Malware Analysis Report

2024-10-18 21:10

Sample ID 240407-jrvf8agd3w
Target 6ec74da2134bd56250ca32be04b9b697
SHA256 1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386
Tags
bitrat persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386

Threat Level: Known bad

The file 6ec74da2134bd56250ca32be04b9b697 was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

BitRAT

Bitrat family

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 07:54

Signatures

Bitrat family

bitrat

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 07:54

Reported

2024-04-07 08:15

Platform

win7-20240221-en

Max time kernel

597s

Max time network

603s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\java_update = "C:\\Users\\Admin\\AppData\\Local\\Java_update\\java_update.exe" C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe C:\Users\Admin\AppData\Local\Temp\ttttt.exe
PID 2500 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2500 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe

"C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"

C:\Users\Admin\AppData\Local\Temp\ttttt.exe

"C:\Users\Admin\AppData\Local\Temp\ttttt.exe"

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc

Network

Files

C:\Users\Admin\AppData\Local\Temp\ttttt.exe

\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

C:\Users\Admin\AppData\Local\a0d62031\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\a0d62031\tor\libssp-0.dll

\Users\Admin\AppData\Local\a0d62031\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\a0d62031\tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\a0d62031\tor\libssl-1_1.dll

\Users\Admin\AppData\Local\a0d62031\tor\zlib1.dll

\Users\Admin\AppData\Local\a0d62031\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\a0d62031\tor\torrc

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-certs

C:\Users\Admin\AppData\Local\a0d62031\tor\data\state

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdescs.new
