bitrat | 2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c

max time kernel
1194s
max time network
1200s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Size

7.6MB
MD5

9b035bad2b8a21fb2c57fd784c89b8d5
SHA1

ee15fad65f3f22df7f54e218176c45d369ebb70f
SHA256

2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c
SHA512

96c0189aba67db2f1c38affa5ac44665566ea17e20e5f749aef771739c81beb96bbcac8ea35aad80cffc9d492e23fcbaefbf03f72011d9bd1ccac36182466dde
SSDEEP

196608:imEljesxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQUDxtw3iFFrS6XOfTV73cP:balxwZ6v1CPwDv3uFteg2EeJUO9WLjD/

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.32

7ix5nfolcp4ta4mk2dtihev73rw7d2edpbd5tp7sf7zgmpv66fpxnwqd.onion:80

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
dllhost

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/5000-0-0x0000000000400000-0x0000000000BAA000-memory.dmp	family_bitrat
behavioral3/memory/5000-58-0x0000000000400000-0x0000000000BAA000-memory.dmp	family_bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssl-1_1.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Executes dropped EXE 45 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
5072	dllhost.exe
1536	dllhost.exe
2928	dllhost.exe
3464	dllhost.exe
216	dllhost.exe
4384	dllhost.exe
3760	dllhost.exe
4312	dllhost.exe
2592	dllhost.exe
1424	dllhost.exe
4264	dllhost.exe
2248	dllhost.exe
2160	dllhost.exe
3180	dllhost.exe
4228	dllhost.exe
2848	dllhost.exe
3484	dllhost.exe
4408	dllhost.exe
4776	dllhost.exe
2920	dllhost.exe
3012	dllhost.exe
4244	dllhost.exe
4040	dllhost.exe
1652	dllhost.exe
1400	dllhost.exe
3056	dllhost.exe
4816	dllhost.exe
4820	dllhost.exe
2760	dllhost.exe
4156	dllhost.exe
2824	dllhost.exe
2276	dllhost.exe
972	dllhost.exe
3548	dllhost.exe
916	dllhost.exe
3164	dllhost.exe
1300	dllhost.exe
3516	dllhost.exe
2300	dllhost.exe
624	dllhost.exe
4092	dllhost.exe
2368	dllhost.exe
3412	dllhost.exe
4476	dllhost.exe
2712	dllhost.exe

