bitrat | 8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

Resubmissions

17-04-2024 14:54

240417-r96wzada86 10

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

15-04-2024 13:19

10-04-2024 12:02

10-04-2024 12:02

Analysis

max time kernel
1808s
max time network
1817s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-04-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75bff99becc32bcbe56efbe7a75f4d45.exe
Size

7.0MB
MD5

75bff99becc32bcbe56efbe7a75f4d45
SHA1

81bfcc77809161a5254a27d3d4d30548c96fcd5b
SHA256

8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2
SHA512

940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69
SSDEEP

49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

Score

10^/10

bitrat zgrat persistence rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion:80

Attributes

communication_password
d93b4f1ee6f5b875a4f7fcef966bd09a
tor_process
WinSock

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral4/memory/1060-8-0x00000000055E0000-0x0000000005662000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-10-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-9-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-13-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-15-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-17-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-19-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-21-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-23-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-25-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-27-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-29-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-31-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-33-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-35-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-37-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-39-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-41-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-43-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-45-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-47-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-49-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-51-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-53-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-55-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-57-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-59-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-61-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-63-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-65-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-67-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-69-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-71-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1
behavioral4/memory/1060-73-0x00000000055E0000-0x000000000565C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\","	75bff99becc32bcbe56efbe7a75f4d45.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral4/files/0x000300000000069f-2461.dat	acprotect
behavioral4/files/0x000400000000e6c6-2462.dat	acprotect
behavioral4/files/0x000400000000eda2-2463.dat	acprotect
behavioral4/files/0x000400000000ea36-2469.dat	acprotect
behavioral4/files/0x000400000000ef79-2475.dat	acprotect
behavioral4/files/0x0004000000024f7a-2468.dat	acprotect
behavioral4/files/0x000400000000f375-2474.dat	acprotect

Executes dropped EXE 54 IoCs

pid	Process
3744	WinSock.exe
1916	WinSock.exe
2296	WinSock.exe
2856	WinSock.exe
4440	WinSock.exe
1084	WinSock.exe
3984	WinSock.exe
2184	WinSock.exe
4008	WinSock.exe
3676	WinSock.exe
4392	WinSock.exe
2324	WinSock.exe
2640	WinSock.exe
4872	WinSock.exe
3568	WinSock.exe
3256	WinSock.exe
1620	WinSock.exe
4892	WinSock.exe
3008	WinSock.exe
4680	WinSock.exe
1536	WinSock.exe
2172	WinSock.exe
2180	WinSock.exe
4580	WinSock.exe
432	WinSock.exe
4028	WinSock.exe
796	WinSock.exe
1708	WinSock.exe
2920	WinSock.exe
508	WinSock.exe
2308	WinSock.exe
3144	WinSock.exe
1844	WinSock.exe
3568	WinSock.exe
4796	WinSock.exe
2056	WinSock.exe
416	WinSock.exe
2452	WinSock.exe
4684	WinSock.exe
876	WinSock.exe
3308	WinSock.exe
4992	WinSock.exe
4652	WinSock.exe
1164	WinSock.exe
4468	WinSock.exe
232	WinSock.exe
2280	WinSock.exe
2288	WinSock.exe
2184	WinSock.exe
2132	WinSock.exe
2856	WinSock.exe
2664	WinSock.exe
1084	WinSock.exe
4048	WinSock.exe

