr.arpa | udp |
| DE | 188.68.38.76:9001 | tcp | |
| US | 8.8.8.8:53 | 49.132.214.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.68.188.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:55983 | tcp | |
| N/A | 127.0.0.1:55991 | tcp | |
| DK | 185.96.88.29:443 | tcp | |
| FR | 163.172.76.56:9001 | tcp | |
| US | 8.8.8.8:53 | 56.76.172.163.in-addr.arpa | udp |
| FR | 146.59.234.220:443 | tcp | |
| US | 8.8.8.8:53 | 220.234.59.146.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:56077 | tcp | |
| FR | 51.254.147.57:443 | tcp | |
| SE | 193.105.134.187:9001 | tcp | |
| FR | 45.158.77.29:9000 | tcp | |
| US | 8.8.8.8:53 | 187.134.105.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.77.158.45.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| CZ | 46.28.110.244:443 | tcp | |
| N/A | 127.0.0.1:56134 | tcp | |
| GB | 185.164.138.211:9005 | tcp | |
| US | 8.8.8.8:53 | 211.138.164.185.in-addr.arpa | udp |
| CZ | 185.216.35.222:9001 | tcp | |
| US | 8.8.8.8:53 | 222.35.216.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:56189 | tcp | |
| DE | 178.254.7.88:8443 | tcp | |
| DE | 5.9.66.94:54782 | tcp | |
| US | 8.8.8.8:53 | 94.66.9.5.in-addr.arpa | udp |
| FR | 178.33.36.64:8080 | tcp | |
| US | 8.8.8.8:53 | 64.36.33.178.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:56242 | tcp | |
| US | 166.70.207.2:9101 | tcp | |
| US | 51.81.56.74:443 | tcp | |
| US | 8.8.8.8:53 | 2.207.70.166.in-addr.arpa | udp |
| DE | 144.91.125.15:9001 | tcp | |
| US | 8.8.8.8:53 | 15.125.91.144.in-addr.arpa | udp |
| DE | 79.137.202.92:443 | tcp | |
| US | 8.8.8.8:53 | 92.202.137.79.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| SE | 193.11.164.243:9001 | tcp | |
| N/A | 127.0.0.1:56297 | tcp | |
| FR | 146.59.234.220:443 | tcp | |
| US | 8.8.8.8:53 | 243.164.11.193.in-addr.arpa | udp |
| CH | 185.183.194.90:443 | tcp | |
| US | 8.8.8.8:53 | 90.194.183.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:56360 | tcp | |
| PL | 54.37.139.118:9001 | tcp | |
| FR | 178.33.36.64:8080 | tcp | |
| US | 8.8.8.8:53 | 118.139.37.54.in-addr.arpa | udp |
| FR | 146.59.234.220:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:56406 | tcp | |
| US | 154.35.175.225:443 | tcp | |
| DE | 148.251.51.34:9993 | tcp | |
| US | 8.8.8.8:53 | 34.51.251.148.in-addr.arpa | udp |
| IT | 95.141.32.124:22222 | tcp | |
| US | 8.8.8.8:53 | 124.32.141.95.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| NL | 37.218.242.26:9001 | tcp | |
| US | 8.8.8.8:53 | 26.242.218.37.in-addr.arpa | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:56470 | tcp | |
| CA | 192.160.102.168:9001 | tcp | |
| N/A | 207.90.194.2:443 | tcp |
Files
memory/116-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/116-1-0x0000000074CA0000-0x0000000074CD9000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
memory/4992-33-0x00000000741A0000-0x00000000741E9000-memory.dmp
memory/4992-39-0x0000000000E20000-0x0000000000EA8000-memory.dmp
memory/4992-43-0x0000000073B60000-0x0000000073E2F000-memory.dmp
memory/4992-42-0x00000000015B0000-0x000000000187F000-memory.dmp
memory/4992-38-0x0000000073E30000-0x0000000073EB8000-memory.dmp
memory/4992-37-0x0000000073EC0000-0x0000000073FCA000-memory.dmp
memory/4992-32-0x0000000073FD0000-0x000000007409E000-memory.dmp
memory/4992-31-0x00000000740A0000-0x00000000740C4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/4992-30-0x00000000740D0000-0x0000000074198000-memory.dmp
memory/4992-29-0x0000000000380000-0x0000000000784000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | dde78eff34a6e66b6ea6d178bc426549 |
| SHA1 | b253863b59f1502d06dfbcd3dd14313fe44c9e78 |
| SHA256 | a869e89870d10561112f15016a20789dae97004d52c3258ddc11e0ebbc91137e |
| SHA512 | 343452cd55b21a98f663e3cede0d29f77545f03c93cb0a3caa06160419991023226e03e957cda1cc3ef9bcfcf0dc7a103f875048971f9b6eb94133448e410141 |
memory/116-58-0x0000000073750000-0x0000000073789000-memory.dmp
memory/116-62-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4992-70-0x0000000073E30000-0x0000000073EB8000-memory.dmp
memory/4992-71-0x0000000073B60000-0x0000000073E2F000-memory.dmp
memory/4992-69-0x0000000073EC0000-0x0000000073FCA000-memory.dmp
memory/4992-68-0x0000000073FD0000-0x000000007409E000-memory.dmp
memory/4992-67-0x00000000740A0000-0x00000000740C4000-memory.dmp
memory/4992-66-0x00000000740D0000-0x0000000074198000-memory.dmp
memory/4992-64-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4992-65-0x00000000741A0000-0x00000000741E9000-memory.dmp
memory/116-72-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4992-81-0x0000000000E20000-0x0000000000EA8000-memory.dmp
memory/4992-73-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4992-83-0x0000000000380000-0x0000000000784000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 3e8cc605f59eaae7094e0d28684f7adc |
| SHA1 | e3df12b93a941088f6a6fa57226a4537545603f2 |
| SHA256 | b3954d0c474cb280d17bf109562403312ade070f0a17b3ac0534960e71445f88 |
| SHA512 | 9cf6c40b9a52f4624f92ea58cea2222cd49e09d3a100f693c4aa5da312afc64c8d5039bdbeabe66c40f410d871755c7a49870fbc975b0e3e0531d50a79672688 |
memory/4992-93-0x0000000000380000-0x0000000000784000-memory.dmp
memory/116-102-0x0000000074CC0000-0x0000000074CF9000-memory.dmp
memory/116-101-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4992-103-0x0000000000380000-0x0000000000784000-memory.dmp
memory/116-111-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4992-112-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4992-127-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4992-155-0x0000000000380000-0x0000000000784000-memory.dmp
memory/2304-165-0x0000000073DD0000-0x0000000073E19000-memory.dmp
memory/2304-167-0x0000000073C00000-0x0000000073C88000-memory.dmp
memory/2304-170-0x0000000073DA0000-0x0000000073DC4000-memory.dmp
memory/2304-169-0x0000000073E20000-0x0000000073EEE000-memory.dmp
memory/2304-168-0x0000000073FC0000-0x000000007428F000-memory.dmp
memory/2304-166-0x0000000073C90000-0x0000000073D9A000-memory.dmp
memory/2304-161-0x0000000073EF0000-0x0000000073FB8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | c4436df2f37ad19408e0e4cd6f86af40 |
| SHA1 | 3b9b7ca4378c72c69f37d4b72d6dc45d97617b56 |
| SHA256 | f11cc05280c6b8c0b95e7aba74db6d9cb0df75278dca289241a4ce1bd611905c |
| SHA512 | 567cc1c085f30a08aa2c3f89b08d013fb7cceeff8c210d7aab6e785ddb0f83ef9e7c690cc49b29cb0615c26dab180999921a64876bb8ae7084a00fbb6042f05c |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | af023f6bada4b432cb4b0006e7644a8b |
| SHA1 | 66a56d1ca6d0c68f438ed62963a1c3451d41d667 |
| SHA256 | df448c2b54ecb7be90a0e8ede35c094c3dab7a189795664fc939571e91c119af |
| SHA512 | 78f4a6ceea5be53c26afa785bd098f62abfc0b9a51aa3d69f9f8bda70534b937db7a6138267cfb2a0d0e47c839fbaa60657fba97f203e5480d46486087b9f943 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | fdf9ed5e194fb446e9a1a62b77399c7c |
| SHA1 | 76238f31db13321edd0189f33c95849f812ed936 |
