Analysis Overview
SHA256
a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Threat Level: Known bad
The file a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449 was found to be: Known bad.
Malicious Activity Summary
BitRAT
Bitrat family
UPX packed file
Unexpected DNS network traffic destination
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-07 12:28
Signatures
Bitrat family
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:48
Platform
win7-20240215-en
Max time kernel
1200s
Max time network
1194s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob omitted] | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
Files
\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
C:\Users\Admin\AppData\Local\Temp\CabACB6.tmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:48
Platform
win10-20240404-en
Max time kernel
1196s
Max time network
1201s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 87.236.195.203 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1瀀" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1䤀" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1切" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1ऀ" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1먀" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
Files
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:48
Platform
win10v2004-20240419-en
Max time kernel
1199s
Max time network
1203s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1먀" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
Files
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:48
Platform
win11-20240426-en
Max time kernel
1199s
Max time network
1201s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
Files
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:48
Platform
win7-20240419-en
Max time kernel
1200s
Max time network
1203s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
Files