Loads dropped DLL 64 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
5072	dllhost.exe
5072	dllhost.exe
5072	dllhost.exe
5072	dllhost.exe
5072	dllhost.exe
5072	dllhost.exe
5072	dllhost.exe
5072	dllhost.exe
5072	dllhost.exe
5072	dllhost.exe
1536	dllhost.exe
1536	dllhost.exe
1536	dllhost.exe
1536	dllhost.exe
1536	dllhost.exe
1536	dllhost.exe
1536	dllhost.exe
2928	dllhost.exe
2928	dllhost.exe
2928	dllhost.exe
2928	dllhost.exe
2928	dllhost.exe
2928	dllhost.exe
2928	dllhost.exe
3464	dllhost.exe
3464	dllhost.exe
3464	dllhost.exe
3464	dllhost.exe
3464	dllhost.exe
3464	dllhost.exe
3464	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
3760	dllhost.exe
3760	dllhost.exe
3760	dllhost.exe
3760	dllhost.exe
3760	dllhost.exe
3760	dllhost.exe
3760	dllhost.exe
4312	dllhost.exe
4312	dllhost.exe
4312	dllhost.exe
4312	dllhost.exe
4312	dllhost.exe
4312	dllhost.exe
4312	dllhost.exe
2592	dllhost.exe
2592	dllhost.exe
2592	dllhost.exe
2592	dllhost.exe
2592	dllhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libevent-2-1-6.dll	upx
behavioral3/memory/5072-27-0x0000000074470000-0x000000007453E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssl-1_1.dll	upx
behavioral3/memory/5072-43-0x0000000074180000-0x0000000074208000-memory.dmp	upx
behavioral3/memory/5072-42-0x0000000074320000-0x0000000074369000-memory.dmp	upx
behavioral3/memory/5072-41-0x0000000074210000-0x000000007431A000-memory.dmp	upx
behavioral3/memory/5072-21-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/5072-45-0x0000000073EB0000-0x000000007417F000-memory.dmp	upx
behavioral3/memory/5072-48-0x0000000074370000-0x0000000074394000-memory.dmp	upx
behavioral3/memory/5072-47-0x00000000743A0000-0x0000000074468000-memory.dmp	upx
behavioral3/memory/5072-50-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/5072-52-0x0000000074470000-0x000000007453E000-memory.dmp	upx
behavioral3/memory/5072-59-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/5072-60-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/5072-96-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/5072-104-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/5072-122-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/5072-133-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/5072-141-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/5072-149-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/1536-165-0x0000000073EB0000-0x000000007417F000-memory.dmp	upx
behavioral3/memory/1536-162-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/1536-167-0x00000000743A0000-0x0000000074468000-memory.dmp	upx
behavioral3/memory/1536-170-0x0000000074470000-0x000000007453E000-memory.dmp	upx
behavioral3/memory/1536-175-0x0000000074370000-0x0000000074394000-memory.dmp	upx
behavioral3/memory/1536-172-0x0000000074320000-0x0000000074369000-memory.dmp	upx
behavioral3/memory/1536-177-0x0000000074210000-0x000000007431A000-memory.dmp	upx
behavioral3/memory/1536-180-0x0000000074180000-0x0000000074208000-memory.dmp	upx
behavioral3/memory/1536-183-0x0000000074470000-0x000000007453E000-memory.dmp	upx
behavioral3/memory/1536-184-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/1536-185-0x0000000073EB0000-0x000000007417F000-memory.dmp	upx
behavioral3/memory/1536-186-0x00000000743A0000-0x0000000074468000-memory.dmp	upx
behavioral3/memory/2928-198-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/2928-199-0x0000000074270000-0x000000007453F000-memory.dmp	upx
behavioral3/memory/2928-205-0x0000000074150000-0x0000000074199000-memory.dmp	upx
behavioral3/memory/2928-201-0x00000000741A0000-0x0000000074268000-memory.dmp	upx
behavioral3/memory/2928-207-0x0000000074010000-0x000000007411A000-memory.dmp	upx
behavioral3/memory/2928-206-0x0000000074120000-0x0000000074144000-memory.dmp	upx
behavioral3/memory/2928-208-0x0000000073F80000-0x0000000074008000-memory.dmp	upx
behavioral3/memory/2928-210-0x0000000073EB0000-0x0000000073F7E000-memory.dmp	upx
behavioral3/memory/2928-233-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/2928-234-0x0000000074270000-0x000000007453F000-memory.dmp	upx
behavioral3/memory/2928-235-0x00000000741A0000-0x0000000074268000-memory.dmp	upx
behavioral3/memory/3464-280-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/3464-282-0x0000000074270000-0x000000007453F000-memory.dmp	upx
behavioral3/memory/3464-285-0x00000000741A0000-0x0000000074268000-memory.dmp	upx
behavioral3/memory/2928-287-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/3464-286-0x0000000073EB0000-0x0000000073F7E000-memory.dmp	upx
behavioral3/memory/3464-289-0x0000000074150000-0x0000000074199000-memory.dmp	upx
behavioral3/memory/3464-290-0x0000000074120000-0x0000000074144000-memory.dmp	upx
behavioral3/memory/3464-292-0x0000000074010000-0x000000007411A000-memory.dmp	upx
behavioral3/memory/3464-294-0x0000000073F80000-0x0000000074008000-memory.dmp	upx
behavioral3/memory/3464-302-0x0000000073EB0000-0x0000000073F7E000-memory.dmp	upx
behavioral3/memory/3464-301-0x00000000741A0000-0x0000000074268000-memory.dmp	upx
behavioral3/memory/3464-303-0x0000000074150000-0x0000000074199000-memory.dmp	upx
behavioral3/memory/3464-304-0x0000000000590000-0x0000000000994000-memory.dmp	upx
behavioral3/memory/3464-305-0x0000000074270000-0x000000007453F000-memory.dmp	upx
behavioral3/memory/216-317-0x0000000000590000-0x0000000000994000-memory.dmp	upx