| SHA256 | c49bbe4b32457df32b0a12f0d82756c35fafc6a68b39f2fba0868da4162bdc52 |
| SHA512 | 09348d5a45b35d0bd2ebc6ce02bccda0e21e42fdba0263d7c39e5be19d6e582024df8f8f8c6e198605a185456451a6c2bff988addb7044307a762f9d75e4e214 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 308a07cb8a8a746dd8e4a37770eefa6b |
| SHA1 | 406ed322d3058d2345f37751f038ffc330f81d61 |
| SHA256 | 2f2e81fa8999c834c2d826b03643b3336e638c6f402aec13c5f1e3c4265c885c |
| SHA512 | cf571bb3e3345fe90e76b1824f26ad39c1cb80c4a4643f1ee3e621a2652399f6fcf5a5095c9b83013ce2e1eebdbac8b202426ef26608120e654bcf435ff3189d |
memory/2304-200-0x0000000000380000-0x0000000000784000-memory.dmp
memory/2304-202-0x0000000073DD0000-0x0000000073E19000-memory.dmp
memory/2304-201-0x0000000073EF0000-0x0000000073FB8000-memory.dmp
memory/116-214-0x00000000739C0000-0x00000000739F9000-memory.dmp
memory/2304-213-0x0000000073C00000-0x0000000073C88000-memory.dmp
memory/2304-212-0x0000000073C90000-0x0000000073D9A000-memory.dmp
memory/2304-216-0x0000000073FC0000-0x000000007428F000-memory.dmp
memory/2304-217-0x0000000073E20000-0x0000000073EEE000-memory.dmp
memory/2304-218-0x0000000073DA0000-0x0000000073DC4000-memory.dmp
memory/2304-261-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4304-269-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4304-274-0x0000000073C20000-0x0000000073C69000-memory.dmp
memory/4304-277-0x0000000072A80000-0x0000000072B8A000-memory.dmp
memory/4304-276-0x00000000729F0000-0x0000000072A78000-memory.dmp
memory/4304-275-0x0000000073B30000-0x0000000073B54000-memory.dmp
memory/4304-273-0x0000000073C70000-0x0000000073D3E000-memory.dmp
memory/4304-272-0x0000000073D40000-0x0000000073E08000-memory.dmp
memory/4304-271-0x0000000072B90000-0x0000000072E5F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 8b858e4b316cba7226ea7f88cb3e4808 |
| SHA1 | 5cb309b83a652a298ec7340f0fecb2187f5c26ec |
| SHA256 | eeb8b66a82b5d136f62041a64f1e655d0e126c9445c3ba871a0ea3d24e3bd603 |
| SHA512 | 709840706cbe72fe2b84ff95725fd5684d23204cb0811f9659d656bed483a8d69d250a0f1e4d997ac4221138394399ea6723476c2ab73cbef60ba4de261e9c7e |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | e8cecdbe02c73244c24b1cde3d440e10 |
| SHA1 | 5b63d9a3f55dc11fdcb27e2baa653a3a9c060cbd |
| SHA256 | 8c80e7f7758f14f4c3a0b2cbd281551740ad9bbb7cd6e4be8442dabe8cf14a84 |
| SHA512 | 61b1461cf1fc700c2848d249f21bdd19207eabb88c06e84937552b4ed8df4ee3ff98df74e5ce6527bba2ddeee3e7973ae6670e7a63c2336f58c15b51a6137fb6 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 844f6a82e57e22d2f3b186d055853853 |
| SHA1 | d4ec829e46c90fb20206f9c21a371c2194160db8 |
| SHA256 | ee9134354862e280da0a6e6e71dba0144682e76768387f5ac0aa3f60dcfc6295 |
| SHA512 | c0c2e0e69545b2d3f2996749fa334f7b4df0b41e12ed099cd1d523e8436c90bc3a90d314e64a3e687567ca1dc2741954f5b40f93efa1bf350f1e42ec3a4ace24 |
memory/4304-297-0x0000000072B90000-0x0000000072E5F000-memory.dmp
memory/116-310-0x00000000739C0000-0x00000000739F9000-memory.dmp
memory/4304-309-0x0000000073B30000-0x0000000073B54000-memory.dmp
memory/4304-308-0x0000000073C70000-0x0000000073D3E000-memory.dmp
memory/4304-307-0x0000000073D40000-0x0000000073E08000-memory.dmp
memory/4304-306-0x0000000000380000-0x0000000000784000-memory.dmp
memory/116-312-0x0000000074CA0000-0x0000000074CD9000-memory.dmp
memory/116-330-0x0000000073750000-0x0000000073789000-memory.dmp
memory/4304-341-0x0000000000380000-0x0000000000784000-memory.dmp
memory/3580-355-0x00000000729F0000-0x0000000072A78000-memory.dmp
memory/3580-356-0x0000000072B90000-0x0000000072E5F000-memory.dmp
memory/3580-354-0x0000000072A80000-0x0000000072B8A000-memory.dmp
memory/3580-353-0x0000000073B30000-0x0000000073B54000-memory.dmp
memory/3580-352-0x0000000073C20000-0x0000000073C69000-memory.dmp
memory/3580-351-0x0000000073C70000-0x0000000073D3E000-memory.dmp
memory/3580-350-0x0000000073D40000-0x0000000073E08000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 2b86e95e6a484f99bfb1a7e4feca0c65 |
| SHA1 | 051ef60461cebadb78f7297a605922f3b3848171 |
| SHA256 | 619973d6ae96384057aa2068c4f6a3f256fb02669020de2aa1064d3d28418c6d |
| SHA512 | a98cb427a6a2f527ae873085f83f21cdea7df37429a9e7e4f5f10b3403541ead67b0be43d6432088e1967abe75b3b1e537c8b6336a10b12bd50ef411ccbf23b0 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | 25062967fbc2c59d5e2744e5ee429a58 |
| SHA1 | b2d97c6e86cf81447772e253d00263eecfa74c4d |
| SHA256 | 4bfaecc9b00025c3c3fa3939826bbc3f8838bb7f4bfcf32d314c8a21bd80cb4a |
| SHA512 | b242950c478aacefd2e4d00649dc3432a45af132d0833a60dd20bbb7175d8da220370ad93f0c3968d3d07643906c7b340bda986f85c7b2d75852f6e76fb54802 |
memory/3580-372-0x0000000000380000-0x0000000000784000-memory.dmp
memory/3580-381-0x0000000073D40000-0x0000000073E08000-memory.dmp
memory/3580-382-0x0000000073C70000-0x0000000073D3E000-memory.dmp
memory/3580-383-0x0000000072B90000-0x0000000072E5F000-memory.dmp
memory/116-393-0x0000000074CC0000-0x0000000074CF9000-memory.dmp
memory/3580-404-0x0000000000380000-0x0000000000784000-memory.dmp
memory/2668-418-0x0000000072B90000-0x0000000072E5F000-memory.dmp
memory/2668-417-0x00000000729F0000-0x0000000072A78000-memory.dmp
memory/2668-416-0x0000000072A80000-0x0000000072B8A000-memory.dmp
memory/2668-415-0x0000000073B30000-0x0000000073B54000-memory.dmp
memory/2668-414-0x0000000073C20000-0x0000000073C69000-memory.dmp
memory/2668-413-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4044-424-0x0000000073B30000-0x0000000073B54000-memory.dmp
memory/4044-423-0x0000000072B90000-0x0000000072E5F000-memory.dmp
memory/4044-422-0x00000000729F0000-0x0000000072A78000-memory.dmp
memory/4044-421-0x0000000072A80000-0x0000000072B8A000-memory.dmp
memory/4044-420-0x0000000073C20000-0x0000000073C69000-memory.dmp
memory/4044-433-0x0000000072B90000-0x0000000072E5F000-memory.dmp
memory/4044-435-0x0000000073C70000-0x0000000073D3E000-memory.dmp
memory/4044-436-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4044-434-0x0000000073D40000-0x0000000073E08000-memory.dmp
memory/2668-448-0x0000000000380000-0x0000000000784000-memory.dmp
memory/2668-449-0x0000000073D40000-0x0000000073E08000-memory.dmp
memory/2668-450-0x0000000073C70000-0x0000000073D3E000-memory.dmp
memory/2668-451-0x0000000073B30000-0x0000000073B54000-memory.dmp
memory/2668-461-0x0000000072B90000-0x0000000072E5F000-memory.dmp
memory/2668-498-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4604-500-0x0000000073C20000-0x0000000073C69000-memory.dmp
memory/4604-503-0x0000000073B30000-0x0000000073B54000-memory.dmp
memory/4604-502-0x00000000729F0000-0x0000000072A78000-memory.dmp
memory/4604-501-0x0000000072A80000-0x0000000072B8A000-memory.dmp
memory/4604-499-0x0000000073D40000-0x0000000073E08000-memory.dmp
memory/4604-516-0x0000000000380000-0x0000000000784000-memory.dmp
memory/4604-527-0x0000000073C70000-0x0000000073D3E000-memory.dmp
memory/4604-526-0x0000000073D40000-0x0000000073E08000-memory.dmp
memory/4604-525-0x0000000072B90000-0x0000000072E5F000-memory.dmp
memory/4604-547-0x0000000000380000-0x0000000000784000-memory.dmp