Loads dropped DLL 64 IoCs

pid	Process
3744	WinSock.exe
3744	WinSock.exe
3744	WinSock.exe
3744	WinSock.exe
3744	WinSock.exe
3744	WinSock.exe
3744	WinSock.exe
3744	WinSock.exe
3744	WinSock.exe
3744	WinSock.exe
1916	WinSock.exe
1916	WinSock.exe
1916	WinSock.exe
1916	WinSock.exe
1916	WinSock.exe
1916	WinSock.exe
1916	WinSock.exe
2296	WinSock.exe
2296	WinSock.exe
2296	WinSock.exe
2296	WinSock.exe
2296	WinSock.exe
2296	WinSock.exe
2296	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
2856	WinSock.exe
4440	WinSock.exe
4440	WinSock.exe
4440	WinSock.exe
4440	WinSock.exe
4440	WinSock.exe
4440	WinSock.exe
4440	WinSock.exe
1084	WinSock.exe
1084	WinSock.exe
1084	WinSock.exe
1084	WinSock.exe
1084	WinSock.exe
1084	WinSock.exe
1084	WinSock.exe
3984	WinSock.exe
3984	WinSock.exe
3984	WinSock.exe
3984	WinSock.exe
3984	WinSock.exe
3984	WinSock.exe
3984	WinSock.exe
2184	WinSock.exe
2184	WinSock.exe
2184	WinSock.exe
2184	WinSock.exe
2184	WinSock.exe
2184	WinSock.exe
2184	WinSock.exe
4008	WinSock.exe
4008	WinSock.exe
4008	WinSock.exe
4008	WinSock.exe
4008	WinSock.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000400000000f3e1-2457.dat	upx
behavioral4/files/0x000300000000069f-2461.dat	upx
behavioral4/files/0x000400000000e6c6-2462.dat	upx
behavioral4/files/0x000400000000eda2-2463.dat	upx
behavioral4/memory/3744-2470-0x00000000739C0000-0x00000000739E4000-memory.dmp	upx
behavioral4/files/0x000400000000ea36-2469.dat	upx
behavioral4/files/0x000400000000ef79-2475.dat	upx
behavioral4/memory/3744-2472-0x00000000739F0000-0x0000000073AB8000-memory.dmp	upx
behavioral4/files/0x0004000000024f7a-2468.dat	upx
behavioral4/memory/3744-2465-0x00000000000C0000-0x00000000004C4000-memory.dmp	upx
behavioral4/files/0x000400000000f375-2474.dat	upx
behavioral4/memory/3744-2481-0x00000000738F0000-0x00000000739BE000-memory.dmp	upx
behavioral4/memory/3744-2482-0x00000000012F0000-0x0000000001339000-memory.dmp	upx
behavioral4/memory/3744-2484-0x0000000073700000-0x0000000073788000-memory.dmp	upx
behavioral4/memory/3744-2483-0x0000000073790000-0x000000007389A000-memory.dmp	upx
behavioral4/memory/3744-2490-0x0000000073430000-0x00000000736FF000-memory.dmp	upx
behavioral4/memory/3744-2491-0x00000000738A0000-0x00000000738E9000-memory.dmp	upx
behavioral4/memory/3744-2508-0x00000000000C0000-0x00000000004C4000-memory.dmp	upx
behavioral4/memory/3744-2509-0x00000000739C0000-0x00000000739E4000-memory.dmp	upx
behavioral4/memory/3744-2518-0x00000000739F0000-0x0000000073AB8000-memory.dmp	upx