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
124	myexternalip.com
232	myexternalip.com
54	myexternalip.com
99	myexternalip.com
138	myexternalip.com
149	myexternalip.com
180	myexternalip.com
187	myexternalip.com
53	myexternalip.com
219	myexternalip.com
66	myexternalip.com
92	myexternalip.com
158	myexternalip.com
213	myexternalip.com
239	myexternalip.com
86	myexternalip.com
110	myexternalip.com
130	myexternalip.com
201	myexternalip.com
225	myexternalip.com
172	myexternalip.com
194	myexternalip.com
117	myexternalip.com
166	myexternalip.com
247	myexternalip.com
254	myexternalip.com

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious use of NtSetInformationThreadHideFromDebugger 54 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

pid	process
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

pid process

5000 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Token: SeShutdownPrivilege	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

pid process

5000 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
5000 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description	pid	process	target process
PID 5000 wrote to memory of 5072	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 5072	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 5072	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 1536	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 1536	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 1536	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2928	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2928	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2928	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3464	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3464	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3464	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 216	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 216	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 216	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4384	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4384	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4384	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3760	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3760	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3760	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4312	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4312	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4312	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2592	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2592	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2592	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 1424	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 1424	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 1424	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4264	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4264	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4264	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2248	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2248	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2248	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2160	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2160	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2160	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3180	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3180	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3180	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4228	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4228	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4228	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2848	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2848	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2848	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3484	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3484	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3484	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4408	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4408	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4408	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4776	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4776	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4776	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2920	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2920	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 2920	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3012	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3012	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 3012	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 5000 wrote to memory of 4244	5000	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5072

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3464

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:216

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4384

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3760

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4312

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1424

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4264

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2160

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3180

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4228

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2848

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3484

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4408

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4776

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2920

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3012

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4244

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4040

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1400

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4816

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2760

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4156

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2824

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3548

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:916

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1300

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3516

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4092

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2368

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3412

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Proxy

T1090

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-certs
Filesize
15KB

MD5
d4120b009d4d64f9793a464a9352bbe5

SHA1
a9ab3d650ac3effb115fc1c8352fa6b252567ff7

SHA256
3deea267fc8a14c8eeb6985083bc53011f443519ab241945c46738185c2b24a0

SHA512
82d23c0c5de691d1a6fd23c245086d31411451ce31c311d1d6f6f4ca55ba8325674c178d1c6e026e00bbb429a93bb0cab883eed2e0617f91ad6ff7f1b452465f

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
fc3cdf12d74519dbccc3ae86a7606462

SHA1
d7d97bfa3973e176ef10b2390c4e199d1f654f54

SHA256
d8f554fcc8c53f1040c8ca606fd59b0b00ecdc7b4f448be0890723b93c3cd5fa

SHA512
89c78c310f2aa3626381e01bf4c865efc83aec3831faee42e8c8c0cd8d4c19c2eacf7cdf0fc10e18f4ebf92aae5f59f00ba6b1e6774bcda3dceb4c552368f3af

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdescs.new
Filesize
20.4MB

MD5
0deb9b4ac0701b37c18c2a4cef97055b

SHA1
38cda7d6334c0a8ce060784dee09437f98d035e5

SHA256
1649372bb3ffbb0ab06092a0bf4f10e801e822e82e972b16dfa54299f3a86a95

SHA512
19039ae2accc7f9f1bc261ea4429b8b430dde21f1f00df84d04fdef83f3b7240a3b8bd1ab92029cdb1c18a393caac53a03c9331b2d61a910581e82595782ff46

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdescs.new
Filesize
7.3MB

MD5
6f8ad63fa0fb8d0ad4d882ae4b9213c9

SHA1
751bb90aff1ec4bfc0d9f5c2717f3cdbb7953223

SHA256
111a542a094b50d0973f6ba8d43160210da8319aafc14b78cbf865df3cdeb150

SHA512
b36024b1ef855a9660794c8f69342c5483530f798c0b78ba1e874a23db83e97ee928f067a1e6f6f617234203dff83bc29aaebed9db5834aed806ef6944b8e3c7