memory/2624-550-0x0000000073C70000-0x0000000073D3E000-memory.dmp
memory/2624-548-0x0000000072B90000-0x0000000072E5F000-memory.dmp
memory/2624-549-0x0000000073D40000-0x0000000073E08000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:38
Platform
win7-20240220-en
Max time kernel
598s
Max time network
601s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| FR | 212.129.62.232:443 | tcp | |
| NL | 77.247.181.166:443 | tcp | |
| DE | 185.177.229.16:1080 | tcp | |
| US | 74.91.26.170:80 | tcp | |
| US | 23.83.91.155:443 | tcp | |
| US | 147.135.16.147:443 | tcp | |
| US | 147.135.16.147:443 | tcp | |
| US | 23.83.91.155:443 | tcp | |
| N/A | 127.0.0.1:49231 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49318 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 74.215.154.5:9002 | tcp | |
| DE | 148.251.183.205:8080 | tcp | |
| US | 139.144.220.112:443 | tcp | |
| N/A | 127.0.0.1:49408 | tcp | |
| US | 74.215.154.5:9002 | tcp | |
| US | 139.144.220.112:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| DE | 45.14.233.190:443 | tcp | |
| AL | 31.171.154.162:443 | tcp | |
| N/A | 127.0.0.1:49488 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| FR | 163.172.149.122:443 | tcp | |
| DE | 37.120.168.19:9001 | tcp | |
| N/A | 127.0.0.1:49592 | tcp | |
| DE | 94.130.51.212:9090 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| SE | 193.11.114.43:9001 | tcp | |
| N/A | 127.0.0.1:49671 | tcp | |
| DE | 193.41.226.147:9200 | tcp | |
| CA | 198.100.153.7:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49739 | tcp | |
| DE | 31.185.104.20:443 | tcp | |
| CA | 198.72.127.222:9001 | tcp | |
| IS | 93.95.231.115:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| FR | 193.70.43.76:9001 | tcp | |
| N/A | 127.0.0.1:49791 | tcp | |
| N/A | 127.0.0.1:49798 | tcp | |
| DE | 138.201.202.228:443 | tcp | |
| US | 74.215.154.5:9002 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49855 | tcp | |
| DE | 148.251.190.229:9010 | tcp | |
| DE | 62.67.28.110:9001 | tcp | |
| RO | 109.102.40.171:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:49904 | tcp | |
| FI | 65.108.231.17:9001 | tcp | |
| SE | 213.114.238.197:9001 | tcp | |
| US | 198.71.53.137:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 99.185.102.97:4433 | tcp | |
| DE | 173.212.254.192:31337 | tcp | |
| N/A | 127.0.0.1:49959 | tcp | |
| US | 66.175.235.244:443 | tcp | |
| US | 139.144.220.112:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50008 | tcp | |
| DE | 85.10.201.47:9001 | tcp | |
| US | 107.155.69.234:9001 | tcp | |
| DE | 138.201.202.228:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50057 | tcp | |
| DE | 185.244.193.141:9001 | tcp | |
| US | 15.204.235.110:9100 | tcp | |
| US | 208.113.200.33:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50107 | tcp | |
| DE | 5.45.111.149:443 | tcp | |
| FR | 95.85.90.130:9001 | tcp | |
| US | 147.135.16.147:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:50157 | tcp | |
| SK | 85.248.227.164:9002 | tcp | |
| DE | 94.16.105.206:9001 | tcp | |
| US | 99.185.102.97:4433 | tcp | |
| N/A | 127.0.0.1:45808 | tcp |
Files
memory/2792-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
memory/2792-17-0x0000000003FE0000-0x00000000043E4000-memory.dmp
memory/2792-20-0x0000000003FE0000-0x00000000043E4000-memory.dmp
memory/2884-31-0x00000000749B0000-0x0000000074C7F000-memory.dmp
\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
memory/2884-34-0x00000000746F0000-0x0000000074778000-memory.dmp
memory/2884-33-0x0000000074780000-0x000000007488A000-memory.dmp
memory/2884-32-0x0000000074960000-0x00000000749A9000-memory.dmp
\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
memory/2884-41-0x0000000074D60000-0x0000000074D84000-memory.dmp
\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/2884-39-0x0000000074620000-0x00000000746EE000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/2884-36-0x0000000074890000-0x0000000074958000-memory.dmp
memory/2884-35-0x00000000003E0000-0x00000000007E4000-memory.dmp
\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 27ecdde71eb6b5db413c6a49f1299329 |
| SHA1 | ac00d48ab4b3e43a3a2a4adcb340a1b675c036c1 |
| SHA256 | 7cd94a85b50df1a44d6f73afc9616695d7f3fc154e01a8bb8de9a6107790d483 |
| SHA512 | 2bb2a2d6953aad76ade60cfe1d0bf2c10751ed719d2848e1e3bd81127c020fd359c96f452203d402390326409fc0dbfe46bac05f435df152d9da131c1a2775ab |
memory/2792-53-0x0000000000400000-0x0000000000BD8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 974a6a9648c5b192f31dcf8fcac918f4 |
| SHA1 | 728285cafc076f62bb5880c6ddc18735b3a6991e |
| SHA256 | 42c593e3a7263d2ce66d4f4ce60d29bf51439aabd871be7c45c495d83e850bdf |
| SHA512 | d32102e82660f204c43738dbd5391f4a6667c2c01ac60b72baff265ad56051d1bea3d8c40bff4d3fac7a43b0aa1e7e49c8b051870ece9fcda9a5828832a1b51a |
memory/2884-60-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-68-0x0000000003FE0000-0x00000000043E4000-memory.dmp
memory/2884-67-0x0000000074D60000-0x0000000074D84000-memory.dmp
memory/2884-66-0x0000000074620000-0x00000000746EE000-memory.dmp
memory/2884-64-0x0000000074780000-0x000000007488A000-memory.dmp
memory/2884-61-0x00000000749B0000-0x0000000074C7F000-memory.dmp
memory/2884-65-0x00000000746F0000-0x0000000074778000-memory.dmp
memory/2884-63-0x0000000074890000-0x0000000074958000-memory.dmp
memory/2884-62-0x0000000074960000-0x00000000749A9000-memory.dmp
memory/2792-69-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2884-70-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2884-71-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-79-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2884-80-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2884-89-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-121-0x0000000004D00000-0x0000000005104000-memory.dmp
memory/1592-133-0x0000000074D60000-0x0000000074D84000-memory.dmp
memory/1592-132-0x0000000074620000-0x00000000746EE000-memory.dmp
memory/1592-131-0x00000000746F0000-0x0000000074778000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
memory/1592-129-0x0000000074780000-0x000000007488A000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | d5551f1d43f325505db392bd2d49c132 |
| SHA1 | e5a8bdce895eebe208fbfc8fecdbd3aa7d808cee |
| SHA256 | 1eff37f5029bf926e6fb57168e8c027a6bb12a9a615543de65016115a0c0f9bc |
| SHA512 | 844ac6d018f80f8fe1d91afd003ac400d908618cec824d94e954813871793c58b8c23c78d3b4cf4d234b4e1f3ee69aa0130c257333a38a69178c43b0c58c1218 |
memory/1592-127-0x0000000074890000-0x0000000074958000-memory.dmp
memory/1592-126-0x0000000074960000-0x00000000749A9000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | d6adc9f5c8e1610dd68f3f57980a9ff5 |
| SHA1 | f79d5f11ac02ed196cc737811fb6c2961bd4cdd5 |
| SHA256 | 8ad216352e32a189700d0f37d75ce5c26de9756475e2f44f8b478625baf72a3d |
| SHA512 | ac237296c15dfcd5377d4c58d738b6ec379739e5f4cb5631c5cbbfe7c53596cd851df177dbb2ad42a9bc507ca0f65c560f35203ab74b4f0202cadcff5c068bff |