behavioral4/memory/3744-2519-0x00000000738F0000-0x00000000739BE000-memory.dmp	upx
behavioral4/memory/3744-2605-0x00000000000C0000-0x00000000004C4000-memory.dmp	upx
behavioral4/memory/1916-2606-0x00000000739F0000-0x0000000073AB8000-memory.dmp	upx
behavioral4/memory/1916-2604-0x00000000000C0000-0x00000000004C4000-memory.dmp	upx
behavioral4/memory/1916-2607-0x00000000738F0000-0x00000000739BE000-memory.dmp	upx
behavioral4/memory/1916-2608-0x00000000738A0000-0x00000000738E9000-memory.dmp	upx
behavioral4/memory/1916-2614-0x0000000073790000-0x000000007389A000-memory.dmp	upx
behavioral4/memory/1916-2609-0x00000000739C0000-0x00000000739E4000-memory.dmp	upx
behavioral4/memory/1916-2615-0x0000000073700000-0x0000000073788000-memory.dmp	upx
behavioral4/memory/1916-2616-0x0000000073430000-0x00000000736FF000-memory.dmp	upx
behavioral4/memory/1916-2640-0x00000000000C0000-0x00000000004C4000-memory.dmp	upx
behavioral4/memory/1916-2641-0x00000000739F0000-0x0000000073AB8000-memory.dmp	upx
behavioral4/memory/1916-2642-0x00000000738F0000-0x00000000739BE000-memory.dmp	upx
behavioral4/memory/2296-2672-0x00000000000C0000-0x00000000004C4000-memory.dmp	upx
behavioral4/memory/2296-2673-0x00000000739F0000-0x0000000073AB8000-memory.dmp	upx
behavioral4/memory/2296-2674-0x00000000738F0000-0x00000000739BE000-memory.dmp	upx
behavioral4/memory/2296-2677-0x00000000738A0000-0x00000000738E9000-memory.dmp	upx
behavioral4/memory/2296-2678-0x00000000739C0000-0x00000000739E4000-memory.dmp	upx
behavioral4/memory/2296-2680-0x0000000073790000-0x000000007389A000-memory.dmp	upx
behavioral4/memory/2296-2682-0x0000000073700000-0x0000000073788000-memory.dmp	upx
behavioral4/memory/2296-2684-0x0000000073430000-0x00000000736FF000-memory.dmp	upx
behavioral4/memory/2296-2689-0x00000000739F0000-0x0000000073AB8000-memory.dmp	upx
behavioral4/memory/2296-2690-0x00000000738F0000-0x00000000739BE000-memory.dmp	upx
behavioral4/memory/2296-2691-0x00000000000C0000-0x00000000004C4000-memory.dmp	upx
behavioral4/memory/2856-2756-0x0000000073430000-0x00000000736FF000-memory.dmp	upx
behavioral4/memory/2856-2758-0x00000000739F0000-0x0000000073AB8000-memory.dmp	upx
behavioral4/memory/2856-2760-0x00000000738F0000-0x00000000739BE000-memory.dmp	upx
behavioral4/memory/2856-2761-0x00000000738A0000-0x00000000738E9000-memory.dmp	upx
behavioral4/memory/2856-2762-0x00000000739C0000-0x00000000739E4000-memory.dmp	upx
behavioral4/memory/2856-2763-0x0000000073790000-0x000000007389A000-memory.dmp	upx
behavioral4/memory/1916-2759-0x00000000000C0000-0x00000000004C4000-memory.dmp	upx