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\state
Filesize
9KB

MD5
62389ee560417603767a7b4cb771a44d

SHA1
ee78b513a8e9f46d01b5d2d2756772f1feef3282

SHA256
fffeb3995b7ab1bc74ba45c9000db7d3d0617f639be4b519007629318033d83b

SHA512
a34a7d0db4d406a13cf2ca72b500a1d22c4c7f656558c9443ae56740daa79b37f2f860f00883f0623b24e8d9bd654e17656590b0d7a0c34ba7db6d1fbec6f689

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\state
Filesize
8KB

MD5
91dc6b78cb220e8e31245acffd9061fe

SHA1
f2ec7dc9fd79a49de1a4ed9a935a58617212be72

SHA256
b332ff687ebbb080e6c0ea013051c5d06c69398b223dfd929e0dd54ce28ba64d

SHA512
6f16072c8551a7999aa3d23dd10c549228bd75a6d5ecef8c385ea92b03ccbfb6691529b05d45885f96399896a2a4de393ed104a8995bcb897667c3371492b979

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\torrc
Filesize
139B

MD5
dbd537e3da06f7d7aeaf58f4decc0c94

SHA1
7e740ea6dcf8545710f99519014e9bb029028a84

SHA256
349b36a467d778e29b96528cdd25d6c34a54be659a9ef516b3833106ceb679b2

SHA512
a84633c420c825b15ef2fc5cf83a6d75fcdddbb06d3b7dc74537d5bc98b5d910d3dec4838f30be3a06373662d2946f156f36bd2e033e0b6089753006ac327a90

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/216-325-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

Filesize
824KB

Download
memory/216-323-0x0000000074010000-0x000000007411A000-memory.dmp

Filesize
1.0MB

Download
memory/216-318-0x00000000741A0000-0x0000000074268000-memory.dmp

Filesize
800KB

Download
memory/216-317-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/216-324-0x0000000073F80000-0x0000000074008000-memory.dmp

Filesize
544KB

Download
memory/216-326-0x0000000074270000-0x000000007453F000-memory.dmp

Filesize
2.8MB

Download
memory/216-320-0x0000000074120000-0x0000000074144000-memory.dmp

Filesize
144KB

Download
memory/216-319-0x0000000074150000-0x0000000074199000-memory.dmp

Filesize
292KB

Download
memory/1536-172-0x0000000074320000-0x0000000074369000-memory.dmp

Filesize
292KB

Download
memory/1536-165-0x0000000073EB0000-0x000000007417F000-memory.dmp

Filesize
2.8MB

Download
memory/1536-183-0x0000000074470000-0x000000007453E000-memory.dmp

Filesize
824KB

Download
memory/1536-177-0x0000000074210000-0x000000007431A000-memory.dmp

Filesize
1.0MB

Download
memory/1536-175-0x0000000074370000-0x0000000074394000-memory.dmp

Filesize
144KB

Download
memory/1536-170-0x0000000074470000-0x000000007453E000-memory.dmp

Filesize
824KB

Download
memory/1536-180-0x0000000074180000-0x0000000074208000-memory.dmp

Filesize
544KB

Download
memory/1536-167-0x00000000743A0000-0x0000000074468000-memory.dmp

Filesize
800KB

Download
memory/1536-162-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/1536-184-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/1536-185-0x0000000073EB0000-0x000000007417F000-memory.dmp

Filesize
2.8MB

Download
memory/1536-186-0x00000000743A0000-0x0000000074468000-memory.dmp

Filesize
800KB

Download
memory/2928-198-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/2928-199-0x0000000074270000-0x000000007453F000-memory.dmp

Filesize
2.8MB

Download
memory/2928-235-0x00000000741A0000-0x0000000074268000-memory.dmp

Filesize
800KB

Download
memory/2928-205-0x0000000074150000-0x0000000074199000-memory.dmp

Filesize
292KB

Download
memory/2928-210-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

Filesize
824KB

Download
memory/2928-234-0x0000000074270000-0x000000007453F000-memory.dmp

Filesize
2.8MB

Download
memory/2928-233-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/2928-201-0x00000000741A0000-0x0000000074268000-memory.dmp

