bitrat | 2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c

max time kernel
1202s
max time network
1203s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Size

7.6MB
MD5

9b035bad2b8a21fb2c57fd784c89b8d5
SHA1

ee15fad65f3f22df7f54e218176c45d369ebb70f
SHA256

2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c
SHA512

96c0189aba67db2f1c38affa5ac44665566ea17e20e5f749aef771739c81beb96bbcac8ea35aad80cffc9d492e23fcbaefbf03f72011d9bd1ccac36182466dde
SSDEEP

196608:imEljesxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQUDxtw3iFFrS6XOfTV73cP:balxwZ6v1CPwDv3uFteg2EeJUO9WLjD/

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.32

7ix5nfolcp4ta4mk2dtihev73rw7d2edpbd5tp7sf7zgmpv66fpxnwqd.onion:80

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
dllhost

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4752-0-0x0000000000400000-0x0000000000BAA000-memory.dmp	family_bitrat
behavioral3/memory/4752-45-0x0000000000400000-0x0000000000BAA000-memory.dmp	family_bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libgcc_s_sjlj-1.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Executes dropped EXE 45 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
1712	dllhost.exe
3316	dllhost.exe
224	dllhost.exe
5076	dllhost.exe
872	dllhost.exe
1680	dllhost.exe
3528	dllhost.exe
2648	dllhost.exe
1304	dllhost.exe
4428	dllhost.exe
2644	dllhost.exe
5096	dllhost.exe
1596	dllhost.exe
1552	dllhost.exe
5084	dllhost.exe
4660	dllhost.exe
2308	dllhost.exe
2740	dllhost.exe
3112	dllhost.exe
2976	dllhost.exe
1168	dllhost.exe
1668	dllhost.exe
3912	dllhost.exe
4720	dllhost.exe
888	dllhost.exe
4532	dllhost.exe
3660	dllhost.exe
3116	dllhost.exe
2304	dllhost.exe
3968	dllhost.exe
936	dllhost.exe
5020	dllhost.exe
4188	dllhost.exe
4724	dllhost.exe
2396	dllhost.exe
4364	dllhost.exe
3128	dllhost.exe
3576	dllhost.exe
5116	dllhost.exe
4436	dllhost.exe
3004	dllhost.exe
3112	dllhost.exe
856	dllhost.exe
208	dllhost.exe
2272	dllhost.exe