Looks up external IP address via web service 31 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
86	myexternalip.com
256	myexternalip.com
263	myexternalip.com
193	myexternalip.com
205	myexternalip.com
237	myexternalip.com
278	myexternalip.com
73	myexternalip.com
93	myexternalip.com
118	myexternalip.com
223	myexternalip.com
15	myexternalip.com
149	myexternalip.com
169	myexternalip.com
243	myexternalip.com
249	myexternalip.com
284	myexternalip.com
80	myexternalip.com
130	myexternalip.com
156	myexternalip.com
46	myexternalip.com
106	myexternalip.com
163	myexternalip.com
175	myexternalip.com
230	myexternalip.com
53	myexternalip.com
199	myexternalip.com
216	myexternalip.com
124	myexternalip.com
138	myexternalip.com
181	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1060 set thread context of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1060	75bff99becc32bcbe56efbe7a75f4d45.exe
1060	75bff99becc32bcbe56efbe7a75f4d45.exe
1060	75bff99becc32bcbe56efbe7a75f4d45.exe
1060	75bff99becc32bcbe56efbe7a75f4d45.exe
1060	75bff99becc32bcbe56efbe7a75f4d45.exe
1060	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3200	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	75bff99becc32bcbe56efbe7a75f4d45.exe
Token: SeShutdownPrivilege	3200	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3200	75bff99becc32bcbe56efbe7a75f4d45.exe
3200	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2804	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	86
PID 1060 wrote to memory of 2804	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	86
PID 1060 wrote to memory of 2804	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	86
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 1060 wrote to memory of 3200	1060	75bff99becc32bcbe56efbe7a75f4d45.exe	87
PID 3200 wrote to memory of 3744	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	88
PID 3200 wrote to memory of 3744	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	88
PID 3200 wrote to memory of 3744	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	88
PID 3200 wrote to memory of 1916	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	90
PID 3200 wrote to memory of 1916	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	90
PID 3200 wrote to memory of 1916	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	90
PID 3200 wrote to memory of 2296	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	91
PID 3200 wrote to memory of 2296	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	91
PID 3200 wrote to memory of 2296	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	91
PID 3200 wrote to memory of 2856	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	92
PID 3200 wrote to memory of 2856	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	92
PID 3200 wrote to memory of 2856	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	92
PID 3200 wrote to memory of 4440	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	93
PID 3200 wrote to memory of 4440	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	93
PID 3200 wrote to memory of 4440	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	93
PID 3200 wrote to memory of 1084	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	94
PID 3200 wrote to memory of 1084	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	94
PID 3200 wrote to memory of 1084	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	94
PID 3200 wrote to memory of 3984	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	95
PID 3200 wrote to memory of 3984	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	95
PID 3200 wrote to memory of 3984	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	95
PID 3200 wrote to memory of 2184	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 3200 wrote to memory of 2184	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 3200 wrote to memory of 2184	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	96
PID 3200 wrote to memory of 4008	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	97
PID 3200 wrote to memory of 4008	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	97
PID 3200 wrote to memory of 4008	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	97
PID 3200 wrote to memory of 3676	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	98
PID 3200 wrote to memory of 3676	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	98
PID 3200 wrote to memory of 3676	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	98
PID 3200 wrote to memory of 4392	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	99
PID 3200 wrote to memory of 4392	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	99
PID 3200 wrote to memory of 4392	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	99
PID 3200 wrote to memory of 2324	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	100
PID 3200 wrote to memory of 2324	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	100
PID 3200 wrote to memory of 2324	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	100
PID 3200 wrote to memory of 2640	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	101
PID 3200 wrote to memory of 2640	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	101
PID 3200 wrote to memory of 2640	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	101
PID 3200 wrote to memory of 4872	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 3200 wrote to memory of 4872	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 3200 wrote to memory of 4872	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	102
PID 3200 wrote to memory of 3568	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	103
PID 3200 wrote to memory of 3568	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	103
PID 3200 wrote to memory of 3568	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	103
PID 3200 wrote to memory of 3256	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	104
PID 3200 wrote to memory of 3256	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	104
PID 3200 wrote to memory of 3256	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	104
PID 3200 wrote to memory of 1620	3200	75bff99becc32bcbe56efbe7a75f4d45.exe	105

