Malware Analysis Report

2024-09-22 21:58

Sample ID: 240507-pnc1naff7z
Target: a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
SHA256: a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Tags: bitrat persistence trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449

Threat Level: Known bad

The file a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449 was found to be: Known bad.

Malicious Activity Summary

Tags: bitrat persistence trojan upx

Bitrat family
BitRAT
Loads dropped DLL
Checks computer location settings
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-07 12:28

Signatures

Bitrat family

bitrat

Unsigned PE


Analysis: behavioral5

Detonation Overview

Submitted: 2024-05-07 12:28
Reported: 2024-05-07 12:38
Platform: win11-20240419-en
Max time kernel: 599s
Max time network: 601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software


Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4428 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4428 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
    "C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe (14 instances, each started with the same command line)
    "C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network


Files

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/2968-43-0x0000000073DE0000-0x0000000073EEA000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/2968-42-0x00000000015F0000-0x00000000018BF000-memory.dmp

memory/2968-41-0x0000000000D40000-0x0000000000DC8000-memory.dmp

memory/2968-40-0x0000000073D50000-0x0000000073DD8000-memory.dmp

memory/2968-39-0x0000000073EF0000-0x00000000741BF000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/2968-35-0x00000000741C0000-0x0000000074288000-memory.dmp

memory/2968-31-0x0000000074290000-0x00000000742B4000-memory.dmp

memory/2968-30-0x00000000742C0000-0x0000000074309000-memory.dmp

memory/2968-29-0x0000000074310000-0x00000000743DE000-memory.dmp

memory/2968-26-0x0000000000DE0000-0x00000000011E4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/4428-47-0x0000000073A20000-0x0000000073A5C000-memory.dmp

memory/4428-48-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2968-50-0x0000000074310000-0x00000000743DE000-memory.dmp

memory/2968-56-0x0000000073D50000-0x0000000073DD8000-memory.dmp

memory/2968-54-0x0000000073EF0000-0x00000000741BF000-memory.dmp

memory/2968-53-0x00000000741C0000-0x0000000074288000-memory.dmp

memory/2968-52-0x0000000074290000-0x00000000742B4000-memory.dmp

memory/2968-51-0x00000000742C0000-0x0000000074309000-memory.dmp

memory/2968-49-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/4428-57-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2968-58-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2968-59-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2968-67-0x00000000015F0000-0x00000000018BF000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/2968-77-0x0000000000DE0000-0x00000000011E4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 69b288ed00969efa96a71f63f7bdce26
SHA1 693ec48d213545f10d891f00bf4d080ca0bda830
SHA256 45fd8d172efeb1d54833564d1c3b344529f100955bc42f3b3eb2de2f3693972a
SHA512 1740318fb550404000fac21e1ae994c72aab92783047faedafec8d9e2fb9984620cf237fef7b5f8691b4688f93861aefb23ec4660eb5318faacd7804376e094c

memory/2968-93-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/4428-102-0x0000000074D80000-0x0000000074DBC000-memory.dmp

memory/4428-101-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2968-104-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2968-113-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2968-122-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2968-150-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2480-160-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2480-167-0x0000000073DF0000-0x0000000073E78000-memory.dmp

memory/2480-166-0x0000000073E80000-0x0000000073F8A000-memory.dmp

memory/2480-165-0x0000000073F90000-0x0000000073FB4000-memory.dmp

memory/2480-164-0x0000000074CE0000-0x0000000074D29000-memory.dmp

memory/2480-163-0x0000000073FC0000-0x000000007408E000-memory.dmp

memory/2480-162-0x0000000074090000-0x0000000074158000-memory.dmp

memory/2480-161-0x0000000074160000-0x000000007442F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 0426cb839fb387e5d5931d780c970612
SHA1 5b06f4e9d1605744d1292746188df21bafc4e134
SHA256 aad2ae644667554fa9c177c6a2d43cf10cd2058d31217eaa6283b5d0b5bf0449
SHA512 291ac803bf25c8a203f8ac25bc90710a6dc27b91be1b05d430329226a967b8b70134b7f2927a5f49bdf0d5e69e3dd0984b9f1cc01513ac67d221c1e3cbcd99aa

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 d8c504050e8c023bfb1cfbcaad229623
SHA1 c09f55a2e1ef262904ee240e56b2288ed5a6ac46
SHA256 f3563eea844a07d161e6425efb23ddadf5e47a71943634720e362c6943d48086
SHA512 7638370246ac43e0b17ab3cf321a31f4293a5f0a384956b33b25c5ccefbfb99d705b7f225fd890eb2ee3d29ddcdd2cb33cdc15082cd04311f6002aca66c6cb91

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 e17ac067d70b50fbf0305ccdde132aaa
SHA1 b6b2bd34b2d8601fcbf94b29ab92d61df1a03600
SHA256 ba64944c5396bb5ba30b82281066c043df1d86503e11ffda33854d8fb7b692ef
SHA512 cf91f4f0ddde49e0a31fb4a995bcd1ae97c23c329d60cdc254da5616fc162ae2d526217a9d7fe4974fae7e6a10d20303d6beb6c0b3b5973dd84a64af8e719ee0

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 f74f0ce702769b4799ffd2d2ea3d26f8
SHA1 d651312c6bde68c39c605ce1838bcf91f41c4778
SHA256 0f5df6ec7191b62cbd6175de8120507dc67836b32c49f1c833fe496b4ce69319
SHA512 7603b4a41c59d4d7a01bebcdafe199188531c56dac15616e1c91dc0efba58af18ac5f3168976525ce32b5ed963f666e6d3ee68d83f662d8d0cadf4abd824093b

memory/4428-201-0x00000000739B0000-0x00000000739EC000-memory.dmp

memory/2480-202-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2480-205-0x0000000073FC0000-0x000000007408E000-memory.dmp

memory/2480-204-0x0000000074090000-0x0000000074158000-memory.dmp

memory/2480-203-0x0000000074160000-0x000000007442F000-memory.dmp

memory/2480-242-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2972-253-0x0000000074160000-0x000000007442F000-memory.dmp

memory/2972-252-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2972-254-0x0000000074090000-0x0000000074158000-memory.dmp

memory/2972-261-0x0000000073DF0000-0x0000000073E78000-memory.dmp

memory/2972-260-0x0000000073E80000-0x0000000073F8A000-memory.dmp

memory/2972-259-0x0000000073F90000-0x0000000073FB4000-memory.dmp

memory/2972-258-0x0000000074CE0000-0x0000000074D29000-memory.dmp

memory/2972-257-0x0000000073FC0000-0x000000007408E000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 503a174104f8abae2c7f25c67a86e829
SHA1 05a939900b0b8153938ae30f1fd7491b9c164d52
SHA256 215a3f8ea20243f40fc8dd82853d70e0fe4cb8f3e30c3c22dcbd1d771259f939
SHA512 dd34b9f49a5dc0be9fb6b27559b7bc34599aab36eed4b31c8e53ef37d14123d1e38ae4d9f9e14571fdd498dc0221847044b591ac634c2eaec54e9a726b6a0edd

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 ae915a4e7f2275799d78af387ed8cc19
SHA1 9b41a3b99ada2c39d21d52df3384747a6250f892
SHA256 7db2d6e609b48955088871896f5f0354ed6653aa4ccebeebc98ff7ee68b36c62
SHA512 010b41a3399b809efd9ca622065d4f5b824d75df915ee651a086d7275172dfd7cb9072139801d4bbca11b9c600e5c42e003a834f55e5ac0f256d835547981799

memory/4428-287-0x00000000739B0000-0x00000000739EC000-memory.dmp

memory/2972-288-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2972-291-0x0000000073FC0000-0x000000007408E000-memory.dmp

memory/2972-290-0x0000000074090000-0x0000000074158000-memory.dmp

memory/2972-289-0x0000000074160000-0x000000007442F000-memory.dmp

memory/4428-292-0x0000000074DC0000-0x0000000074DFC000-memory.dmp

memory/4428-309-0x0000000073A20000-0x0000000073A5C000-memory.dmp

memory/2972-327-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/1892-342-0x0000000072C80000-0x0000000072F4F000-memory.dmp

memory/1892-341-0x0000000073DF0000-0x0000000073E78000-memory.dmp

memory/1892-340-0x0000000072B70000-0x0000000072C7A000-memory.dmp

memory/1892-339-0x0000000073E80000-0x0000000073EA4000-memory.dmp

memory/1892-338-0x0000000074CE0000-0x0000000074D29000-memory.dmp

memory/1892-337-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

memory/1892-336-0x0000000073F80000-0x0000000074048000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 a8118bfee0e69f50a21165a0377d285d
SHA1 434a1000713c80dc7faf4d819ee6c808eb279b0b
SHA256 4eb6d8a3cc74a7fd90cd53cdc586da57d00120c2cb82aaf5013f5e95e27534d6
SHA512 21ce4cb41f73f19cba4f97e96b4145d46e3f603b16b5b64d8ccc109f79748c90d491152fa710adb362c5561c2cfb4f868d7c4ed504b45c38b3e7dda7411d9f25

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 47ef005e991fb83255ea44c65237107c
SHA1 e5325dced19f98e3fce2194ef6d69865a8b8e479
SHA256 43652fe07e217284e65e0d77b346c5f80e18f270f167a04570fa2da6f6766676
SHA512 3632856e4682e7976b34f940087e5db6724a476702a1aa418659ee6de6a38ca69d6fc6d1227c43b63bf4e711b6d23e2b2cf01645b6598b3155475ee989391c9b

memory/1892-358-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/1892-369-0x0000000073E80000-0x0000000073EA4000-memory.dmp

memory/4428-370-0x0000000072940000-0x000000007297C000-memory.dmp

memory/1892-368-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

memory/1892-367-0x0000000073F80000-0x0000000074048000-memory.dmp

memory/1892-371-0x0000000072C80000-0x0000000072F4F000-memory.dmp

memory/4428-381-0x0000000074D80000-0x0000000074DBC000-memory.dmp

memory/1892-392-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/1692-402-0x0000000072C80000-0x0000000072F4F000-memory.dmp

memory/1692-401-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/1692-409-0x0000000073DF0000-0x0000000073E78000-memory.dmp

memory/1692-408-0x0000000072B70000-0x0000000072C7A000-memory.dmp

memory/1692-407-0x0000000073E80000-0x0000000073EA4000-memory.dmp

memory/1692-406-0x0000000074CE0000-0x0000000074D29000-memory.dmp

memory/1692-405-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

memory/1692-404-0x0000000073F80000-0x0000000074048000-memory.dmp

memory/1692-430-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/1692-432-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

memory/1692-431-0x0000000072C80000-0x0000000072F4F000-memory.dmp

memory/1692-451-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/3348-453-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/3348-458-0x0000000073E80000-0x0000000073EA4000-memory.dmp

memory/3348-460-0x0000000073DF0000-0x0000000073E78000-memory.dmp

memory/3348-459-0x0000000072B70000-0x0000000072C7A000-memory.dmp

memory/3348-457-0x0000000074CE0000-0x0000000074D29000-memory.dmp

memory/3348-456-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

memory/3348-455-0x0000000073F80000-0x0000000074048000-memory.dmp

memory/3348-454-0x0000000072C80000-0x0000000072F4F000-memory.dmp

memory/4428-472-0x00000000739B0000-0x00000000739EC000-memory.dmp

memory/3348-483-0x0000000072C80000-0x0000000072F4F000-memory.dmp

memory/3348-484-0x0000000073F80000-0x0000000074048000-memory.dmp

memory/3348-485-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

memory/3348-482-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/3348-504-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2524-512-0x0000000073DF0000-0x0000000073E78000-memory.dmp

memory/2524-511-0x0000000072B70000-0x0000000072C7A000-memory.dmp

memory/2524-510-0x0000000073E80000-0x0000000073EA4000-memory.dmp

memory/2524-509-0x0000000074CE0000-0x0000000074D29000-memory.dmp

memory/2524-508-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

memory/2524-507-0x0000000073F80000-0x0000000074048000-memory.dmp

memory/2524-506-0x0000000072C80000-0x0000000072F4F000-memory.dmp

memory/2524-505-0x0000000000DE0000-0x00000000011E4000-memory.dmp

memory/2524-534-0x0000000000DE0000-0x00000000011E4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:38

Platform

win10v2004-20240419-en

Max time kernel

600s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 116 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FR 193.70.43.76:9001 tcp
N/A 127.0.0.1:55550 tcp
RO 185.100.85.61:443 tcp
US 8.8.8.8:53 61.85.100.185.in-addr.arpa udp
BE 193.190.168.53:9001 tcp
DE 185.220.101.201:443 tcp
US 8.8.8.8:53 53.168.190.193.in-addr.arpa udp
US 8.8.8.8:53 201.101.220.185.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
DE 185.220.101.201:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
GB 81.0.218.34:443 tcp
US 51.81.56.74:443 tcp
N/A 127.0.0.1:55703 tcp
US 8.8.8.8:53 34.218.0.81.in-addr.arpa udp
US 8.8.8.8:53 74.56.81.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:45808 tcp
GB 81.0.218.34:443 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
N/A 127.0.0.1:55829 tcp
DE 88.99.7.87:9001 tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
FI 95.216.61.211:443 tcp
US 8.8.8.8:53 87.7.99.88.in-addr.arpa udp
US 8.8.8.8:53 211.61.216.95.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
FR 85.208.144.164:443 tcp
N/A 127.0.0.1:55915 tcp
LT 188.214.132.49:9001 tcp
US 8.8.8.8:53 164.144.208.85.in-addr.arpa udp
DE 188.68.38.76:9001 tcp
US 8.8.8.8:53 49.132.214.188.in-addr.arpa udp
US 8.8.8.8:53 76.38.68.188.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:55983 tcp
N/A 127.0.0.1:55991 tcp
DK 185.96.88.29:443 tcp
FR 163.172.76.56:9001 tcp
US 8.8.8.8:53 56.76.172.163.in-addr.arpa udp
FR 146.59.234.220:443 tcp
US 8.8.8.8:53 220.234.59.146.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:56077 tcp
FR 51.254.147.57:443 tcp
SE 193.105.134.187:9001 tcp
FR 45.158.77.29:9000 tcp
US 8.8.8.8:53 187.134.105.193.in-addr.arpa udp
US 8.8.8.8:53 29.77.158.45.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
CZ 46.28.110.244:443 tcp
N/A 127.0.0.1:56134 tcp
GB 185.164.138.211:9005 tcp
US 8.8.8.8:53 211.138.164.185.in-addr.arpa udp
CZ 185.216.35.222:9001 tcp
US 8.8.8.8:53 222.35.216.185.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:56189 tcp
DE 178.254.7.88:8443 tcp
DE 5.9.66.94:54782 tcp
US 8.8.8.8:53 94.66.9.5.in-addr.arpa udp
FR 178.33.36.64:8080 tcp
US 8.8.8.8:53 64.36.33.178.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:56242 tcp
US 166.70.207.2:9101 tcp
US 51.81.56.74:443 tcp
US 8.8.8.8:53 2.207.70.166.in-addr.arpa udp
DE 144.91.125.15:9001 tcp
US 8.8.8.8:53 15.125.91.144.in-addr.arpa udp
DE 79.137.202.92:443 tcp
US 8.8.8.8:53 92.202.137.79.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
SE 193.11.164.243:9001 tcp
N/A 127.0.0.1:56297 tcp
FR 146.59.234.220:443 tcp
US 8.8.8.8:53 243.164.11.193.in-addr.arpa udp
CH 185.183.194.90:443 tcp
US 8.8.8.8:53 90.194.183.185.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:56360 tcp
PL 54.37.139.118:9001 tcp
FR 178.33.36.64:8080 tcp
US 8.8.8.8:53 118.139.37.54.in-addr.arpa udp
FR 146.59.234.220:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:56406 tcp
US 154.35.175.225:443 tcp
DE 148.251.51.34:9993 tcp
US 8.8.8.8:53 34.51.251.148.in-addr.arpa udp
IT 95.141.32.124:22222 tcp
US 8.8.8.8:53 124.32.141.95.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
NL 37.218.242.26:9001 tcp
US 8.8.8.8:53 26.242.218.37.in-addr.arpa udp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:56470 tcp
CA 192.160.102.168:9001 tcp
N/A 207.90.194.2:443 tcp
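
The Network table above mixes three kinds of traffic, and reading it as a flat list hides that. Every *.in-addr.arpa query to 8.8.8.8 is a PTR (reverse) lookup whose label carries the target address with its octets reversed, so 61.85.100.185.in-addr.arpa is the lookup for 185.100.85.61, the RO endpoint two rows earlier; whether the sample or the sandbox's own enrichment issued these lookups is not something the table settles. The repeated 127.0.0.1:45808 rows are loopback connections. The remaining rows are external endpoints, many on 9001 (Tor's default ORPort) and 443, which together with test2.exe -f torrc and the cached-microdesc-consensus file in the Files section is what a Tor client bootstrapping looks like. Relay addresses rotate and are shared by every Tor user, so they make poor blocklist entries; the myexternalip.com lookup and a Tor bootstrap out of a user profile directory are the durable indicators. The script below is an added example, not part of the report: it parses rows in the report's own layout (a few rows are copied in as constructed sample input), separates the three categories, pairs each PTR lookup with the endpoint it refers to, and counts external endpoints per port.

```python
"""Split a sandbox report's flat Network table into PTR lookups, loopback
traffic and external endpoints. Added example; not the report's own code."""
import re
from collections import Counter

# Constructed sample input: rows copied from the report's Network table.
SAMPLE_ROWS = """\
US 8.8.8.8:53 61.85.100.185.in-addr.arpa udp
RO 185.100.85.61:443 tcp
BE 193.190.168.53:9001 tcp
US 8.8.8.8:53 53.168.190.193.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
FR 193.70.43.76:9001 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Country, ip:port, optional domain, proto. The domain column is empty on
# most TCP rows, which is why a naive split() on the line shifts columns.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_to_ip(name):
    """'61.85.100.185.in-addr.arpa' -> '185.100.85.61' (labels are reversed)."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    labels = name[: -len(".in-addr.arpa")].split(".")
    if len(labels) != 4 or not all(lab.isdigit() and int(lab) <= 255 for lab in labels):
        return None
    return ".".join(reversed(labels))


def classify(rows):
    """Bucket rows: PTR lookups (keyed by the IP they resolve), forward name
    lookups, loopback connections per port, and external (ip, port, domain)."""
    out = {"ptr_lookups": {}, "name_lookups": set(),
           "loopback": Counter(), "external": set()}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            target = ptr_to_ip(r["domain"])
            if target:
                out["ptr_lookups"][target] = r["domain"]
            elif r["domain"]:
                out["name_lookups"].add(r["domain"])
            continue
        if r["ip"].startswith("127."):
            out["loopback"][r["port"]] += 1
            continue
        out["external"].add((r["ip"], r["port"], r["domain"] or ""))
    return out


def ptr_coverage(summary):
    """External IPs that were also reverse-resolved, and those that were not."""
    external = {ip for ip, _, _ in summary["external"]}
    resolved = set(summary["ptr_lookups"])
    return external & resolved, external - resolved


def port_histogram(summary):
    """Number of distinct external endpoints per destination port."""
    return Counter(port for _, port, _ in summary["external"])
```

Run classify(parse_rows(text)) over the full table to get the external endpoint set for enrichment; port_histogram is the quick check that the bulk of the traffic sits on ORPort-style ports rather than on a fixed C2 address.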

Files

memory/116-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/116-1-0x0000000074CA0000-0x0000000074CD9000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/4992-33-0x00000000741A0000-0x00000000741E9000-memory.dmp

memory/4992-39-0x0000000000E20000-0x0000000000EA8000-memory.dmp

memory/4992-43-0x0000000073B60000-0x0000000073E2F000-memory.dmp

memory/4992-42-0x00000000015B0000-0x000000000187F000-memory.dmp

memory/4992-38-0x0000000073E30000-0x0000000073EB8000-memory.dmp

memory/4992-37-0x0000000073EC0000-0x0000000073FCA000-memory.dmp

memory/4992-32-0x0000000073FD0000-0x000000007409E000-memory.dmp

memory/4992-31-0x00000000740A0000-0x00000000740C4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/4992-30-0x00000000740D0000-0x0000000074198000-memory.dmp

memory/4992-29-0x0000000000380000-0x0000000000784000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 dde78eff34a6e66b6ea6d178bc426549
SHA1 b253863b59f1502d06dfbcd3dd14313fe44c9e78
SHA256 a869e89870d10561112f15016a20789dae97004d52c3258ddc11e0ebbc91137e
SHA512 343452cd55b21a98f663e3cede0d29f77545f03c93cb0a3caa06160419991023226e03e957cda1cc3ef9bcfcf0dc7a103f875048971f9b6eb94133448e410141

memory/116-58-0x0000000073750000-0x0000000073789000-memory.dmp

memory/116-62-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4992-70-0x0000000073E30000-0x0000000073EB8000-memory.dmp

memory/4992-71-0x0000000073B60000-0x0000000073E2F000-memory.dmp

memory/4992-69-0x0000000073EC0000-0x0000000073FCA000-memory.dmp

memory/4992-68-0x0000000073FD0000-0x000000007409E000-memory.dmp

memory/4992-67-0x00000000740A0000-0x00000000740C4000-memory.dmp

memory/4992-66-0x00000000740D0000-0x0000000074198000-memory.dmp

memory/4992-64-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4992-65-0x00000000741A0000-0x00000000741E9000-memory.dmp

memory/116-72-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4992-81-0x0000000000E20000-0x0000000000EA8000-memory.dmp

memory/4992-73-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4992-83-0x0000000000380000-0x0000000000784000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 3e8cc605f59eaae7094e0d28684f7adc
SHA1 e3df12b93a941088f6a6fa57226a4537545603f2
SHA256 b3954d0c474cb280d17bf109562403312ade070f0a17b3ac0534960e71445f88
SHA512 9cf6c40b9a52f4624f92ea58cea2222cd49e09d3a100f693c4aa5da312afc64c8d5039bdbeabe66c40f410d871755c7a49870fbc975b0e3e0531d50a79672688

memory/4992-93-0x0000000000380000-0x0000000000784000-memory.dmp

memory/116-102-0x0000000074CC0000-0x0000000074CF9000-memory.dmp

memory/116-101-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4992-103-0x0000000000380000-0x0000000000784000-memory.dmp

memory/116-111-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4992-112-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4992-127-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4992-155-0x0000000000380000-0x0000000000784000-memory.dmp

memory/2304-165-0x0000000073DD0000-0x0000000073E19000-memory.dmp

memory/2304-167-0x0000000073C00000-0x0000000073C88000-memory.dmp

memory/2304-170-0x0000000073DA0000-0x0000000073DC4000-memory.dmp

memory/2304-169-0x0000000073E20000-0x0000000073EEE000-memory.dmp

memory/2304-168-0x0000000073FC0000-0x000000007428F000-memory.dmp

memory/2304-166-0x0000000073C90000-0x0000000073D9A000-memory.dmp

memory/2304-161-0x0000000073EF0000-0x0000000073FB8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 c4436df2f37ad19408e0e4cd6f86af40
SHA1 3b9b7ca4378c72c69f37d4b72d6dc45d97617b56
SHA256 f11cc05280c6b8c0b95e7aba74db6d9cb0df75278dca289241a4ce1bd611905c
SHA512 567cc1c085f30a08aa2c3f89b08d013fb7cceeff8c210d7aab6e785ddb0f83ef9e7c690cc49b29cb0615c26dab180999921a64876bb8ae7084a00fbb6042f05c

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 af023f6bada4b432cb4b0006e7644a8b
SHA1 66a56d1ca6d0c68f438ed62963a1c3451d41d667
SHA256 df448c2b54ecb7be90a0e8ede35c094c3dab7a189795664fc939571e91c119af
SHA512 78f4a6ceea5be53c26afa785bd098f62abfc0b9a51aa3d69f9f8bda70534b937db7a6138267cfb2a0d0e47c839fbaa60657fba97f203e5480d46486087b9f943

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 fdf9ed5e194fb446e9a1a62b77399c7c
SHA1 76238f31db13321edd0189f33c95849f812ed936
SHA256 c49bbe4b32457df32b0a12f0d82756c35fafc6a68b39f2fba0868da4162bdc52
SHA512 09348d5a45b35d0bd2ebc6ce02bccda0e21e42fdba0263d7c39e5be19d6e582024df8f8f8c6e198605a185456451a6c2bff988addb7044307a762f9d75e4e214

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 308a07cb8a8a746dd8e4a37770eefa6b
SHA1 406ed322d3058d2345f37751f038ffc330f81d61
SHA256 2f2e81fa8999c834c2d826b03643b3336e638c6f402aec13c5f1e3c4265c885c
SHA512 cf571bb3e3345fe90e76b1824f26ad39c1cb80c4a4643f1ee3e621a2652399f6fcf5a5095c9b83013ce2e1eebdbac8b202426ef26608120e654bcf435ff3189d

memory/2304-200-0x0000000000380000-0x0000000000784000-memory.dmp

memory/2304-202-0x0000000073DD0000-0x0000000073E19000-memory.dmp

memory/2304-201-0x0000000073EF0000-0x0000000073FB8000-memory.dmp

memory/116-214-0x00000000739C0000-0x00000000739F9000-memory.dmp

memory/2304-213-0x0000000073C00000-0x0000000073C88000-memory.dmp

memory/2304-212-0x0000000073C90000-0x0000000073D9A000-memory.dmp

memory/2304-216-0x0000000073FC0000-0x000000007428F000-memory.dmp

memory/2304-217-0x0000000073E20000-0x0000000073EEE000-memory.dmp

memory/2304-218-0x0000000073DA0000-0x0000000073DC4000-memory.dmp

memory/2304-261-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4304-269-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4304-274-0x0000000073C20000-0x0000000073C69000-memory.dmp

memory/4304-277-0x0000000072A80000-0x0000000072B8A000-memory.dmp

memory/4304-276-0x00000000729F0000-0x0000000072A78000-memory.dmp

memory/4304-275-0x0000000073B30000-0x0000000073B54000-memory.dmp

memory/4304-273-0x0000000073C70000-0x0000000073D3E000-memory.dmp

memory/4304-272-0x0000000073D40000-0x0000000073E08000-memory.dmp

memory/4304-271-0x0000000072B90000-0x0000000072E5F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 8b858e4b316cba7226ea7f88cb3e4808
SHA1 5cb309b83a652a298ec7340f0fecb2187f5c26ec
SHA256 eeb8b66a82b5d136f62041a64f1e655d0e126c9445c3ba871a0ea3d24e3bd603
SHA512 709840706cbe72fe2b84ff95725fd5684d23204cb0811f9659d656bed483a8d69d250a0f1e4d997ac4221138394399ea6723476c2ab73cbef60ba4de261e9c7e

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 e8cecdbe02c73244c24b1cde3d440e10
SHA1 5b63d9a3f55dc11fdcb27e2baa653a3a9c060cbd
SHA256 8c80e7f7758f14f4c3a0b2cbd281551740ad9bbb7cd6e4be8442dabe8cf14a84
SHA512 61b1461cf1fc700c2848d249f21bdd19207eabb88c06e84937552b4ed8df4ee3ff98df74e5ce6527bba2ddeee3e7973ae6670e7a63c2336f58c15b51a6137fb6

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 844f6a82e57e22d2f3b186d055853853
SHA1 d4ec829e46c90fb20206f9c21a371c2194160db8
SHA256 ee9134354862e280da0a6e6e71dba0144682e76768387f5ac0aa3f60dcfc6295
SHA512 c0c2e0e69545b2d3f2996749fa334f7b4df0b41e12ed099cd1d523e8436c90bc3a90d314e64a3e687567ca1dc2741954f5b40f93efa1bf350f1e42ec3a4ace24

memory/4304-297-0x0000000072B90000-0x0000000072E5F000-memory.dmp

memory/116-310-0x00000000739C0000-0x00000000739F9000-memory.dmp

memory/4304-309-0x0000000073B30000-0x0000000073B54000-memory.dmp

memory/4304-308-0x0000000073C70000-0x0000000073D3E000-memory.dmp

memory/4304-307-0x0000000073D40000-0x0000000073E08000-memory.dmp

memory/4304-306-0x0000000000380000-0x0000000000784000-memory.dmp

memory/116-312-0x0000000074CA0000-0x0000000074CD9000-memory.dmp

memory/116-330-0x0000000073750000-0x0000000073789000-memory.dmp

memory/4304-341-0x0000000000380000-0x0000000000784000-memory.dmp

memory/3580-355-0x00000000729F0000-0x0000000072A78000-memory.dmp

memory/3580-356-0x0000000072B90000-0x0000000072E5F000-memory.dmp

memory/3580-354-0x0000000072A80000-0x0000000072B8A000-memory.dmp

memory/3580-353-0x0000000073B30000-0x0000000073B54000-memory.dmp

memory/3580-352-0x0000000073C20000-0x0000000073C69000-memory.dmp

memory/3580-351-0x0000000073C70000-0x0000000073D3E000-memory.dmp

memory/3580-350-0x0000000073D40000-0x0000000073E08000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 2b86e95e6a484f99bfb1a7e4feca0c65
SHA1 051ef60461cebadb78f7297a605922f3b3848171
SHA256 619973d6ae96384057aa2068c4f6a3f256fb02669020de2aa1064d3d28418c6d
SHA512 a98cb427a6a2f527ae873085f83f21cdea7df37429a9e7e4f5f10b3403541ead67b0be43d6432088e1967abe75b3b1e537c8b6336a10b12bd50ef411ccbf23b0

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 25062967fbc2c59d5e2744e5ee429a58
SHA1 b2d97c6e86cf81447772e253d00263eecfa74c4d
SHA256 4bfaecc9b00025c3c3fa3939826bbc3f8838bb7f4bfcf32d314c8a21bd80cb4a
SHA512 b242950c478aacefd2e4d00649dc3432a45af132d0833a60dd20bbb7175d8da220370ad93f0c3968d3d07643906c7b340bda986f85c7b2d75852f6e76fb54802

memory/3580-372-0x0000000000380000-0x0000000000784000-memory.dmp

memory/3580-381-0x0000000073D40000-0x0000000073E08000-memory.dmp

memory/3580-382-0x0000000073C70000-0x0000000073D3E000-memory.dmp

memory/3580-383-0x0000000072B90000-0x0000000072E5F000-memory.dmp

memory/116-393-0x0000000074CC0000-0x0000000074CF9000-memory.dmp

memory/3580-404-0x0000000000380000-0x0000000000784000-memory.dmp

memory/2668-418-0x0000000072B90000-0x0000000072E5F000-memory.dmp

memory/2668-417-0x00000000729F0000-0x0000000072A78000-memory.dmp

memory/2668-416-0x0000000072A80000-0x0000000072B8A000-memory.dmp

memory/2668-415-0x0000000073B30000-0x0000000073B54000-memory.dmp

memory/2668-414-0x0000000073C20000-0x0000000073C69000-memory.dmp

memory/2668-413-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4044-424-0x0000000073B30000-0x0000000073B54000-memory.dmp

memory/4044-423-0x0000000072B90000-0x0000000072E5F000-memory.dmp

memory/4044-422-0x00000000729F0000-0x0000000072A78000-memory.dmp

memory/4044-421-0x0000000072A80000-0x0000000072B8A000-memory.dmp

memory/4044-420-0x0000000073C20000-0x0000000073C69000-memory.dmp

memory/4044-433-0x0000000072B90000-0x0000000072E5F000-memory.dmp

memory/4044-435-0x0000000073C70000-0x0000000073D3E000-memory.dmp

memory/4044-436-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4044-434-0x0000000073D40000-0x0000000073E08000-memory.dmp

memory/2668-448-0x0000000000380000-0x0000000000784000-memory.dmp

memory/2668-449-0x0000000073D40000-0x0000000073E08000-memory.dmp

memory/2668-450-0x0000000073C70000-0x0000000073D3E000-memory.dmp

memory/2668-451-0x0000000073B30000-0x0000000073B54000-memory.dmp

memory/2668-461-0x0000000072B90000-0x0000000072E5F000-memory.dmp

memory/2668-498-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4604-500-0x0000000073C20000-0x0000000073C69000-memory.dmp

memory/4604-503-0x0000000073B30000-0x0000000073B54000-memory.dmp

memory/4604-502-0x00000000729F0000-0x0000000072A78000-memory.dmp

memory/4604-501-0x0000000072A80000-0x0000000072B8A000-memory.dmp

memory/4604-499-0x0000000073D40000-0x0000000073E08000-memory.dmp

memory/4604-516-0x0000000000380000-0x0000000000784000-memory.dmp

memory/4604-527-0x0000000073C70000-0x0000000073D3E000-memory.dmp

memory/4604-526-0x0000000073D40000-0x0000000073E08000-memory.dmp

memory/4604-525-0x0000000072B90000-0x0000000072E5F000-memory.dmp

memory/4604-547-0x0000000000380000-0x0000000000784000-memory.dmp

memory/2624-550-0x0000000073C70000-0x0000000073D3E000-memory.dmp

memory/2624-548-0x0000000072B90000-0x0000000072E5F000-memory.dmp

memory/2624-549-0x0000000073D40000-0x0000000073E08000-memory.dmp
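
Several paths in the Files section are listed more than once with different hashes: data\state, data\cached-microdescs.new and the consensus files are rewritten by the Tor client as it bootstraps, so any hash taken from them is specific to this run and useless as an indicator. The hashes of the dropped binaries are stable, with a caveat for the DLLs: libevent, libssl/libcrypto, zlib1 and the libgcc/libwinpthread/libssp runtime DLLs are the ordinary dependencies of a Windows Tor build, so a hash match on them will also fire on legitimate Tor installs. test2.exe (run with Tor's -f torrc option and producing a Tor data directory) under the randomly named d46500b0\tor folder in %LOCALAPPDATA% is the specific part. The parser below is an added example, not part of the report: it reads entries in the report's own layout (a few are copied in as constructed sample input, including both observed hashes of data\state), drops the memory dump entries, splits stable from volatile paths automatically, and checks a byte blob against the stable set.

```python
"""Turn a sandbox report's Files section into hash indicators, separating
paths whose hash is stable from paths that were rewritten during the run.
Added example; not the report's own code."""
import hashlib
import re
from collections import defaultdict

# Constructed sample input: entries copied from the report's Files section
# (the SHA512 lines are left out here; the parser accepts them too).
SAMPLE_FILES = r"""
memory/116-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 c4436df2f37ad19408e0e4cd6f86af40
SHA256 f11cc05280c6b8c0b95e7aba74db6d9cb0df75278dca289241a4ce1bd611905c

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 8b858e4b316cba7226ea7f88cb3e4808
SHA256 eeb8b66a82b5d136f62041a64f1e655d0e126c9445c3ba871a0ea3d24e3bd603
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """One record per dropped-file entry, in report order, with hashes keyed
    by lower-case algorithm name. memory/... dump entries have no hashes
    and are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": line}
            entries.append(current)
    return [e for e in entries if "sha256" in e]


def split_stable_volatile(entries):
    """A path seen with one SHA-256 is a reusable indicator; a path seen with
    several was rewritten during the run and its hashes are run-specific."""
    by_path = defaultdict(set)
    for e in entries:
        by_path[e["path"]].add(e["sha256"])
    stable = {p: next(iter(h)) for p, h in by_path.items() if len(h) == 1}
    volatile = {p: sorted(h) for p, h in by_path.items() if len(h) > 1}
    return stable, volatile


def match_blob(data, stable):
    """Return the report path whose stable SHA-256 equals that of `data`,
    or None when the bytes match nothing in the stable set."""
    digest = hashlib.sha256(data).hexdigest()
    for path, sha in stable.items():
        if sha == digest:
            return path
    return None
```

Feed the whole Files section to parse_files and keep only the stable dictionary for hash-based hunting; the volatile dictionary is worth printing once so the analyst sees which paths to exclude rather than discovering it from false negatives.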

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:38

Platform

win7-20240220-en

Max time kernel

598s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows collapsed; no description, indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows collapsed; no description, indicator, process or target recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2792 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
SHA512 2607c00a409eaacec19ca0ebbed4da82a7216db96cff189a75cb2efd929d078acb58371544474acecf5e0be610ef495b36829731cd07528a0e41e8da256236ab

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 e283b535bb7c053075c9b765ebef221d
SHA1 6ebd43b0d6cd82c3a8f58a7f474d048186de9e24
SHA256 597f078609d541e176bd0f7cd562d49901cabe49adbf89068a07aa428badc7d0
SHA512 47ea12db51e51fe45666f6521665617dac95efbc82b12daf6557a41f17c126c85496de8db120b1b377b538083e5c5d33add5dd77c8d3301909d0042853f7e6a6

memory/1616-200-0x00000000749C0000-0x0000000074A48000-memory.dmp

memory/1616-199-0x0000000074A50000-0x0000000074B5A000-memory.dmp

memory/1616-198-0x0000000074B60000-0x0000000074C28000-memory.dmp

memory/1616-197-0x0000000074C30000-0x0000000074C79000-memory.dmp

memory/1616-196-0x00000000003E0000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 c8ded144c778f4947f78b818dd2a6ca9
SHA1 cd6e05ceb9c876e53271e0aa3172454fa21f7374
SHA256 f6d5ef7e5e6255c6f56a80c4e93df249ccd98aca5db63d40ed34391835eb6f3b
SHA512 e1732f7f5f33d0575c5beef8ce1f9f9156061748009e758779d584c13709611a6265750235ef8a220f1fc907933e010e4ce61e68381b75d3eec7bc9251e9812f

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 0369d12158b1f8b36344973d01f2ee0b
SHA1 cd1f8e5ad3a1f9eae49a53cd37e0a05ba780dc3b
SHA256 a8e63128611376c0b07247d9115ff37c08ebf6d1d8684ad071b76f61c0b8d72f
SHA512 9601c114149586eecae78fa93a141271b3293a7e197dd43f78be55012415348c1fdb91fa4f6fca9bfaaa92a10737d849e4f6176e000a2f14a3427353eb737024

memory/2792-228-0x0000000004D00000-0x0000000005104000-memory.dmp

memory/1616-229-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/1616-239-0x0000000074610000-0x00000000746DE000-memory.dmp

memory/1616-238-0x0000000074B60000-0x0000000074C28000-memory.dmp

memory/1616-240-0x00000000746E0000-0x00000000749AF000-memory.dmp

memory/1616-273-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/2064-276-0x0000000074C30000-0x0000000074C79000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 40dcc8dfb231d93452ecd6f7a30e238b
SHA1 92ba93eaeeac71d2876b7aade25283892080338e
SHA256 f6fa2aa1a43b13996bd8af8e9ed3e8037fe2349998ba00ec5689c870aebd51b9
SHA512 6d976e7c526c80ad7ebfff8dd18b86f2412095fa1b4df0da1f4ea6ad005adb33a2a7686b0a9d101522d66e5ef9120f1384117e32c3670b623fcb6997149da89a

memory/2064-282-0x00000000745E0000-0x0000000074604000-memory.dmp

memory/2064-281-0x0000000074610000-0x00000000746DE000-memory.dmp

memory/2064-279-0x00000000749C0000-0x0000000074A48000-memory.dmp

memory/2064-278-0x0000000074A50000-0x0000000074B5A000-memory.dmp

memory/2064-277-0x0000000074B60000-0x0000000074C28000-memory.dmp

memory/2064-275-0x00000000746E0000-0x00000000749AF000-memory.dmp

memory/2064-274-0x00000000003E0000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 60f5ca9fedf0fb9a26f6c1461644e24f
SHA1 8f79cf8ef55696d6746ebaa46efbd0e29b07dc7d
SHA256 217342d45c42cfd6b7e41a1c68571ace4124175708e3b79f18d27190b57c1213
SHA512 407627f685eef40d52f315a67a1b59c1d31a1016088e4e0dd7e39139d7507d35aa33814d83cfa423471f47033d62e8213b04f59be59ea393eca6853259ddd132

memory/2792-308-0x0000000004D00000-0x0000000005104000-memory.dmp

memory/2064-309-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/2064-310-0x00000000746E0000-0x00000000749AF000-memory.dmp

memory/2064-312-0x0000000074610000-0x00000000746DE000-memory.dmp

memory/2064-311-0x0000000074B60000-0x0000000074C28000-memory.dmp

memory/2792-323-0x0000000000D80000-0x0000000000D8A000-memory.dmp

memory/2064-356-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/1908-372-0x0000000074920000-0x00000000749A8000-memory.dmp

memory/1908-371-0x0000000074A00000-0x0000000074B0A000-memory.dmp

memory/1908-370-0x0000000074B10000-0x0000000074BD8000-memory.dmp

memory/1908-375-0x0000000073A90000-0x0000000073D5F000-memory.dmp

memory/1908-374-0x0000000074C50000-0x0000000074C74000-memory.dmp

memory/1908-373-0x0000000074850000-0x000000007491E000-memory.dmp

memory/1908-369-0x0000000074BE0000-0x0000000074C29000-memory.dmp

memory/1908-368-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/2792-362-0x00000000059D0000-0x0000000005DD4000-memory.dmp

memory/2792-387-0x0000000000D80000-0x0000000000D8A000-memory.dmp

memory/2792-389-0x00000000059D0000-0x0000000005DD4000-memory.dmp

memory/1908-390-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/1908-399-0x0000000074B10000-0x0000000074BD8000-memory.dmp

memory/1908-400-0x0000000074850000-0x000000007491E000-memory.dmp

memory/1908-402-0x0000000073A90000-0x0000000073D5F000-memory.dmp

memory/2792-413-0x0000000004830000-0x000000000483A000-memory.dmp

memory/2792-412-0x0000000004830000-0x000000000483A000-memory.dmp

memory/2012-444-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/2012-443-0x0000000074C00000-0x0000000074C24000-memory.dmp

memory/2012-442-0x0000000073C90000-0x0000000073D5E000-memory.dmp

memory/2012-441-0x0000000074A30000-0x0000000074AB8000-memory.dmp

memory/2012-440-0x00000000748A0000-0x00000000749AA000-memory.dmp

memory/2012-439-0x0000000074AC0000-0x0000000074B88000-memory.dmp

memory/2012-438-0x0000000074B90000-0x0000000074BD9000-memory.dmp

memory/2012-437-0x0000000073730000-0x00000000739FF000-memory.dmp

memory/1908-436-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/2792-456-0x0000000004830000-0x000000000483A000-memory.dmp

memory/2792-457-0x0000000004830000-0x000000000483A000-memory.dmp

memory/2792-458-0x0000000005B10000-0x0000000005F14000-memory.dmp

memory/2012-468-0x0000000073730000-0x00000000739FF000-memory.dmp

memory/2012-470-0x0000000073C90000-0x0000000073D5E000-memory.dmp

memory/2012-469-0x0000000074AC0000-0x0000000074B88000-memory.dmp

memory/2012-471-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/2456-505-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/2792-504-0x00000000058D0000-0x0000000005CD4000-memory.dmp

memory/2012-503-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/2792-526-0x00000000058D0000-0x0000000005CD4000-memory.dmp

memory/2456-527-0x00000000003E0000-0x00000000007E4000-memory.dmp

memory/2456-547-0x00000000003E0000-0x00000000007E4000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:38

Platform

win10-20240404-en

Max time kernel

599s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\ue900" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1ë°€" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\ueb00" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4024 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
FR 217.182.51.248:443 tcp
RO 185.225.17.3:443 tcp
US 128.31.0.13:443 tcp
US 8.8.8.8:53 13.0.31.128.in-addr.arpa udp
DK 87.104.37.132:443 tcp
CA 144.217.103.5:8443 tcp
US 8.8.8.8:53 5.103.217.144.in-addr.arpa udp
US 8.8.8.8:53 132.37.104.87.in-addr.arpa udp
N/A 127.0.0.1:49804 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:45808 tcp
CA 144.217.103.5:8443 tcp
DK 87.104.37.132:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 135.181.63.118:9100 tcp
N/A 127.0.0.1:49945 tcp
US 152.86.12.4:420 tcp
US 8.8.8.8:53 118.63.181.135.in-addr.arpa udp
US 8.8.8.8:53 4.12.86.152.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:50041 tcp
DE 85.215.42.225:9001 tcp
FI 135.181.63.118:9100 tcp
US 8.8.8.8:53 225.42.215.85.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 199.184.215.11:9090 tcp
US 8.8.8.8:53 11.215.184.199.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
N/A 127.0.0.1:50138 tcp
NL 194.126.173.158:24752 tcp
FI 135.181.63.118:9100 tcp
US 8.8.8.8:53 158.173.126.194.in-addr.arpa udp
DE 85.215.42.225:9001 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50205 tcp
DK 185.96.88.29:443 tcp
DE 85.215.42.225:9001 tcp
FI 135.181.63.118:9100 tcp
DE 159.69.71.228:9001 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 228.71.69.159.in-addr.arpa udp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50263 tcp
CA 192.160.102.165:9001 tcp
DE 85.215.42.225:9001 tcp
FI 135.181.63.118:9100 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
SE 109.105.109.162:60784 tcp
N/A 127.0.0.1:50321 tcp
DE 85.215.42.225:9001 tcp
US 8.8.8.8:53 162.109.105.109.in-addr.arpa udp
FI 135.181.63.118:9100 tcp
N/A 127.0.0.1:45808 tcp
CA 149.56.141.138:9001 tcp
N/A 127.0.0.1:50397 tcp
DE 85.215.42.225:9001 tcp
FI 135.181.63.118:9100 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50474 tcp
DE 5.45.111.149:443 tcp
DE 85.215.42.225:9001 tcp
US 8.8.8.8:53 149.111.45.5.in-addr.arpa udp
FI 135.181.63.118:9100 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
US 166.70.207.2:9101 tcp
N/A 127.0.0.1:50533 tcp
FI 135.181.63.118:9100 tcp
US 8.8.8.8:53 2.207.70.166.in-addr.arpa udp
DE 85.215.42.225:9001 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:50579 tcp
CA 192.160.102.170:9001 tcp
FI 135.181.63.118:9100 tcp
DE 85.215.42.225:9001 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50641 tcp
US 50.7.74.170:9001 tcp
FI 135.181.63.118:9100 tcp
DE 85.215.42.225:9001 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/4024-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4024-1-0x0000000073550000-0x000000007358A000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/2788-14-0x0000000000C30000-0x0000000001034000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/2788-31-0x0000000072B40000-0x0000000072C08000-memory.dmp

memory/2788-35-0x00000000728A0000-0x00000000728C4000-memory.dmp

memory/2788-34-0x00000000728D0000-0x0000000072958000-memory.dmp

memory/2788-33-0x0000000072960000-0x0000000072A6A000-memory.dmp

memory/2788-32-0x0000000072A70000-0x0000000072B3E000-memory.dmp

memory/2788-38-0x00000000735D0000-0x0000000073619000-memory.dmp

memory/2788-37-0x00000000725D0000-0x000000007289F000-memory.dmp

memory/2788-36-0x0000000001800000-0x0000000001ACF000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/4024-42-0x00000000722C0000-0x00000000722FA000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/4024-51-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2788-55-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/2788-60-0x00000000728D0000-0x0000000072958000-memory.dmp

memory/2788-59-0x0000000072960000-0x0000000072A6A000-memory.dmp

memory/2788-58-0x0000000072A70000-0x0000000072B3E000-memory.dmp

memory/2788-56-0x0000000072B40000-0x0000000072C08000-memory.dmp

memory/2788-62-0x00000000725D0000-0x000000007289F000-memory.dmp

memory/2788-61-0x00000000728A0000-0x00000000728C4000-memory.dmp

memory/4024-67-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 3cda87820c038d2979c9bbe1e7002f64
SHA1 d3b7d38e1fad5a25c741e2070a2b5ce4048d583b
SHA256 1a767ec1d446eb3db6c507cf4c3b82fe1feb21e55f209a0e358fe16715d1fc36
SHA512 80d3a0031942e1ef0ffbf2dbb41e6c12daeed45bf3710e9e755b9990b9d373d880b0c46f92f67ec48c4c064adc3248e1874c96e52a24e86bda6cd8c69a7a56c3

memory/2788-71-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/2788-72-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/2788-82-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/2788-91-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/4024-99-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4024-100-0x0000000072E20000-0x0000000072E5A000-memory.dmp

memory/2788-101-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/4024-109-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2788-110-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/2788-122-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/2788-153-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/4212-168-0x00000000725D0000-0x000000007289F000-memory.dmp

memory/4212-167-0x00000000728D0000-0x0000000072958000-memory.dmp

memory/4212-166-0x0000000072960000-0x0000000072A6A000-memory.dmp

memory/4212-165-0x00000000728A0000-0x00000000728C4000-memory.dmp

memory/4212-164-0x00000000735D0000-0x0000000073619000-memory.dmp

memory/4212-163-0x0000000072A70000-0x0000000072B3E000-memory.dmp

memory/4212-162-0x0000000072B40000-0x0000000072C08000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 0426cb839fb387e5d5931d780c970612
SHA1 5b06f4e9d1605744d1292746188df21bafc4e134
SHA256 aad2ae644667554fa9c177c6a2d43cf10cd2058d31217eaa6283b5d0b5bf0449
SHA512 291ac803bf25c8a203f8ac25bc90710a6dc27b91be1b05d430329226a967b8b70134b7f2927a5f49bdf0d5e69e3dd0984b9f1cc01513ac67d221c1e3cbcd99aa

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 6fca2f1300d50b8fceef62317f69da09
SHA1 6006c752e82a84a0b05fee1f6f5e355fe2f461d4
SHA256 5193bd0c613f1f9580170220020e1383fb7aad43cf279afbe80d3a0d0b4aa0f5
SHA512 280bbd6227eadef4f6a0c7d57cef11a607a698d26127c96a286fb797a3eabb01eb67c04bb002166a50c95ed4c87b7fa49fb5c20b67384df74a1210e05659d1ba

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 a601e0e01f58700aa0863dd77be45056
SHA1 758d54d7b9eb3e6fe3c76b5979f0181baa2ded45
SHA256 9616f409d12228ed3656a1f4aad7a444fcc10a8693e4b69908254ed47c6ee7c9
SHA512 6ed01ed2570316607efed5e2897cff05c37cbee15c97f46f78688771ee42ad2638d6083acbe2e9e4ec2453fc1f047ecb129293bc4d82ea35f5f527b51d2b6135

memory/4212-190-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/4212-199-0x0000000072B40000-0x0000000072C08000-memory.dmp

memory/4024-202-0x0000000072DF0000-0x0000000072E2A000-memory.dmp

memory/4212-201-0x00000000728A0000-0x00000000728C4000-memory.dmp

memory/4212-200-0x0000000072A70000-0x0000000072B3E000-memory.dmp

memory/4212-203-0x00000000725D0000-0x000000007289F000-memory.dmp

memory/4212-237-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/3564-252-0x00000000725E0000-0x0000000072668000-memory.dmp

memory/3564-253-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/3564-251-0x0000000072670000-0x000000007277A000-memory.dmp

memory/3564-250-0x0000000072780000-0x00000000727A4000-memory.dmp

memory/3564-249-0x00000000735D0000-0x0000000073619000-memory.dmp

memory/3564-248-0x00000000727B0000-0x000000007287E000-memory.dmp

memory/3564-247-0x0000000072880000-0x0000000072948000-memory.dmp

memory/3564-246-0x0000000000C30000-0x0000000001034000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 1621db80ab491397beff148d561561fa
SHA1 e80363112b53038f74112a4054557969f3c0251d
SHA256 b60db38a840762db5a4c5f3741fb11942f2c5432966cb414798050797df61d66
SHA512 40833bdf8ddead8634f471526f919eb173aa17c66898353b54f4e0e85fc0711ef4451a3e5c17feff72a6927b9e54e4b3c935057b7d00c2dc16fcc700e7a3655e

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 7e6a139bc899bbcd05a1f17a872dbd74
SHA1 8fc3866e3c708ad1c78f13e2433edde0866d981c
SHA256 3b9bf01fa52338612e1c98aedaca98b33fadd5adf40d4abf6aeaa634a958474e
SHA512 7c874c7a36b6dfba5df2f7b0a50c91380db9668332a62087efae1794529e1b2df51d0050234094d6f7266b2c94f23ef3b105a3fb4a13ca55a54177710747e1e9

memory/3564-269-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/3564-278-0x0000000072880000-0x0000000072948000-memory.dmp

memory/4024-281-0x0000000071CE0000-0x0000000071D1A000-memory.dmp

memory/3564-280-0x0000000072780000-0x00000000727A4000-memory.dmp

memory/3564-279-0x00000000727B0000-0x000000007287E000-memory.dmp

memory/3564-283-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/4024-293-0x0000000073550000-0x000000007358A000-memory.dmp

memory/4024-303-0x00000000722C0000-0x00000000722FA000-memory.dmp

memory/3564-324-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/3400-336-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/3400-337-0x00000000727B0000-0x000000007287E000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 118e1fa7c8274f00c8f2713678fc5da4
SHA1 14306e633a27d5e934cccb6f7f8ef9124218db3a
SHA256 70ffc0874c78a8894db9e58c45cc15643abd1328d81a51bd762ac74679b214a6
SHA512 c0035aafb197d97d516b601d40ffb29dae13c764240ffe43be825ff8f138a857f81c9ec96d9182542cd3692dacba2a2a0d61a7fc2bc52e75f6d2f29c12806602

memory/3400-342-0x0000000072880000-0x0000000072948000-memory.dmp

memory/3400-341-0x00000000725E0000-0x0000000072668000-memory.dmp

memory/3400-340-0x0000000072670000-0x000000007277A000-memory.dmp

memory/3400-339-0x0000000072780000-0x00000000727A4000-memory.dmp

memory/3400-338-0x00000000735D0000-0x0000000073619000-memory.dmp

memory/3400-357-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/3400-367-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/3400-368-0x00000000727B0000-0x000000007287E000-memory.dmp

memory/3400-369-0x0000000072880000-0x0000000072948000-memory.dmp

memory/4024-370-0x0000000072E20000-0x0000000072E5A000-memory.dmp

memory/3400-389-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/760-401-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/760-400-0x00000000725E0000-0x0000000072668000-memory.dmp

memory/760-399-0x0000000072670000-0x000000007277A000-memory.dmp

memory/760-398-0x00000000735D0000-0x0000000073619000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 2bb91d1189efb9830651baaf663514bd
SHA1 eda4b0f211d75b3badf283b969d143e3fd387bbd
SHA256 b655ae4e865f0d120652e2c9f2e1637d745241986480327db49eca8c4999f580
SHA512 8069c0bb1aa208c3b940a7408b226e81e89b277d1a2bb78ebab54e05b5aac2e0987408c9b5b7d33d2da6f3568ce0e590d90b703e0fac6857cadca28cd18655ca

memory/760-416-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/760-426-0x00000000727B0000-0x000000007287E000-memory.dmp

memory/760-427-0x0000000072780000-0x00000000727A4000-memory.dmp

memory/760-425-0x0000000072880000-0x0000000072948000-memory.dmp

memory/760-429-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/760-448-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/1320-452-0x00000000725E0000-0x0000000072668000-memory.dmp

memory/1320-451-0x0000000072670000-0x000000007277A000-memory.dmp

memory/1320-450-0x00000000735D0000-0x0000000073619000-memory.dmp

memory/1320-453-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/4024-457-0x0000000072DF0000-0x0000000072E2A000-memory.dmp

memory/1320-467-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/1320-478-0x0000000072780000-0x00000000727A4000-memory.dmp

memory/1320-477-0x00000000727B0000-0x000000007287E000-memory.dmp

memory/1320-476-0x0000000072880000-0x0000000072948000-memory.dmp

memory/1320-480-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/1320-499-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/4660-503-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/4660-502-0x00000000725E0000-0x0000000072668000-memory.dmp

memory/4660-501-0x0000000072670000-0x000000007277A000-memory.dmp

memory/4660-500-0x00000000735D0000-0x0000000073619000-memory.dmp

memory/4660-516-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/4660-527-0x0000000072780000-0x00000000727A4000-memory.dmp

memory/4660-526-0x00000000727B0000-0x000000007287E000-memory.dmp

memory/4660-525-0x0000000072880000-0x0000000072948000-memory.dmp

memory/4660-528-0x0000000072950000-0x0000000072C1F000-memory.dmp

memory/4660-566-0x0000000000C30000-0x0000000001034000-memory.dmp

memory/3688-573-0x00000000725E0000-0x0000000072604000-memory.dmp

memory/3688-572-0x0000000072610000-0x0000000072698000-memory.dmp

memory/3688-571-0x00000000726A0000-0x00000000727AA000-memory.dmp

memory/3688-570-0x00000000735D0000-0x0000000073619000-memory.dmp

memory/3688-569-0x00000000727B0000-0x000000007287E000-memory.dmp

memory/3688-568-0x0000000072880000-0x0000000072948000-memory.dmp

memory/3688-567-0x0000000072950000-0x0000000072C1F000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:38

Platform

win10v2004-20240419-en

Max time kernel

597s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2996 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BG 213.183.60.21:443 N/A tcp
N/A 127.0.0.1:60250 N/A tcp
FR 163.172.157.213:443 N/A tcp
FR 163.172.176.167:443 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FR 212.47.229.2:9001 N/A tcp
US 154.35.175.225:443 N/A tcp
US 8.8.8.8:53 2.229.47.212.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 15.204.141.10:443 N/A tcp
NL 51.15.50.36:9001 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 36.50.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.141.204.15.in-addr.arpa udp
N/A 127.0.0.1:45808 N/A tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 15.204.141.10:443 N/A tcp
NL 51.15.50.36:9001 N/A tcp
NL 51.15.89.200:9001 N/A tcp
N/A 127.0.0.1:60415 N/A tcp
US 8.8.8.8:53 200.89.15.51.in-addr.arpa udp
DE 93.90.74.30:9090 N/A tcp
US 8.8.8.8:53 30.74.90.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:45808 N/A tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:60514 N/A tcp
US 15.204.183.156:8443 N/A tcp
NL 51.15.89.200:9001 N/A tcp
US 8.8.8.8:53 156.183.204.15.in-addr.arpa udp
N/A 127.0.0.1:45808 N/A tcp
N/A 127.0.0.1:60604 N/A tcp
NO 185.243.218.202:14443 N/A tcp
US 8.8.8.8:53 202.218.243.185.in-addr.arpa udp
NL 51.15.89.200:9001 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:60673 N/A tcp
N/A 127.0.0.1:60685 N/A tcp
US 199.184.246.250:443 N/A tcp
NL 51.15.89.200:9001 N/A tcp
NO 185.243.218.202:14443 N/A tcp
FI 65.21.94.13:5443 N/A tcp
US 8.8.8.8:53 13.94.21.65.in-addr.arpa udp
N/A 127.0.0.1:45808 N/A tcp
N/A 127.0.0.1:60782 N/A tcp
FR 95.128.43.164:443 N/A tcp
NO 185.243.218.202:14443 N/A tcp
US 8.8.8.8:53 164.43.128.95.in-addr.arpa udp
NL 51.15.89.200:9001 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:60838 N/A tcp
FR 51.15.179.153:995 N/A tcp
NO 185.243.218.202:14443 N/A tcp
NL 51.15.89.200:9001 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
N/A 127.0.0.1:60897 N/A tcp
CA 192.160.102.169:9001 N/A tcp
NL 51.15.89.200:9001 N/A tcp
NO 185.243.218.202:14443 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:60947 N/A tcp
DK 185.96.88.29:443 N/A tcp
NO 185.243.218.202:14443 N/A tcp
NL 51.15.89.200:9001 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
N/A 127.0.0.1:61018 N/A tcp
NL 95.85.8.226:443 N/A tcp
NL 51.15.89.200:9001 N/A tcp
NO 185.243.218.202:14443 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:61064 N/A tcp
SE 193.11.114.46:9003 N/A tcp
NL 51.15.89.200:9001 N/A tcp
US 8.8.8.8:53 46.114.11.193.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
NO 185.243.218.202:14443 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:61111 N/A tcp
DE 5.45.111.149:443 N/A tcp
NO 185.243.218.202:14443 N/A tcp
US 8.8.8.8:53 149.111.45.5.in-addr.arpa udp
NL 51.15.89.200:9001 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:61160 N/A tcp
DE 131.188.40.188:11180 N/A tcp
NL 51.15.89.200:9001 N/A tcp
US 8.8.8.8:53 188.40.188.131.in-addr.arpa udp
NL 141.148.237.212:8081 N/A tcp
US 8.8.8.8:53 212.237.148.141.in-addr.arpa udp
NO 185.243.218.202:14443 N/A tcp

Files

memory/2996-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2996-1-0x00000000750B0000-0x00000000750E9000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/4040-30-0x0000000074410000-0x0000000074459000-memory.dmp

memory/4040-29-0x0000000074460000-0x000000007452E000-memory.dmp

memory/4040-28-0x0000000074530000-0x00000000745F8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/4040-22-0x0000000000200000-0x0000000000604000-memory.dmp

memory/4040-41-0x00000000743E0000-0x0000000074404000-memory.dmp

memory/4040-42-0x00000000742D0000-0x00000000743DA000-memory.dmp

memory/4040-44-0x00000000014B0000-0x0000000001538000-memory.dmp

memory/4040-45-0x00000000014B0000-0x000000000177F000-memory.dmp

memory/4040-46-0x0000000073F70000-0x000000007423F000-memory.dmp

memory/4040-43-0x0000000074240000-0x00000000742C8000-memory.dmp

memory/2996-47-0x0000000073C40000-0x0000000073C79000-memory.dmp

memory/2996-48-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4040-50-0x0000000074460000-0x000000007452E000-memory.dmp

memory/4040-52-0x0000000074410000-0x0000000074459000-memory.dmp

memory/4040-51-0x0000000074530000-0x00000000745F8000-memory.dmp

memory/4040-49-0x0000000000200000-0x0000000000604000-memory.dmp

memory/2996-57-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4040-58-0x0000000000200000-0x0000000000604000-memory.dmp

memory/4040-59-0x0000000000200000-0x0000000000604000-memory.dmp

memory/4040-67-0x00000000014B0000-0x0000000001538000-memory.dmp

memory/4040-68-0x00000000014B0000-0x000000000177F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/4040-78-0x0000000000200000-0x0000000000604000-memory.dmp

memory/4040-87-0x0000000000200000-0x0000000000604000-memory.dmp

memory/2996-99-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2996-100-0x00000000750D0000-0x0000000075109000-memory.dmp

memory/4040-101-0x0000000000200000-0x0000000000604000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 dfa8b5787509c317bbe7c4956ae4ee61
SHA1 ae3d0d514a34206fdb6513ee37078433d87b9ce5
SHA256 f2506aca75376ffe8cdf303113880a27a29ce70d9d22dba9f14c90adba9af6c5
SHA512 1d8f58d122b458c75cf7dc499a2f93e2dcc2b0cab2fee7a267c60eff5d9e9a6a064e9f6b1398551809e895e14238d2bf7f58988ddaa05e3d1925d3f752102413

memory/2996-110-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4040-111-0x0000000000200000-0x0000000000604000-memory.dmp

memory/4040-130-0x0000000000200000-0x0000000000604000-memory.dmp

memory/4040-157-0x0000000000200000-0x0000000000604000-memory.dmp

memory/3844-171-0x0000000074010000-0x0000000074098000-memory.dmp

memory/3844-172-0x00000000743D0000-0x000000007469F000-memory.dmp

memory/3844-170-0x00000000740A0000-0x00000000741AA000-memory.dmp

memory/3844-169-0x00000000741B0000-0x00000000741D4000-memory.dmp

memory/3844-168-0x00000000741E0000-0x0000000074229000-memory.dmp

memory/3844-167-0x0000000074230000-0x00000000742FE000-memory.dmp

memory/3844-166-0x0000000074300000-0x00000000743C8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 c4436df2f37ad19408e0e4cd6f86af40
SHA1 3b9b7ca4378c72c69f37d4b72d6dc45d97617b56
SHA256 f11cc05280c6b8c0b95e7aba74db6d9cb0df75278dca289241a4ce1bd611905c
SHA512 567cc1c085f30a08aa2c3f89b08d013fb7cceeff8c210d7aab6e785ddb0f83ef9e7c690cc49b29cb0615c26dab180999921a64876bb8ae7084a00fbb6042f05c

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 5d919374dbddc43d8727da8e296542a3
SHA1 3f72e550f2c833a9d82e3b97cdf89dbaa64158cc
SHA256 4d0edd91b5d93fcaf30883952c8ac9d0b840210e8be370e07ca07d009c3dd462
SHA512 f4e3fb5e3e6ce605bbf5703d02414bfd4b7cdfbc6e1cf05db9ce809d4134bf034d8614951e84ea6e703d0d9018de59c81990751bb4ec42ad7c6a6b7cae7fcce8

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 3b24a2bb5c55392ac76f43e45d460b98
SHA1 0e7dd30f878d580311822dbb1aef3f9c82b1eaab
SHA256 4c97a7c8488e830ffa74c0190a49f4c633113bb6fa304c6c072217699c651235
SHA512 2b0f729a4a05d8c134883dedc4d61365f90c6fdff2f9285255dacaf636f99c07af66e86e4c751a83c82dc396bc2cc485f7b7763227f0519fcb86343885b42bf6

memory/3844-194-0x0000000000200000-0x0000000000604000-memory.dmp

memory/3844-203-0x0000000074300000-0x00000000743C8000-memory.dmp

memory/3844-205-0x00000000741B0000-0x00000000741D4000-memory.dmp

memory/3844-204-0x0000000074230000-0x00000000742FE000-memory.dmp

memory/2996-206-0x0000000073BD0000-0x0000000073C09000-memory.dmp

memory/3844-207-0x00000000743D0000-0x000000007469F000-memory.dmp

memory/3844-241-0x0000000000200000-0x0000000000604000-memory.dmp

memory/4316-255-0x0000000072E40000-0x0000000072EC8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 10376ccffe2767c55b8bbbec648da33a
SHA1 e9d5861e880e194e26939c36b398a57d10bea606
SHA256 8420eff47de63af3e6736a586e1b4810b001729edd30f852fd3e8ed09ff44fbc
SHA512 1f3a58483f8774c170b783fb83fd12feba5d3033978a80bab8430229192279682e55eb8a0eabb00945e8dfa10a169aa8bcb1a2528a87404b06759619b0d1367a

memory/4316-256-0x0000000072FE0000-0x00000000732AF000-memory.dmp

memory/4316-250-0x0000000074150000-0x0000000074218000-memory.dmp

memory/4316-254-0x0000000072ED0000-0x0000000072FDA000-memory.dmp

memory/4316-253-0x0000000073F40000-0x0000000073F64000-memory.dmp

memory/4316-252-0x0000000074030000-0x0000000074079000-memory.dmp

memory/4316-251-0x0000000074080000-0x000000007414E000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 b7630e025ed89104b699ff10805b5607
SHA1 bd2d304aa3a24ad211875a9927dbde6b5b2c8f35
SHA256 88168fa40f5acff043de1c87b8ac718747277f59cf35c0ae02ff243e58484b08
SHA512 f1438e57e3eb6cee0a63a4140c4397a58dde39b04b7c1b54a5ff221329211a496947d04c1b0bf5b3df97a997b42d57281934c948660d9fcea1ebf08623b9d2fe

memory/4316-272-0x0000000000200000-0x0000000000604000-memory.dmp

memory/4316-281-0x0000000074150000-0x0000000074218000-memory.dmp

memory/4316-283-0x0000000073F40000-0x0000000073F64000-memory.dmp

memory/2996-284-0x0000000072C60000-0x0000000072C99000-memory.dmp

memory/4316-282-0x0000000074080000-0x000000007414E000-memory.dmp

memory/4316-285-0x0000000072FE0000-0x00000000732AF000-memory.dmp

memory/2996-296-0x00000000750B0000-0x00000000750E9000-memory.dmp

memory/2996-314-0x0000000073C40000-0x0000000073C79000-memory.dmp

memory/4316-325-0x0000000000200000-0x0000000000604000-memory.dmp

memory/3044-340-0x0000000072E40000-0x0000000072EC8000-memory.dmp

memory/3044-341-0x0000000072FE0000-0x00000000732AF000-memory.dmp

memory/3044-339-0x0000000072ED0000-0x0000000072FDA000-memory.dmp

memory/3044-338-0x0000000073F40000-0x0000000073F64000-memory.dmp

memory/3044-337-0x0000000074030000-0x0000000074079000-memory.dmp

memory/3044-336-0x0000000074080000-0x000000007414E000-memory.dmp

memory/3044-335-0x0000000074150000-0x0000000074218000-memory.dmp

memory/3044-334-0x0000000000200000-0x0000000000604000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 51e01a505ae87bb158b2bdb853fb3d92
SHA1 03d17b08649aa74eaa9377f99360c132272c1485
SHA256 a6f3d941c92c604eb564bd679c2a930ec7785f3577948f6554c1b94b960b5039
SHA512 e6ddbf321e2755fca0a6583c3341a3af4f6e6becd6694311c6eef4285cb34ddaa59a7adfe5abb7b2f80f4cc8064bc1a5b1520967a90a237ce3b9812e5ba60a8d

memory/3044-356-0x0000000000200000-0x0000000000604000-memory.dmp

memory/3044-367-0x0000000073F40000-0x0000000073F64000-memory.dmp

memory/3044-368-0x0000000072ED0000-0x0000000072FDA000-memory.dmp

memory/3044-366-0x0000000074080000-0x000000007414E000-memory.dmp

memory/3044-365-0x0000000074150000-0x0000000074218000-memory.dmp

memory/3044-369-0x0000000072FE0000-0x00000000732AF000-memory.dmp

memory/2996-379-0x00000000750D0000-0x0000000075109000-memory.dmp

memory/3044-390-0x0000000000200000-0x0000000000604000-memory.dmp

memory/2276-404-0x0000000072FE0000-0x00000000732AF000-memory.dmp

memory/2276-403-0x0000000073F40000-0x0000000073F64000-memory.dmp

memory/2276-402-0x0000000072E40000-0x0000000072EC8000-memory.dmp

memory/2276-401-0x0000000072ED0000-0x0000000072FDA000-memory.dmp

memory/2276-400-0x0000000074030000-0x0000000074079000-memory.dmp

memory/2276-399-0x0000000074150000-0x0000000074218000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 81eaf0e446635325ab4aa184ad725b1c
SHA1 ae78618be3b85547bb7c47cbe81334b0d6a124a2
SHA256 9923f3e80e4c00291dd0c9057ac2af9c3dc63c63a7a3af3d0986296e09b9416b
SHA512 d3fdc6879a749130a91812691e58a75536e1be44526f12f4e5f9f33361cfd5e9a9db42cc040b482697ac172253934fa1662ff416a66c74f043e27dc825bf6822

memory/3020-408-0x0000000000200000-0x0000000000604000-memory.dmp

memory/3020-414-0x0000000072ED0000-0x0000000072FDA000-memory.dmp

memory/3020-413-0x0000000073F40000-0x0000000073F64000-memory.dmp

memory/3020-412-0x0000000074030000-0x0000000074079000-memory.dmp

memory/3020-411-0x0000000074080000-0x000000007414E000-memory.dmp

memory/3020-410-0x0000000074150000-0x0000000074218000-memory.dmp

memory/3020-409-0x0000000072FE0000-0x00000000732AF000-memory.dmp

memory/3020-415-0x0000000072E40000-0x0000000072EC8000-memory.dmp

memory/3020-427-0x0000000074080000-0x000000007414E000-memory.dmp

memory/3020-426-0x0000000074150000-0x0000000074218000-memory.dmp

memory/3020-425-0x0000000072FE0000-0x00000000732AF000-memory.dmp

memory/3020-424-0x0000000000200000-0x0000000000604000-memory.dmp

memory/2276-440-0x0000000000200000-0x0000000000604000-memory.dmp

memory/2276-450-0x0000000074080000-0x000000007414E000-memory.dmp

memory/2276-449-0x0000000074150000-0x0000000074218000-memory.dmp

memory/2276-451-0x0000000072FE0000-0x00000000732AF000-memory.dmp

memory/2996-479-0x0000000073BD0000-0x0000000073C09000-memory.dmp

memory/2276-498-0x0000000000200000-0x0000000000604000-memory.dmp

memory/1624-500-0x0000000074150000-0x0000000074218000-memory.dmp

memory/1624-505-0x0000000072E40000-0x0000000072EC8000-memory.dmp

memory/1624-504-0x0000000072ED0000-0x0000000072FDA000-memory.dmp

memory/1624-503-0x0000000073F40000-0x0000000073F64000-memory.dmp

memory/1624-502-0x0000000074030000-0x0000000074079000-memory.dmp

memory/1624-501-0x0000000074080000-0x000000007414E000-memory.dmp

memory/1624-499-0x0000000072FE0000-0x00000000732AF000-memory.dmp

memory/1624-526-0x0000000000200000-0x0000000000604000-memory.dmp

memory/1624-527-0x0000000072FE0000-0x00000000732AF000-memory.dmp