Loads dropped DLL 64 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
1712	dllhost.exe
1712	dllhost.exe
1712	dllhost.exe
1712	dllhost.exe
1712	dllhost.exe
1712	dllhost.exe
1712	dllhost.exe
1712	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
224	dllhost.exe
224	dllhost.exe
224	dllhost.exe
224	dllhost.exe
224	dllhost.exe
224	dllhost.exe
224	dllhost.exe
5076	dllhost.exe
5076	dllhost.exe
5076	dllhost.exe
5076	dllhost.exe
5076	dllhost.exe
5076	dllhost.exe
5076	dllhost.exe
872	dllhost.exe
872	dllhost.exe
872	dllhost.exe
872	dllhost.exe
872	dllhost.exe
872	dllhost.exe
872	dllhost.exe
1680	dllhost.exe
1680	dllhost.exe
1680	dllhost.exe
1680	dllhost.exe
1680	dllhost.exe
1680	dllhost.exe
1680	dllhost.exe
3528	dllhost.exe
3528	dllhost.exe
3528	dllhost.exe
3528	dllhost.exe
3528	dllhost.exe
3528	dllhost.exe
3528	dllhost.exe
2648	dllhost.exe
2648	dllhost.exe
2648	dllhost.exe
2648	dllhost.exe
2648	dllhost.exe
2648	dllhost.exe
2648	dllhost.exe
1304	dllhost.exe
1304	dllhost.exe
1304	dllhost.exe
1304	dllhost.exe
1304	dllhost.exe
1304	dllhost.exe
1304	dllhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libcrypto-1_1.dll	upx
behavioral3/memory/1712-20-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libgcc_s_sjlj-1.dll	upx
behavioral3/memory/1712-32-0x0000000074600000-0x0000000074649000-memory.dmp	upx
behavioral3/memory/1712-33-0x00000000745D0000-0x00000000745F4000-memory.dmp	upx
behavioral3/memory/1712-34-0x0000000074500000-0x00000000745CE000-memory.dmp	upx
behavioral3/memory/1712-35-0x0000000074430000-0x00000000744F8000-memory.dmp	upx
behavioral3/memory/1712-36-0x00000000743A0000-0x0000000074428000-memory.dmp	upx
behavioral3/memory/1712-37-0x0000000074290000-0x000000007439A000-memory.dmp	upx
behavioral3/memory/1712-39-0x0000000073FC0000-0x000000007428F000-memory.dmp	upx
behavioral3/memory/1712-58-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/1712-59-0x0000000074600000-0x0000000074649000-memory.dmp	upx
behavioral3/memory/1712-61-0x0000000074500000-0x00000000745CE000-memory.dmp	upx
behavioral3/memory/1712-60-0x00000000745D0000-0x00000000745F4000-memory.dmp	upx
behavioral3/memory/1712-62-0x0000000074430000-0x00000000744F8000-memory.dmp	upx
behavioral3/memory/1712-63-0x00000000743A0000-0x0000000074428000-memory.dmp	upx
behavioral3/memory/1712-64-0x0000000074290000-0x000000007439A000-memory.dmp	upx
behavioral3/memory/1712-65-0x0000000073FC0000-0x000000007428F000-memory.dmp	upx
behavioral3/memory/1712-71-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/1712-80-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/1712-92-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/1712-109-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/1712-121-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/1712-129-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/1712-137-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/3316-144-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/3316-154-0x0000000074430000-0x00000000744F8000-memory.dmp	upx
behavioral3/memory/3316-156-0x0000000074500000-0x00000000745CE000-memory.dmp	upx
behavioral3/memory/3316-157-0x0000000074600000-0x0000000074649000-memory.dmp	upx
behavioral3/memory/3316-160-0x0000000074290000-0x000000007439A000-memory.dmp	upx
behavioral3/memory/3316-161-0x00000000743A0000-0x0000000074428000-memory.dmp	upx
behavioral3/memory/3316-163-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/3316-162-0x0000000073FC0000-0x000000007428F000-memory.dmp	upx
behavioral3/memory/3316-158-0x00000000745D0000-0x00000000745F4000-memory.dmp	upx
behavioral3/memory/3316-166-0x0000000074500000-0x00000000745CE000-memory.dmp	upx
behavioral3/memory/3316-165-0x0000000074430000-0x00000000744F8000-memory.dmp	upx
behavioral3/memory/224-181-0x00000000742B0000-0x0000000074378000-memory.dmp	upx
behavioral3/memory/224-183-0x0000000074230000-0x0000000074254000-memory.dmp	upx
behavioral3/memory/224-185-0x0000000074120000-0x000000007422A000-memory.dmp	upx
behavioral3/memory/224-186-0x0000000074090000-0x0000000074118000-memory.dmp	upx
behavioral3/memory/224-188-0x0000000073FC0000-0x000000007408E000-memory.dmp	upx
behavioral3/memory/224-187-0x0000000074380000-0x000000007464F000-memory.dmp	upx
behavioral3/memory/224-182-0x0000000074260000-0x00000000742A9000-memory.dmp	upx
behavioral3/memory/224-208-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/224-209-0x0000000074230000-0x0000000074254000-memory.dmp	upx
behavioral3/memory/224-218-0x00000000742B0000-0x0000000074378000-memory.dmp	upx
behavioral3/memory/224-219-0x0000000074260000-0x00000000742A9000-memory.dmp	upx
behavioral3/memory/224-220-0x0000000074120000-0x000000007422A000-memory.dmp	upx
behavioral3/memory/224-221-0x0000000074380000-0x000000007464F000-memory.dmp	upx
behavioral3/memory/224-222-0x0000000073FC0000-0x000000007408E000-memory.dmp	upx
behavioral3/memory/5076-246-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/5076-248-0x00000000742B0000-0x0000000074378000-memory.dmp	upx
behavioral3/memory/5076-249-0x0000000073FC0000-0x000000007408E000-memory.dmp	upx
behavioral3/memory/5076-251-0x0000000074260000-0x00000000742A9000-memory.dmp	upx
behavioral3/memory/5076-253-0x0000000074230000-0x0000000074254000-memory.dmp	upx
behavioral3/memory/224-256-0x00000000001B0000-0x00000000005B4000-memory.dmp	upx
behavioral3/memory/5076-261-0x0000000074090000-0x0000000074118000-memory.dmp	upx
behavioral3/memory/5076-259-0x0000000074120000-0x000000007422A000-memory.dmp	upx