memory/1592-125-0x00000000749B0000-0x0000000074C7F000-memory.dmp
memory/1592-124-0x00000000003E0000-0x00000000007E4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 760bed48f7f04e0dea60bf128486333d |
| SHA1 | 2dc2253846b157876f2c97efef08b915ca5f7a7c |
| SHA256 | cb4501c944e23e7adfffde9fd1f81ad9c7a55a55e19c11cca0e94d5413999dfe |
| SHA512 | c7c4f9f1f657400004f104350651d7ede3184369a657b95336399ae6520ed811c439cc85e2134773bf93ed11408f73d5b3c83ffe3f1e49aefe73a47a96d3ea58 |
memory/2884-99-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-143-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1592-145-0x00000000749B0000-0x0000000074C7F000-memory.dmp
memory/1592-144-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/1592-153-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-161-0x0000000004D00000-0x0000000005104000-memory.dmp
memory/1592-181-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-187-0x0000000004D00000-0x0000000005104000-memory.dmp
memory/1616-203-0x00000000746E0000-0x00000000749AF000-memory.dmp
memory/1616-202-0x00000000745E0000-0x0000000074604000-memory.dmp
memory/1616-201-0x0000000074610000-0x00000000746DE000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | dbb6eaedcf0554252db56ddd86f7dd4d |
| SHA1 | 897932fd5571f6072f2a631a46a631c0dc47679b |
| SHA256 | 029126ec60896d4005bd72091f87719fbefedcdf9d26b86d1e3381712b807cbf |
| SHA512 | 2607c00a409eaacec19ca0ebbed4da82a7216db96cff189a75cb2efd929d078acb58371544474acecf5e0be610ef495b36829731cd07528a0e41e8da256236ab |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | e283b535bb7c053075c9b765ebef221d |
| SHA1 | 6ebd43b0d6cd82c3a8f58a7f474d048186de9e24 |
| SHA256 | 597f078609d541e176bd0f7cd562d49901cabe49adbf89068a07aa428badc7d0 |
| SHA512 | 47ea12db51e51fe45666f6521665617dac95efbc82b12daf6557a41f17c126c85496de8db120b1b377b538083e5c5d33add5dd77c8d3301909d0042853f7e6a6 |
memory/1616-200-0x00000000749C0000-0x0000000074A48000-memory.dmp
memory/1616-199-0x0000000074A50000-0x0000000074B5A000-memory.dmp
memory/1616-198-0x0000000074B60000-0x0000000074C28000-memory.dmp
memory/1616-197-0x0000000074C30000-0x0000000074C79000-memory.dmp
memory/1616-196-0x00000000003E0000-0x00000000007E4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | c8ded144c778f4947f78b818dd2a6ca9 |
| SHA1 | cd6e05ceb9c876e53271e0aa3172454fa21f7374 |
| SHA256 | f6d5ef7e5e6255c6f56a80c4e93df249ccd98aca5db63d40ed34391835eb6f3b |
| SHA512 | e1732f7f5f33d0575c5beef8ce1f9f9156061748009e758779d584c13709611a6265750235ef8a220f1fc907933e010e4ce61e68381b75d3eec7bc9251e9812f |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 0369d12158b1f8b36344973d01f2ee0b |
| SHA1 | cd1f8e5ad3a1f9eae49a53cd37e0a05ba780dc3b |
| SHA256 | a8e63128611376c0b07247d9115ff37c08ebf6d1d8684ad071b76f61c0b8d72f |
| SHA512 | 9601c114149586eecae78fa93a141271b3293a7e197dd43f78be55012415348c1fdb91fa4f6fca9bfaaa92a10737d849e4f6176e000a2f14a3427353eb737024 |
memory/2792-228-0x0000000004D00000-0x0000000005104000-memory.dmp
memory/1616-229-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/1616-239-0x0000000074610000-0x00000000746DE000-memory.dmp
memory/1616-238-0x0000000074B60000-0x0000000074C28000-memory.dmp
memory/1616-240-0x00000000746E0000-0x00000000749AF000-memory.dmp
memory/1616-273-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2064-276-0x0000000074C30000-0x0000000074C79000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 40dcc8dfb231d93452ecd6f7a30e238b |
| SHA1 | 92ba93eaeeac71d2876b7aade25283892080338e |
| SHA256 | f6fa2aa1a43b13996bd8af8e9ed3e8037fe2349998ba00ec5689c870aebd51b9 |
| SHA512 | 6d976e7c526c80ad7ebfff8dd18b86f2412095fa1b4df0da1f4ea6ad005adb33a2a7686b0a9d101522d66e5ef9120f1384117e32c3670b623fcb6997149da89a |
memory/2064-282-0x00000000745E0000-0x0000000074604000-memory.dmp
memory/2064-281-0x0000000074610000-0x00000000746DE000-memory.dmp
memory/2064-279-0x00000000749C0000-0x0000000074A48000-memory.dmp
memory/2064-278-0x0000000074A50000-0x0000000074B5A000-memory.dmp
memory/2064-277-0x0000000074B60000-0x0000000074C28000-memory.dmp
memory/2064-275-0x00000000746E0000-0x00000000749AF000-memory.dmp
memory/2064-274-0x00000000003E0000-0x00000000007E4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 60f5ca9fedf0fb9a26f6c1461644e24f |
| SHA1 | 8f79cf8ef55696d6746ebaa46efbd0e29b07dc7d |
| SHA256 | 217342d45c42cfd6b7e41a1c68571ace4124175708e3b79f18d27190b57c1213 |
| SHA512 | 407627f685eef40d52f315a67a1b59c1d31a1016088e4e0dd7e39139d7507d35aa33814d83cfa423471f47033d62e8213b04f59be59ea393eca6853259ddd132 |
memory/2792-308-0x0000000004D00000-0x0000000005104000-memory.dmp
memory/2064-309-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2064-310-0x00000000746E0000-0x00000000749AF000-memory.dmp
memory/2064-312-0x0000000074610000-0x00000000746DE000-memory.dmp
memory/2064-311-0x0000000074B60000-0x0000000074C28000-memory.dmp
memory/2792-323-0x0000000000D80000-0x0000000000D8A000-memory.dmp
memory/2064-356-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/1908-372-0x0000000074920000-0x00000000749A8000-memory.dmp
memory/1908-371-0x0000000074A00000-0x0000000074B0A000-memory.dmp
memory/1908-370-0x0000000074B10000-0x0000000074BD8000-memory.dmp
memory/1908-375-0x0000000073A90000-0x0000000073D5F000-memory.dmp
memory/1908-374-0x0000000074C50000-0x0000000074C74000-memory.dmp
memory/1908-373-0x0000000074850000-0x000000007491E000-memory.dmp
memory/1908-369-0x0000000074BE0000-0x0000000074C29000-memory.dmp
memory/1908-368-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-362-0x00000000059D0000-0x0000000005DD4000-memory.dmp
memory/2792-387-0x0000000000D80000-0x0000000000D8A000-memory.dmp
memory/2792-389-0x00000000059D0000-0x0000000005DD4000-memory.dmp
memory/1908-390-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/1908-399-0x0000000074B10000-0x0000000074BD8000-memory.dmp
memory/1908-400-0x0000000074850000-0x000000007491E000-memory.dmp
memory/1908-402-0x0000000073A90000-0x0000000073D5F000-memory.dmp
memory/2792-413-0x0000000004830000-0x000000000483A000-memory.dmp
memory/2792-412-0x0000000004830000-0x000000000483A000-memory.dmp
memory/2012-444-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2012-443-0x0000000074C00000-0x0000000074C24000-memory.dmp
memory/2012-442-0x0000000073C90000-0x0000000073D5E000-memory.dmp
memory/2012-441-0x0000000074A30000-0x0000000074AB8000-memory.dmp
memory/2012-440-0x00000000748A0000-0x00000000749AA000-memory.dmp
memory/2012-439-0x0000000074AC0000-0x0000000074B88000-memory.dmp
memory/2012-438-0x0000000074B90000-0x0000000074BD9000-memory.dmp
memory/2012-437-0x0000000073730000-0x00000000739FF000-memory.dmp
memory/1908-436-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-456-0x0000000004830000-0x000000000483A000-memory.dmp
memory/2792-457-0x0000000004830000-0x000000000483A000-memory.dmp
memory/2792-458-0x0000000005B10000-0x0000000005F14000-memory.dmp
memory/2012-468-0x0000000073730000-0x00000000739FF000-memory.dmp