Filesize
800KB

Download
memory/2928-207-0x0000000074010000-0x000000007411A000-memory.dmp

Filesize
1.0MB

Download
memory/2928-287-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/2928-206-0x0000000074120000-0x0000000074144000-memory.dmp

Filesize
144KB

Download
memory/2928-208-0x0000000073F80000-0x0000000074008000-memory.dmp

Filesize
544KB

Download
memory/3464-282-0x0000000074270000-0x000000007453F000-memory.dmp

Filesize
2.8MB

Download
memory/3464-289-0x0000000074150000-0x0000000074199000-memory.dmp

Filesize
292KB

Download
memory/3464-285-0x00000000741A0000-0x0000000074268000-memory.dmp

Filesize
800KB

Download
memory/3464-305-0x0000000074270000-0x000000007453F000-memory.dmp

Filesize
2.8MB

Download
memory/3464-304-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/3464-286-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

Filesize
824KB

Download
memory/3464-303-0x0000000074150000-0x0000000074199000-memory.dmp

Filesize
292KB

Download
memory/3464-301-0x00000000741A0000-0x0000000074268000-memory.dmp

Filesize
800KB

Download
memory/3464-302-0x0000000073EB0000-0x0000000073F7E000-memory.dmp

Filesize
824KB

Download
memory/3464-294-0x0000000073F80000-0x0000000074008000-memory.dmp

Filesize
544KB

Download
memory/3464-292-0x0000000074010000-0x000000007411A000-memory.dmp

Filesize
1.0MB

Download
memory/3464-290-0x0000000074120000-0x0000000074144000-memory.dmp

Filesize
144KB

Download
memory/3464-280-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5000-58-0x0000000000400000-0x0000000000BAA000-memory.dmp

Filesize
7.7MB

Download
memory/5000-121-0x0000000074620000-0x0000000074659000-memory.dmp

Filesize
228KB

Download
memory/5000-49-0x0000000073AA0000-0x0000000073AD9000-memory.dmp

Filesize
228KB

Download
memory/5000-1-0x0000000074FF0000-0x0000000075029000-memory.dmp

Filesize
228KB

Download
memory/5000-0-0x0000000000400000-0x0000000000BAA000-memory.dmp

Filesize
7.7MB

Download
memory/5072-59-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5072-104-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5072-47-0x00000000743A0000-0x0000000074468000-memory.dmp

Filesize
800KB

Download
memory/5072-46-0x0000000001D40000-0x000000000200F000-memory.dmp

Filesize
2.8MB

Download
memory/5072-50-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5072-52-0x0000000074470000-0x000000007453E000-memory.dmp

Filesize
824KB

Download
memory/5072-149-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5072-60-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5072-68-0x0000000001D40000-0x0000000001D89000-memory.dmp

Filesize
292KB

Download
memory/5072-69-0x0000000001D40000-0x000000000200F000-memory.dmp

Filesize
2.8MB

Download
memory/5072-96-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5072-48-0x0000000074370000-0x0000000074394000-memory.dmp

Filesize
144KB

Download
memory/5072-122-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5072-133-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5072-45-0x0000000073EB0000-0x000000007417F000-memory.dmp

Filesize
2.8MB

Download
memory/5072-21-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download
memory/5072-41-0x0000000074210000-0x000000007431A000-memory.dmp

Filesize
1.0MB

Download
memory/5072-44-0x0000000001D40000-0x0000000001DC8000-memory.dmp

Filesize
544KB

Download
memory/5072-42-0x0000000074320000-0x0000000074369000-memory.dmp

Filesize
292KB

Download
memory/5072-43-0x0000000074180000-0x0000000074208000-memory.dmp

Filesize
544KB

Download
memory/5072-37-0x0000000001D40000-0x0000000001D89000-memory.dmp

Filesize
292KB

Download
memory/5072-27-0x0000000074470000-0x000000007453E000-memory.dmp

Filesize
824KB

Download
memory/5072-141-0x0000000000590000-0x0000000000994000-memory.dmp

Filesize
4.0MB

Download