Looks up external IP address via web service 32 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
94	myexternalip.com
151	myexternalip.com
177	myexternalip.com
184	myexternalip.com
246	myexternalip.com
67	myexternalip.com
78	myexternalip.com
101	myexternalip.com
133	myexternalip.com
141	myexternalip.com
253	myexternalip.com
88	myexternalip.com
126	myexternalip.com
158	myexternalip.com
225	myexternalip.com
239	myexternalip.com
274	myexternalip.com
56	myexternalip.com
106	myexternalip.com
199	myexternalip.com
231	myexternalip.com
192	myexternalip.com
213	myexternalip.com
267	myexternalip.com
46	myexternalip.com
113	myexternalip.com
164	myexternalip.com
170	myexternalip.com
219	myexternalip.com
45	myexternalip.com
205	myexternalip.com
261	myexternalip.com

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

pid	process
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

pid process

4752 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
Token: SeShutdownPrivilege	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

pid process

4752 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
4752 9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe

description	pid	process	target process
PID 4752 wrote to memory of 1712	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1712	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1712	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 3316	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 3316	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 3316	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 224	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 224	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 224	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 5076	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 5076	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 5076	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 872	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 872	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 872	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1680	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1680	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1680	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 3528	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 3528	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 3528	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2648	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2648	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2648	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1304	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1304	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1304	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 4428	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 4428	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 4428	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2644	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2644	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2644	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 5096	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 5096	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 5096	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1596	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1596	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1596	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1552	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1552	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1552	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 5084	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 5084	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 5084	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 4660	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 4660	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 4660	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2308	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2308	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2308	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2740	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2740	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2740	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 3112	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 3112	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 3112	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2976	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2976	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 2976	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1168	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1168	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1168	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe
PID 4752 wrote to memory of 1668	4752	9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3316

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:224

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5076

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3528

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5096

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1596

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5084

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4660

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2308

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2740

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3112

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2976

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1668

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3912

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:888

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4532

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3660

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3116

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2304

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3968

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:936

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5020

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4188

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4724

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2396

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4364

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3128

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3576

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5116

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4436

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3004

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3112

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:856

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:208

C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Proxy

T1090

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-certs
Filesize
20KB

MD5
ec63070733586641f2531fced667aab2

SHA1
926eb68ff87341185d933ba5d0706d7ebab5fd16

SHA256
56f7d2833dea059af0a04d59f932ec5b5f8addf8a24d1f639814189689ffeced

SHA512
4d4c385984cc6ea9c0cb152cdbfb886fce4306071efe8d121bc0d6d9f7dee1d82a9ae5591c561880b4120b61ad68e3e15ea7fb5aab6bde041c2fe99ab09592f2

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
375c4aec57cde5ac04e7871137327553

SHA1
feb9c2d155d102fbd628e91c9e7d6cc086654c16

SHA256
bd534c44b7e35497d486c67359741ebbfeec1023be379aba2aceeb49fc805581

SHA512
ae3e3d4433f5063803cbab0d188a1c7283928b0c09bb7d9011d1adb37774910b3812b50ade977934c403a486b65369652094dbc6e916c38f7a575db4945bfa9b

