Malware Analysis Report

2024-10-18 21:10

Sample ID 240407-kxh6tahg75
Target 6ec74da2134bd56250ca32be04b9b697
SHA256 1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386
Tags
bitrat persistence trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6ec74da2134bd56250ca32be04b9b697 was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

BitRAT

Bitrat family

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-04-07 08:58

Signatures

Bitrat family

bitrat

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 08:58

Reported

2024-04-08 09:46

Platform

win7-20240220-en

Max time kernel

596s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\java_update = "C:\\Users\\Admin\\AppData\\Local\\Java_update\\java_update.exe" C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe C:\Users\Admin\AppData\Local\Temp\ttttt.exe
PID 2560 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe
PID 2560 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\ttttt.exe C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe

"C:\Users\Admin\AppData\Local\Temp\6ec74da2134bd56250ca32be04b9b697.exe"

C:\Users\Admin\AppData\Local\Temp\ttttt.exe

"C:\Users\Admin\AppData\Local\Temp\ttttt.exe"

C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

"C:\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe" -f torrc

Network

Files

C:\Users\Admin\AppData\Local\Temp\ttttt.exe

\Users\Admin\AppData\Local\a0d62031\tor\adobe.exe

C:\Users\Admin\AppData\Local\a0d62031\tor\libcrypto-1_1.dll

\Users\Admin\AppData\Local\a0d62031\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\a0d62031\tor\libwinpthread-1.dll

\Users\Admin\AppData\Local\a0d62031\tor\libgcc_s_sjlj-1.dll

\Users\Admin\AppData\Local\a0d62031\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\a0d62031\tor\zlib1.dll

\Users\Admin\AppData\Local\a0d62031\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\a0d62031\tor\torrc

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\a0d62031\tor\data\cached-certs

C:\Users\Admin\AppData\Local\a0d62031\tor\data\state