memory/2012-470-0x0000000073C90000-0x0000000073D5E000-memory.dmp
memory/2012-469-0x0000000074AC0000-0x0000000074B88000-memory.dmp
memory/2012-471-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2456-505-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-504-0x00000000058D0000-0x0000000005CD4000-memory.dmp
memory/2012-503-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2792-526-0x00000000058D0000-0x0000000005CD4000-memory.dmp
memory/2456-527-0x00000000003E0000-0x00000000007E4000-memory.dmp
memory/2456-547-0x00000000003E0000-0x00000000007E4000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:38
Platform
win10-20240404-en
Max time kernel
599s
Max time network
601s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\ue900" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1ë°€" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\ueb00" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| FR | 217.182.51.248:443 | tcp | |
| RO | 185.225.17.3:443 | tcp | |
| US | 128.31.0.13:443 | tcp | |
| US | 8.8.8.8:53 | 13.0.31.128.in-addr.arpa | udp |
| DK | 87.104.37.132:443 | tcp | |
| CA | 144.217.103.5:8443 | tcp | |
| US | 8.8.8.8:53 | 5.103.217.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.37.104.87.in-addr.arpa | udp |
| N/A | 127.0.0.1:49804 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| CA | 144.217.103.5:8443 | tcp | |
| DK | 87.104.37.132:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 135.181.63.118:9100 | tcp | |
| N/A | 127.0.0.1:49945 | tcp | |
| US | 152.86.12.4:420 | tcp | |
| US | 8.8.8.8:53 | 118.63.181.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.12.86.152.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:50041 | tcp | |
| DE | 85.215.42.225:9001 | tcp | |
| FI | 135.181.63.118:9100 | tcp | |
| US | 8.8.8.8:53 | 225.42.215.85.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 199.184.215.11:9090 | tcp | |
| US | 8.8.8.8:53 | 11.215.184.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| N/A | 127.0.0.1:50138 | tcp | |
| NL | 194.126.173.158:24752 | tcp | |
| FI | 135.181.63.118:9100 | tcp | |
| US | 8.8.8.8:53 | 158.173.126.194.in-addr.arpa | udp |
| DE | 85.215.42.225:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50205 | tcp | |
| DK | 185.96.88.29:443 | tcp | |
| DE | 85.215.42.225:9001 | tcp | |
| FI | 135.181.63.118:9100 | tcp | |
| DE | 159.69.71.228:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 228.71.69.159.in-addr.arpa | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50263 | tcp | |
| CA | 192.160.102.165:9001 | tcp | |
| DE | 85.215.42.225:9001 | tcp | |
| FI | 135.181.63.118:9100 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| SE | 109.105.109.162:60784 | tcp | |
| N/A | 127.0.0.1:50321 | tcp | |
| DE | 85.215.42.225:9001 | tcp | |
| US | 8.8.8.8:53 | 162.109.105.109.in-addr.arpa | udp |
| FI | 135.181.63.118:9100 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| CA | 149.56.141.138:9001 | tcp | |
| N/A | 127.0.0.1:50397 | tcp | |
| DE | 85.215.42.225:9001 | tcp | |
| FI | 135.181.63.118:9100 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50474 | tcp | |
| DE | 5.45.111.149:443 | tcp | |
| DE | 85.215.42.225:9001 | tcp | |
| US | 8.8.8.8:53 | 149.111.45.5.in-addr.arpa | udp |
| FI | 135.181.63.118:9100 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 166.70.207.2:9101 | tcp | |
| N/A | 127.0.0.1:50533 | tcp | |
| FI | 135.181.63.118:9100 | tcp | |
| US | 8.8.8.8:53 | 2.207.70.166.in-addr.arpa | udp |
| DE | 85.215.42.225:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50579 | tcp | |
| CA | 192.160.102.170:9001 | tcp | |
| FI | 135.181.63.118:9100 | tcp | |
| DE | 85.215.42.225:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:50641 | tcp | |
| US | 50.7.74.170:9001 | tcp | |
| FI | 135.181.63.118:9100 | tcp | |
| DE | 85.215.42.225:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp |
Files
memory/4024-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4024-1-0x0000000073550000-0x000000007358A000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
memory/2788-14-0x0000000000C30000-0x0000000001034000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/2788-31-0x0000000072B40000-0x0000000072C08000-memory.dmp
memory/2788-35-0x00000000728A0000-0x00000000728C4000-memory.dmp
memory/2788-34-0x00000000728D0000-0x0000000072958000-memory.dmp
memory/2788-33-0x0000000072960000-0x0000000072A6A000-memory.dmp
memory/2788-32-0x0000000072A70000-0x0000000072B3E000-memory.dmp
memory/2788-38-0x00000000735D0000-0x0000000073619000-memory.dmp
memory/2788-37-0x00000000725D0000-0x000000007289F000-memory.dmp
memory/2788-36-0x0000000001800000-0x0000000001ACF000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/4024-42-0x00000000722C0000-0x00000000722FA000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
memory/4024-51-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2788-55-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/2788-60-0x00000000728D0000-0x0000000072958000-memory.dmp
memory/2788-59-0x0000000072960000-0x0000000072A6A000-memory.dmp
memory/2788-58-0x0000000072A70000-0x0000000072B3E000-memory.dmp
memory/2788-56-0x0000000072B40000-0x0000000072C08000-memory.dmp
memory/2788-62-0x00000000725D0000-0x000000007289F000-memory.dmp
memory/2788-61-0x00000000728A0000-0x00000000728C4000-memory.dmp
memory/4024-67-0x0000000000400000-0x0000000000BD8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 3cda87820c038d2979c9bbe1e7002f64 |
| SHA1 | d3b7d38e1fad5a25c741e2070a2b5ce4048d583b |
| SHA256 | 1a767ec1d446eb3db6c507cf4c3b82fe1feb21e55f209a0e358fe16715d1fc36 |
| SHA512 | 80d3a0031942e1ef0ffbf2dbb41e6c12daeed45bf3710e9e755b9990b9d373d880b0c46f92f67ec48c4c064adc3248e1874c96e52a24e86bda6cd8c69a7a56c3 |
memory/2788-71-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/2788-72-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/2788-82-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/2788-91-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/4024-99-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4024-100-0x0000000072E20000-0x0000000072E5A000-memory.dmp
memory/2788-101-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/4024-109-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2788-110-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/2788-122-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/2788-153-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/4212-168-0x00000000725D0000-0x000000007289F000-memory.dmp
memory/4212-167-0x00000000728D0000-0x0000000072958000-memory.dmp
memory/4212-166-0x0000000072960000-0x0000000072A6A000-memory.dmp
memory/4212-165-0x00000000728A0000-0x00000000728C4000-memory.dmp
memory/4212-164-0x00000000735D0000-0x0000000073619000-memory.dmp
memory/4212-163-0x0000000072A70000-0x0000000072B3E000-memory.dmp
memory/4212-162-0x0000000072B40000-0x0000000072C08000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 0426cb839fb387e5d5931d780c970612 |