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3744
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1916
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2296
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2856
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4440
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1084
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3984
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2184
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4008
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3676
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4392
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2324
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2640
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4872
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3568
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3256
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1620
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4892
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4680
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1536
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2172
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2180
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4580
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:432
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4028
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:796
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1708
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:508
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3144
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1844
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3568
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4796
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2056
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:416
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2452
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4684
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:876
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:3308
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4992
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4652
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1164
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4468
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:232
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2280
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2288
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2184
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2132
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2856
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:2664
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:1084
- - C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
    "C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
    3⤵
    - Executes dropped EXE
    PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-certs

Filesize
20KB

MD5
9eb820be2571bc8d4970ea02fc8782f2

SHA1
06b1af2e82b6246d85615d1eebd0340b9da6606f

SHA256
8ca9633464ea3476996552766a31775c44171a4fa786b4201f806654b9e659b8

SHA512
3ff2ad77e6e40b0c55ef1d9fb3085153d813986987542234dafc9f6b0975896cbbd26bf318cbf559ddba50d995d88d3c494145ef32bcbd01c8dbca51006631d4

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdesc-consensus

Filesize
2.6MB

MD5
6fcc4b924d58bbb8462b7ee1961c7977

SHA1
41e1e2d4561bb169144e7d1a08c6a7f3dc731c2d

SHA256
edbc99c46f9d6785d0cedf6fa6de99e6c7a20187a738e29d55258584db2660ed

SHA512
2d3539570f1a6024c291c25a3aed2f61668ec03aa614b92118380a60510fab72878539f0bc3d51e1c8ce20f3b26400c35cd714fcf146dd3288a8da861ee5a6fe

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs

Filesize
20.3MB

MD5
a1fa58cb0b9bd704e8b5b2ca8e0e629f

SHA1
79f41f4c1d42650d4fc0d0c48efab4388144608f

SHA256
509129242a163b42e41ed29e3e24c857fbf6118558caf18a83eddfd3bfd4200b

SHA512
05566d3fcf99f726f8da953e064ae6c33670266ebdd8f3e4e6490b6a2bc245d4cb03e42d0a08cee0b28c48a06633d194be63d2330bcfdc131ece304248659589

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new

Filesize
6.8MB

MD5
823150f50f8607eea6f6c02c55f07bc3

SHA1
3d2a131518ccc41af8b832932efb2202102c7ae8

SHA256
a547f209139344f0e3b7dc8a764cc50bcd031b75803e55835f8d453de6d33a20

SHA512
f49abbe128d53b603623e38656ed5a3f3956df69c3a9135ed88ab0fe22f46928c9a60519ee5a0b5bebde58a82a644f50966b8f4e56eb142ab0d2ce7adb1cb654

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new

Filesize
20.3MB

MD5
dcf6d1356c33cfe5e31e1a21d0486933

SHA1
388ca27d52f85afc7772e0eeaf3480a4d1e9e4ae

SHA256
b5732d1018b57b81e217433a8f77fc43070b0c44db372308891c41d0420cc19b

SHA512
ae9bc7026a4eead77b43f1f64116dc929e68d9573738cd7ccbeb50b52389c708f8575219b2131994228e8544d3178846b5f5fdf037768455b85fc539a8b1c6a3

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state

Filesize
232B

MD5
e5d5a1d2621324d571a21518afa30db9

SHA1
bee6f9247c90df8b6ed89de9b7fd76ee10c30a01

SHA256
f335e921a6017b5f9e07070a3417c5b2bb99ad8887d743f284ec8fda4e499089

SHA512
4e8bd86459d522b77ef3c4317afe9c371cb6820c255883c2f5f18536b98c141103e5dd1e1450e0868843afd7178749552adae207f5ca7c9be5ed34a34adfabfd

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state

Filesize
5KB

MD5
5aca849b44a2c4246936a37a65f0e204

SHA1
97daaca3e119f617713216796f771af71149a744

SHA256
da2c4ab7db51e1e18bf8eacc5e5d34b95d99cf42f401c2c1f6c7074ffa4b81db

SHA512
f2fba3ea55ceaea105ceee7e99d85d97f1e56c0d746f1df7899684361ba9ae547dc1706aabb54b45ad8804980fa7a6162df388d647b90834e2ba4bb92f42330a

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state

Filesize
3KB

MD5
dd0e988596848bcbf553d043fabad262

SHA1
ef2ac8417a6b834a6af21e0be5c790b55d4d52be

SHA256
83dc3e269af5df2ddd397a452275618bcbf9a296b52bf5446ede1254531ddc32

SHA512
351c53087c7bd36a3a1f7269d7cbc5ce292799c39d49ce921e576fc9369bb8a6a031740624faf4725e6002a1a082cc90abc9b6569c4aef783ea38e41895a0c34

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\torrc

Filesize
157B

MD5
68afdef35a6105c2b148649bd05901b0

SHA1
828a2b590a95c2a411cc1b0004207747f2571024

SHA256
4e4e4e7f9fb03bcb898ce4f6075e3082d3a341d9fff1955ddf45089f83565622

SHA512
f198da05ec57c8525e6643f7f2c212701d0ab641d2850a28ce4cea7c33ac7b5c75782273bf7f01f95ccf02e27adf7c237ed116c5b0f220c13e70fe0aa7cfc671