| SHA1 | 5b06f4e9d1605744d1292746188df21bafc4e134 |
| SHA256 | aad2ae644667554fa9c177c6a2d43cf10cd2058d31217eaa6283b5d0b5bf0449 |
| SHA512 | 291ac803bf25c8a203f8ac25bc90710a6dc27b91be1b05d430329226a967b8b70134b7f2927a5f49bdf0d5e69e3dd0984b9f1cc01513ac67d221c1e3cbcd99aa |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | 6fca2f1300d50b8fceef62317f69da09 |
| SHA1 | 6006c752e82a84a0b05fee1f6f5e355fe2f461d4 |
| SHA256 | 5193bd0c613f1f9580170220020e1383fb7aad43cf279afbe80d3a0d0b4aa0f5 |
| SHA512 | 280bbd6227eadef4f6a0c7d57cef11a607a698d26127c96a286fb797a3eabb01eb67c04bb002166a50c95ed4c87b7fa49fb5c20b67384df74a1210e05659d1ba |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | a601e0e01f58700aa0863dd77be45056 |
| SHA1 | 758d54d7b9eb3e6fe3c76b5979f0181baa2ded45 |
| SHA256 | 9616f409d12228ed3656a1f4aad7a444fcc10a8693e4b69908254ed47c6ee7c9 |
| SHA512 | 6ed01ed2570316607efed5e2897cff05c37cbee15c97f46f78688771ee42ad2638d6083acbe2e9e4ec2453fc1f047ecb129293bc4d82ea35f5f527b51d2b6135 |
memory/4212-190-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/4212-199-0x0000000072B40000-0x0000000072C08000-memory.dmp
memory/4024-202-0x0000000072DF0000-0x0000000072E2A000-memory.dmp
memory/4212-201-0x00000000728A0000-0x00000000728C4000-memory.dmp
memory/4212-200-0x0000000072A70000-0x0000000072B3E000-memory.dmp
memory/4212-203-0x00000000725D0000-0x000000007289F000-memory.dmp
memory/4212-237-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/3564-252-0x00000000725E0000-0x0000000072668000-memory.dmp
memory/3564-253-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/3564-251-0x0000000072670000-0x000000007277A000-memory.dmp
memory/3564-250-0x0000000072780000-0x00000000727A4000-memory.dmp
memory/3564-249-0x00000000735D0000-0x0000000073619000-memory.dmp
memory/3564-248-0x00000000727B0000-0x000000007287E000-memory.dmp
memory/3564-247-0x0000000072880000-0x0000000072948000-memory.dmp
memory/3564-246-0x0000000000C30000-0x0000000001034000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 1621db80ab491397beff148d561561fa |
| SHA1 | e80363112b53038f74112a4054557969f3c0251d |
| SHA256 | b60db38a840762db5a4c5f3741fb11942f2c5432966cb414798050797df61d66 |
| SHA512 | 40833bdf8ddead8634f471526f919eb173aa17c66898353b54f4e0e85fc0711ef4451a3e5c17feff72a6927b9e54e4b3c935057b7d00c2dc16fcc700e7a3655e |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | 7e6a139bc899bbcd05a1f17a872dbd74 |
| SHA1 | 8fc3866e3c708ad1c78f13e2433edde0866d981c |
| SHA256 | 3b9bf01fa52338612e1c98aedaca98b33fadd5adf40d4abf6aeaa634a958474e |
| SHA512 | 7c874c7a36b6dfba5df2f7b0a50c91380db9668332a62087efae1794529e1b2df51d0050234094d6f7266b2c94f23ef3b105a3fb4a13ca55a54177710747e1e9 |
memory/3564-269-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/3564-278-0x0000000072880000-0x0000000072948000-memory.dmp
memory/4024-281-0x0000000071CE0000-0x0000000071D1A000-memory.dmp
memory/3564-280-0x0000000072780000-0x00000000727A4000-memory.dmp
memory/3564-279-0x00000000727B0000-0x000000007287E000-memory.dmp
memory/3564-283-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/4024-293-0x0000000073550000-0x000000007358A000-memory.dmp
memory/4024-303-0x00000000722C0000-0x00000000722FA000-memory.dmp
memory/3564-324-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/3400-336-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/3400-337-0x00000000727B0000-0x000000007287E000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 118e1fa7c8274f00c8f2713678fc5da4 |
| SHA1 | 14306e633a27d5e934cccb6f7f8ef9124218db3a |
| SHA256 | 70ffc0874c78a8894db9e58c45cc15643abd1328d81a51bd762ac74679b214a6 |
| SHA512 | c0035aafb197d97d516b601d40ffb29dae13c764240ffe43be825ff8f138a857f81c9ec96d9182542cd3692dacba2a2a0d61a7fc2bc52e75f6d2f29c12806602 |
memory/3400-342-0x0000000072880000-0x0000000072948000-memory.dmp
memory/3400-341-0x00000000725E0000-0x0000000072668000-memory.dmp
memory/3400-340-0x0000000072670000-0x000000007277A000-memory.dmp
memory/3400-339-0x0000000072780000-0x00000000727A4000-memory.dmp
memory/3400-338-0x00000000735D0000-0x0000000073619000-memory.dmp
memory/3400-357-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/3400-367-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/3400-368-0x00000000727B0000-0x000000007287E000-memory.dmp
memory/3400-369-0x0000000072880000-0x0000000072948000-memory.dmp
memory/4024-370-0x0000000072E20000-0x0000000072E5A000-memory.dmp
memory/3400-389-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/760-401-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/760-400-0x00000000725E0000-0x0000000072668000-memory.dmp
memory/760-399-0x0000000072670000-0x000000007277A000-memory.dmp
memory/760-398-0x00000000735D0000-0x0000000073619000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 2bb91d1189efb9830651baaf663514bd |
| SHA1 | eda4b0f211d75b3badf283b969d143e3fd387bbd |
| SHA256 | b655ae4e865f0d120652e2c9f2e1637d745241986480327db49eca8c4999f580 |
| SHA512 | 8069c0bb1aa208c3b940a7408b226e81e89b277d1a2bb78ebab54e05b5aac2e0987408c9b5b7d33d2da6f3568ce0e590d90b703e0fac6857cadca28cd18655ca |
memory/760-416-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/760-426-0x00000000727B0000-0x000000007287E000-memory.dmp
memory/760-427-0x0000000072780000-0x00000000727A4000-memory.dmp
memory/760-425-0x0000000072880000-0x0000000072948000-memory.dmp
memory/760-429-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/760-448-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/1320-452-0x00000000725E0000-0x0000000072668000-memory.dmp
memory/1320-451-0x0000000072670000-0x000000007277A000-memory.dmp
memory/1320-450-0x00000000735D0000-0x0000000073619000-memory.dmp
memory/1320-453-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/4024-457-0x0000000072DF0000-0x0000000072E2A000-memory.dmp
memory/1320-467-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/1320-478-0x0000000072780000-0x00000000727A4000-memory.dmp
memory/1320-477-0x00000000727B0000-0x000000007287E000-memory.dmp
memory/1320-476-0x0000000072880000-0x0000000072948000-memory.dmp
memory/1320-480-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/1320-499-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/4660-503-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/4660-502-0x00000000725E0000-0x0000000072668000-memory.dmp
memory/4660-501-0x0000000072670000-0x000000007277A000-memory.dmp
memory/4660-500-0x00000000735D0000-0x0000000073619000-memory.dmp
memory/4660-516-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/4660-527-0x0000000072780000-0x00000000727A4000-memory.dmp
memory/4660-526-0x00000000727B0000-0x000000007287E000-memory.dmp
memory/4660-525-0x0000000072880000-0x0000000072948000-memory.dmp
memory/4660-528-0x0000000072950000-0x0000000072C1F000-memory.dmp
memory/4660-566-0x0000000000C30000-0x0000000001034000-memory.dmp
memory/3688-573-0x00000000725E0000-0x0000000072604000-memory.dmp
memory/3688-572-0x0000000072610000-0x0000000072698000-memory.dmp
memory/3688-571-0x00000000726A0000-0x00000000727AA000-memory.dmp
memory/3688-570-0x00000000735D0000-0x0000000073619000-memory.dmp
memory/3688-569-0x00000000727B0000-0x000000007287E000-memory.dmp
memory/3688-568-0x0000000072880000-0x0000000072948000-memory.dmp
memory/3688-567-0x0000000072950000-0x0000000072C1F000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:38
Platform
win10v2004-20240419-en
Max time kernel
597s
Max time network
601s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BG | 213.183.60.21:443 | tcp | |
| N/A | 127.0.0.1:60250 | tcp | |
| FR | 163.172.157.213:443 | tcp | |
| FR | 163.172.176.167:443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FR | 212.47.229.2:9001 | tcp | |
| US | 154.35.175.225:443 | tcp | |
| US | 8.8.8.8:53 | 2.229.47.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 15.204.141.10:443 | tcp | |
| NL | 51.15.50.36:9001 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.50.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.141.204.15.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 15.204.141.10:443 | tcp | |
| NL | 51.15.50.36:9001 | tcp | |
| NL | 51.15.89.200:9001 | tcp | |
| N/A | 127.0.0.1:60415 | tcp | |
| US | 8.8.8.8:53 | 200.89.15.51.in-addr.arpa | udp |
| DE | 93.90.74.30:9090 | tcp | |
| US | 8.8.8.8:53 | 30.74.90.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:60514 | tcp | |
| US | 15.204.183.156:8443 | tcp | |
| NL | 51.15.89.200:9001 | tcp | |
| US | 8.8.8.8:53 | 156.183.204.15.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:60604 | tcp | |
| NO | 185.243.218.202:14443 | tcp | |
| US | 8.8.8.8:53 | 202.218.243.185.in-addr.arpa | udp |
| NL | 51.15.89.200:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:60673 | tcp | |
| N/A | 127.0.0.1:60685 | tcp | |
| US | 199.184.246.250:443 | tcp | |
| NL | 51.15.89.200:9001 | tcp | |
| NO | 185.243.218.202:14443 | tcp | |
| FI | 65.21.94.13:5443 | tcp | |
| US | 8.8.8.8:53 | 13.94.21.65.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:60782 | tcp | |
| FR | 95.128.43.164:443 | tcp | |
| NO | 185.243.218.202:14443 | tcp | |
| US | 8.8.8.8:53 | 164.43.128.95.in-addr.arpa | udp |
| NL | 51.15.89.200:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:60838 | tcp | |
| FR | 51.15.179.153:995 | tcp | |
| NO | 185.243.218.202:14443 | tcp | |
| NL | 51.15.89.200:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:60897 | tcp | |
| CA | 192.160.102.169:9001 | tcp | |
| NL | 51.15.89.200:9001 | tcp | |
| NO | 185.243.218.202:14443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:60947 | tcp | |
| DK | 185.96.88.29:443 | tcp | |
| NO | 185.243.218.202:14443 | tcp | |
| NL | 51.15.89.200:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| N/A | 127.0.0.1:61018 | tcp | |
| NL | 95.85.8.226:443 | tcp | |
| NL | 51.15.89.200:9001 | tcp | |
| NO | 185.243.218.202:14443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:61064 | tcp | |
| SE | 193.11.114.46:9003 | tcp | |
| NL | 51.15.89.200:9001 | tcp | |
| US | 8.8.8.8:53 | 46.114.11.193.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| NO | 185.243.218.202:14443 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:61111 | tcp | |
| DE | 5.45.111.149:443 | tcp | |
| NO | 185.243.218.202:14443 | tcp | |
| US | 8.8.8.8:53 | 149.111.45.5.in-addr.arpa | udp |
| NL | 51.15.89.200:9001 | tcp | |
| N/A | 127.0.0.1:45808 | tcp | |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:61160 | tcp | |
| DE | 131.188.40.188:11180 | tcp | |
| NL | 51.15.89.200:9001 | tcp | |
| US | 8.8.8.8:53 | 188.40.188.131.in-addr.arpa | udp |
| NL | 141.148.237.212:8081 | tcp | |
| US | 8.8.8.8:53 | 212.237.148.141.in-addr.arpa | udp |
| NO | 185.243.218.202:14443 | tcp |
Files
memory/2996-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2996-1-0x00000000750B0000-0x00000000750E9000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/4040-30-0x0000000074410000-0x0000000074459000-memory.dmp
memory/4040-29-0x0000000074460000-0x000000007452E000-memory.dmp
memory/4040-28-0x0000000074530000-0x00000000745F8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
memory/4040-22-0x0000000000200000-0x0000000000604000-memory.dmp
memory/4040-41-0x00000000743E0000-0x0000000074404000-memory.dmp
memory/4040-42-0x00000000742D0000-0x00000000743DA000-memory.dmp
memory/4040-44-0x00000000014B0000-0x0000000001538000-memory.dmp
memory/4040-45-0x00000000014B0000-0x000000000177F000-memory.dmp
memory/4040-46-0x0000000073F70000-0x000000007423F000-memory.dmp
memory/4040-43-0x0000000074240000-0x00000000742C8000-memory.dmp
memory/2996-47-0x0000000073C40000-0x0000000073C79000-memory.dmp
memory/2996-48-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4040-50-0x0000000074460000-0x000000007452E000-memory.dmp
memory/4040-52-0x0000000074410000-0x0000000074459000-memory.dmp
memory/4040-51-0x0000000074530000-0x00000000745F8000-memory.dmp
memory/4040-49-0x0000000000200000-0x0000000000604000-memory.dmp
memory/2996-57-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4040-58-0x0000000000200000-0x0000000000604000-memory.dmp
memory/4040-59-0x0000000000200000-0x0000000000604000-memory.dmp
memory/4040-67-0x00000000014B0000-0x0000000001538000-memory.dmp
memory/4040-68-0x00000000014B0000-0x000000000177F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
memory/4040-78-0x0000000000200000-0x0000000000604000-memory.dmp
memory/4040-87-0x0000000000200000-0x0000000000604000-memory.dmp
memory/2996-99-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2996-100-0x00000000750D0000-0x0000000075109000-memory.dmp
memory/4040-101-0x0000000000200000-0x0000000000604000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | dfa8b5787509c317bbe7c4956ae4ee61 |
| SHA1 | ae3d0d514a34206fdb6513ee37078433d87b9ce5 |
| SHA256 | f2506aca75376ffe8cdf303113880a27a29ce70d9d22dba9f14c90adba9af6c5 |
| SHA512 | 1d8f58d122b458c75cf7dc499a2f93e2dcc2b0cab2fee7a267c60eff5d9e9a6a064e9f6b1398551809e895e14238d2bf7f58988ddaa05e3d1925d3f752102413 |
memory/2996-110-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4040-111-0x0000000000200000-0x0000000000604000-memory.dmp
memory/4040-130-0x0000000000200000-0x0000000000604000-memory.dmp
memory/4040-157-0x0000000000200000-0x0000000000604000-memory.dmp
memory/3844-171-0x0000000074010000-0x0000000074098000-memory.dmp
memory/3844-172-0x00000000743D0000-0x000000007469F000-memory.dmp
memory/3844-170-0x00000000740A0000-0x00000000741AA000-memory.dmp
memory/3844-169-0x00000000741B0000-0x00000000741D4000-memory.dmp
memory/3844-168-0x00000000741E0000-0x0000000074229000-memory.dmp
memory/3844-167-0x0000000074230000-0x00000000742FE000-memory.dmp
memory/3844-166-0x0000000074300000-0x00000000743C8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | c4436df2f37ad19408e0e4cd6f86af40 |
| SHA1 | 3b9b7ca4378c72c69f37d4b72d6dc45d97617b56 |
| SHA256 | f11cc05280c6b8c0b95e7aba74db6d9cb0df75278dca289241a4ce1bd611905c |