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/1060-19-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-65-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-27-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-29-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-31-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-33-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-35-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-37-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-39-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-41-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-43-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-45-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-47-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-49-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-51-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-53-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-55-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-57-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-59-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-61-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-63-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-25-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-67-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-69-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-71-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-73-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-2441-0x00000000747C0000-0x0000000074F71000-memory.dmp

Filesize
7.7MB

Download
memory/1060-23-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-21-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-17-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-15-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-13-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-9-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-11-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download
memory/1060-10-0x00000000055E0000-0x000000000565C000-memory.dmp

Filesize
496KB

Download
memory/1060-8-0x00000000055E0000-0x0000000005662000-memory.dmp

Filesize
520KB

Download
memory/1060-7-0x00000000083E0000-0x0000000008900000-memory.dmp

Filesize
5.1MB

Download
memory/1060-6-0x00000000747C0000-0x0000000074F71000-memory.dmp

Filesize
7.7MB

Download
memory/1060-5-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/1060-4-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download
memory/1060-0-0x00000000747C0000-0x0000000074F71000-memory.dmp

Filesize
7.7MB

Download
memory/1060-3-0x0000000005B60000-0x0000000005BF2000-memory.dmp

Filesize
584KB

Download
memory/1060-2-0x0000000006070000-0x0000000006616000-memory.dmp

Filesize
5.6MB

Download
memory/1060-1-0x0000000000990000-0x0000000001098000-memory.dmp

Filesize
7.0MB

Download
memory/1916-2614-0x0000000073790000-0x000000007389A000-memory.dmp

Filesize
1.0MB

Download
memory/1916-2606-0x00000000739F0000-0x0000000073AB8000-memory.dmp

Filesize
800KB

Download
memory/1916-2759-0x00000000000C0000-0x00000000004C4000-memory.dmp

Filesize
4.0MB

Download
memory/1916-2641-0x00000000739F0000-0x0000000073AB8000-memory.dmp

Filesize
800KB

Download
memory/1916-2642-0x00000000738F0000-0x00000000739BE000-memory.dmp

Filesize
824KB

Download
memory/1916-2616-0x0000000073430000-0x00000000736FF000-memory.dmp

Filesize
2.8MB

Download
memory/1916-2615-0x0000000073700000-0x0000000073788000-memory.dmp

Filesize
544KB

Download
memory/1916-2609-0x00000000739C0000-0x00000000739E4000-memory.dmp

Filesize
144KB

Download
memory/1916-2640-0x00000000000C0000-0x00000000004C4000-memory.dmp

Filesize
4.0MB

Download
memory/1916-2608-0x00000000738A0000-0x00000000738E9000-memory.dmp

Filesize
292KB

Download
memory/1916-2607-0x00000000738F0000-0x00000000739BE000-memory.dmp

Filesize
824KB

Download
memory/1916-2604-0x00000000000C0000-0x00000000004C4000-memory.dmp

Filesize
4.0MB

Download
memory/2296-2673-0x00000000739F0000-0x0000000073AB8000-memory.dmp

Filesize
800KB

Download
memory/2296-2674-0x00000000738F0000-0x00000000739BE000-memory.dmp

Filesize
824KB

Download
memory/2296-2680-0x0000000073790000-0x000000007389A000-memory.dmp

Filesize
1.0MB

Download
memory/2296-2678-0x00000000739C0000-0x00000000739E4000-memory.dmp

Filesize
144KB

Download
memory/2296-2677-0x00000000738A0000-0x00000000738E9000-memory.dmp

Filesize
292KB

Download
memory/2296-2684-0x0000000073430000-0x00000000736FF000-memory.dmp

Filesize
2.8MB

Download
memory/2296-2689-0x00000000739F0000-0x0000000073AB8000-memory.dmp

Filesize
800KB

Download
memory/2296-2690-0x00000000738F0000-0x00000000739BE000-memory.dmp

Filesize
824KB

Download
memory/2296-2691-0x00000000000C0000-0x00000000004C4000-memory.dmp

Filesize
4.0MB

Download
memory/2296-2682-0x0000000073700000-0x0000000073788000-memory.dmp

Filesize
544KB

Download
memory/2296-2672-0x00000000000C0000-0x00000000004C4000-memory.dmp

Filesize
4.0MB

Download
memory/2856-2756-0x0000000073430000-0x00000000736FF000-memory.dmp

Filesize
2.8MB

Download
memory/2856-2758-0x00000000739F0000-0x0000000073AB8000-memory.dmp

Filesize
800KB

Download
memory/2856-2760-0x00000000738F0000-0x00000000739BE000-memory.dmp

Filesize
824KB

Download
memory/2856-2761-0x00000000738A0000-0x00000000738E9000-memory.dmp

Filesize
292KB

Download
memory/2856-2762-0x00000000739C0000-0x00000000739E4000-memory.dmp

Filesize
144KB

Download
memory/2856-2763-0x0000000073790000-0x000000007389A000-memory.dmp

Filesize
1.0MB

Download
memory/3200-2639-0x0000000072000000-0x000000007203C000-memory.dmp

Filesize
240KB

Download
memory/3200-2568-0x0000000074510000-0x000000007454C000-memory.dmp

Filesize
240KB

Download
memory/3200-2442-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3200-2444-0x0000000074530000-0x000000007456C000-memory.dmp

Filesize
240KB

Download
memory/3200-2498-0x0000000073000000-0x000000007303C000-memory.dmp

Filesize
240KB

Download
memory/3200-2507-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3744-2605-0x00000000000C0000-0x00000000004C4000-memory.dmp

Filesize
4.0MB

Download
memory/3744-2508-0x00000000000C0000-0x00000000004C4000-memory.dmp

Filesize
4.0MB

Download
memory/3744-2484-0x0000000073700000-0x0000000073788000-memory.dmp

Filesize
544KB

Download
memory/3744-2485-0x00000000012F0000-0x0000000001378000-memory.dmp

Filesize
544KB

Download
memory/3744-2521-0x0000000001B10000-0x0000000001DDF000-memory.dmp

Filesize
2.8MB

Download
memory/3744-2520-0x00000000012F0000-0x0000000001339000-memory.dmp

Filesize
292KB

Download
memory/3744-2519-0x00000000738F0000-0x00000000739BE000-memory.dmp

Filesize
824KB

Download
memory/3744-2518-0x00000000739F0000-0x0000000073AB8000-memory.dmp

Filesize
800KB

Download
memory/3744-2509-0x00000000739C0000-0x00000000739E4000-memory.dmp

Filesize
144KB

Download
memory/3744-2486-0x0000000001B10000-0x0000000001DDF000-memory.dmp

Filesize
2.8MB

Download
memory/3744-2482-0x00000000012F0000-0x0000000001339000-memory.dmp

Filesize
292KB

Download
memory/3744-2481-0x00000000738F0000-0x00000000739BE000-memory.dmp

Filesize
824KB

Download
memory/3744-2491-0x00000000738A0000-0x00000000738E9000-memory.dmp

Filesize
292KB

Download
memory/3744-2490-0x0000000073430000-0x00000000736FF000-memory.dmp

Filesize
2.8MB

Download
memory/3744-2483-0x0000000073790000-0x000000007389A000-memory.dmp

Filesize
1.0MB

Download
memory/3744-2470-0x00000000739C0000-0x00000000739E4000-memory.dmp

Filesize
144KB

Download
memory/3744-2465-0x00000000000C0000-0x00000000004C4000-memory.dmp

Filesize
4.0MB

Download
memory/3744-2472-0x00000000739F0000-0x0000000073AB8000-memory.dmp

Filesize
800KB

Download