| SHA512 | 567cc1c085f30a08aa2c3f89b08d013fb7cceeff8c210d7aab6e785ddb0f83ef9e7c690cc49b29cb0615c26dab180999921a64876bb8ae7084a00fbb6042f05c |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | 5d919374dbddc43d8727da8e296542a3 |
| SHA1 | 3f72e550f2c833a9d82e3b97cdf89dbaa64158cc |
| SHA256 | 4d0edd91b5d93fcaf30883952c8ac9d0b840210e8be370e07ca07d009c3dd462 |
| SHA512 | f4e3fb5e3e6ce605bbf5703d02414bfd4b7cdfbc6e1cf05db9ce809d4134bf034d8614951e84ea6e703d0d9018de59c81990751bb4ec42ad7c6a6b7cae7fcce8 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 3b24a2bb5c55392ac76f43e45d460b98 |
| SHA1 | 0e7dd30f878d580311822dbb1aef3f9c82b1eaab |
| SHA256 | 4c97a7c8488e830ffa74c0190a49f4c633113bb6fa304c6c072217699c651235 |
| SHA512 | 2b0f729a4a05d8c134883dedc4d61365f90c6fdff2f9285255dacaf636f99c07af66e86e4c751a83c82dc396bc2cc485f7b7763227f0519fcb86343885b42bf6 |
memory/3844-194-0x0000000000200000-0x0000000000604000-memory.dmp
memory/3844-203-0x0000000074300000-0x00000000743C8000-memory.dmp
memory/3844-205-0x00000000741B0000-0x00000000741D4000-memory.dmp
memory/3844-204-0x0000000074230000-0x00000000742FE000-memory.dmp
memory/2996-206-0x0000000073BD0000-0x0000000073C09000-memory.dmp
memory/3844-207-0x00000000743D0000-0x000000007469F000-memory.dmp
memory/3844-241-0x0000000000200000-0x0000000000604000-memory.dmp
memory/4316-255-0x0000000072E40000-0x0000000072EC8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 10376ccffe2767c55b8bbbec648da33a |
| SHA1 | e9d5861e880e194e26939c36b398a57d10bea606 |
| SHA256 | 8420eff47de63af3e6736a586e1b4810b001729edd30f852fd3e8ed09ff44fbc |
| SHA512 | 1f3a58483f8774c170b783fb83fd12feba5d3033978a80bab8430229192279682e55eb8a0eabb00945e8dfa10a169aa8bcb1a2528a87404b06759619b0d1367a |
memory/4316-256-0x0000000072FE0000-0x00000000732AF000-memory.dmp
memory/4316-250-0x0000000074150000-0x0000000074218000-memory.dmp
memory/4316-254-0x0000000072ED0000-0x0000000072FDA000-memory.dmp
memory/4316-253-0x0000000073F40000-0x0000000073F64000-memory.dmp
memory/4316-252-0x0000000074030000-0x0000000074079000-memory.dmp
memory/4316-251-0x0000000074080000-0x000000007414E000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | b7630e025ed89104b699ff10805b5607 |
| SHA1 | bd2d304aa3a24ad211875a9927dbde6b5b2c8f35 |
| SHA256 | 88168fa40f5acff043de1c87b8ac718747277f59cf35c0ae02ff243e58484b08 |
| SHA512 | f1438e57e3eb6cee0a63a4140c4397a58dde39b04b7c1b54a5ff221329211a496947d04c1b0bf5b3df97a997b42d57281934c948660d9fcea1ebf08623b9d2fe |
memory/4316-272-0x0000000000200000-0x0000000000604000-memory.dmp
memory/4316-281-0x0000000074150000-0x0000000074218000-memory.dmp
memory/4316-283-0x0000000073F40000-0x0000000073F64000-memory.dmp
memory/2996-284-0x0000000072C60000-0x0000000072C99000-memory.dmp
memory/4316-282-0x0000000074080000-0x000000007414E000-memory.dmp
memory/4316-285-0x0000000072FE0000-0x00000000732AF000-memory.dmp
memory/2996-296-0x00000000750B0000-0x00000000750E9000-memory.dmp
memory/2996-314-0x0000000073C40000-0x0000000073C79000-memory.dmp
memory/4316-325-0x0000000000200000-0x0000000000604000-memory.dmp
memory/3044-340-0x0000000072E40000-0x0000000072EC8000-memory.dmp
memory/3044-341-0x0000000072FE0000-0x00000000732AF000-memory.dmp
memory/3044-339-0x0000000072ED0000-0x0000000072FDA000-memory.dmp
memory/3044-338-0x0000000073F40000-0x0000000073F64000-memory.dmp
memory/3044-337-0x0000000074030000-0x0000000074079000-memory.dmp
memory/3044-336-0x0000000074080000-0x000000007414E000-memory.dmp
memory/3044-335-0x0000000074150000-0x0000000074218000-memory.dmp
memory/3044-334-0x0000000000200000-0x0000000000604000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 51e01a505ae87bb158b2bdb853fb3d92 |
| SHA1 | 03d17b08649aa74eaa9377f99360c132272c1485 |
| SHA256 | a6f3d941c92c604eb564bd679c2a930ec7785f3577948f6554c1b94b960b5039 |
| SHA512 | e6ddbf321e2755fca0a6583c3341a3af4f6e6becd6694311c6eef4285cb34ddaa59a7adfe5abb7b2f80f4cc8064bc1a5b1520967a90a237ce3b9812e5ba60a8d |
memory/3044-356-0x0000000000200000-0x0000000000604000-memory.dmp
memory/3044-367-0x0000000073F40000-0x0000000073F64000-memory.dmp
memory/3044-368-0x0000000072ED0000-0x0000000072FDA000-memory.dmp
memory/3044-366-0x0000000074080000-0x000000007414E000-memory.dmp
memory/3044-365-0x0000000074150000-0x0000000074218000-memory.dmp
memory/3044-369-0x0000000072FE0000-0x00000000732AF000-memory.dmp
memory/2996-379-0x00000000750D0000-0x0000000075109000-memory.dmp
memory/3044-390-0x0000000000200000-0x0000000000604000-memory.dmp
memory/2276-404-0x0000000072FE0000-0x00000000732AF000-memory.dmp
memory/2276-403-0x0000000073F40000-0x0000000073F64000-memory.dmp
memory/2276-402-0x0000000072E40000-0x0000000072EC8000-memory.dmp
memory/2276-401-0x0000000072ED0000-0x0000000072FDA000-memory.dmp
memory/2276-400-0x0000000074030000-0x0000000074079000-memory.dmp
memory/2276-399-0x0000000074150000-0x0000000074218000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 81eaf0e446635325ab4aa184ad725b1c |
| SHA1 | ae78618be3b85547bb7c47cbe81334b0d6a124a2 |
| SHA256 | 9923f3e80e4c00291dd0c9057ac2af9c3dc63c63a7a3af3d0986296e09b9416b |
| SHA512 | d3fdc6879a749130a91812691e58a75536e1be44526f12f4e5f9f33361cfd5e9a9db42cc040b482697ac172253934fa1662ff416a66c74f043e27dc825bf6822 |
memory/3020-408-0x0000000000200000-0x0000000000604000-memory.dmp
memory/3020-414-0x0000000072ED0000-0x0000000072FDA000-memory.dmp
memory/3020-413-0x0000000073F40000-0x0000000073F64000-memory.dmp
memory/3020-412-0x0000000074030000-0x0000000074079000-memory.dmp
memory/3020-411-0x0000000074080000-0x000000007414E000-memory.dmp
memory/3020-410-0x0000000074150000-0x0000000074218000-memory.dmp
memory/3020-409-0x0000000072FE0000-0x00000000732AF000-memory.dmp
memory/3020-415-0x0000000072E40000-0x0000000072EC8000-memory.dmp
memory/3020-427-0x0000000074080000-0x000000007414E000-memory.dmp
memory/3020-426-0x0000000074150000-0x0000000074218000-memory.dmp
memory/3020-425-0x0000000072FE0000-0x00000000732AF000-memory.dmp
memory/3020-424-0x0000000000200000-0x0000000000604000-memory.dmp
memory/2276-440-0x0000000000200000-0x0000000000604000-memory.dmp
memory/2276-450-0x0000000074080000-0x000000007414E000-memory.dmp
memory/2276-449-0x0000000074150000-0x0000000074218000-memory.dmp
memory/2276-451-0x0000000072FE0000-0x00000000732AF000-memory.dmp
memory/2996-479-0x0000000073BD0000-0x0000000073C09000-memory.dmp
memory/2276-498-0x0000000000200000-0x0000000000604000-memory.dmp
memory/1624-500-0x0000000074150000-0x0000000074218000-memory.dmp
memory/1624-505-0x0000000072E40000-0x0000000072EC8000-memory.dmp
memory/1624-504-0x0000000072ED0000-0x0000000072FDA000-memory.dmp
memory/1624-503-0x0000000073F40000-0x0000000073F64000-memory.dmp
memory/1624-502-0x0000000074030000-0x0000000074079000-memory.dmp
memory/1624-501-0x0000000074080000-0x000000007414E000-memory.dmp
memory/1624-499-0x0000000072FE0000-0x00000000732AF000-memory.dmp
memory/1624-526-0x0000000000200000-0x0000000000604000-memory.dmp
memory/1624-527-0x0000000072FE0000-0x00000000732AF000-memory.dmp