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdescs
Filesize
20.3MB

MD5
36af81c16d5323d86ff60537b185deb4

SHA1
ef7eed789708c896bec810e07e63833beccee26c

SHA256
58d0f8f051dad9a06f3960a6fd6241cd4ca9db01a8177c57e55c1206a1bfb498

SHA512
b65037a1c207e506714d4cf84a2e45e717896c05e732f5cfc58c6823c5abb0f44862a963ad2e8d23d27ef85e02e027e23263411a5d1bdbdf6a78488366301a6f

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdescs.new
Filesize
20.3MB

MD5
fc7239e50c2a0ccf5e2f1062ddf5b789

SHA1
76279ef0921816d227d3e8cdf0c186e3b3828a17

SHA256
6b8d735234136522e2d03f464f41d66d597296ea9a5fd65c63e99e09aa4f42d3

SHA512
038e6de2850a81086cb06f6214948be050782809d77183adb724d25f732fe6f9552b0a01828b7e7cece11ff2f0c3da0b73a3dcd1829c41c762cfd3fff67b917e

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\cached-microdescs.new
Filesize
6.5MB

MD5
d200d1e378fba357bf380a8c0ae7bca6

SHA1
5d0fd45741df1663cdab90a7ea25a89fb0302e1f

SHA256
368a2237b13c9860ddf723f23e7b6600da3ebd3beae11dff63a806eea57a36f9

SHA512
2ae190456869484ace19b67de9184776ca282c4929fb845c006517d70910cabfa99a2063e9e909bf72a7b981a6914b1d9cdc123a97234b4aa693b5abbb2915ed

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\state
Filesize
9KB

MD5
c9c298db567722a5f205c8115c39bf2f

SHA1
7db924423644b8adabf2e599c0d927708877a84c

SHA256
17d5a01a6240af4d0dfb2928b9eadafdff6063ad133c3d99f31b210a00bc1d84

SHA512
17726f3063bb14d79bab6a4faec0c2d2ede8e10c5361734cafe449658c0ad5b2b2f821d808b2cde699a2aea8293ed933bdc29ad2f057b6e72ff085d42a5785b4

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\data\state
Filesize
9KB

MD5
3865f36a3aa62c57308161369b318d44

SHA1
a4430dea00b68e3a5ae3dbeb7a7022b03475a6c0

SHA256
0d0630a06f498bcda5395f2c78c9a248aefff49717ffaf5bc4ad14834c0caa8b

SHA512
1cbfdfc9b7f65d534c7bf3635d498b373c95b0fb8f5a5a6744f22d634d0de498f09b56fa277d1988785c5a12444e224539dac181ce4277112ac76fb1511d1894

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\dllhost.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\torrc
Filesize
139B

MD5
dbd537e3da06f7d7aeaf58f4decc0c94

SHA1
7e740ea6dcf8545710f99519014e9bb029028a84

SHA256
349b36a467d778e29b96528cdd25d6c34a54be659a9ef516b3833106ceb679b2

SHA512
a84633c420c825b15ef2fc5cf83a6d75fcdddbb06d3b7dc74537d5bc98b5d910d3dec4838f30be3a06373662d2946f156f36bd2e033e0b6089753006ac327a90

Download Submit
C:\Users\Admin\AppData\Local\07fa2a3b\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/224-188-0x0000000073FC0000-0x000000007408E000-memory.dmp

Filesize
824KB

Download
memory/224-186-0x0000000074090000-0x0000000074118000-memory.dmp

Filesize
544KB

Download
memory/224-222-0x0000000073FC0000-0x000000007408E000-memory.dmp

Filesize
824KB

Download
memory/224-182-0x0000000074260000-0x00000000742A9000-memory.dmp

Filesize
292KB

Download
memory/224-187-0x0000000074380000-0x000000007464F000-memory.dmp

Filesize
2.8MB

Download
memory/224-218-0x00000000742B0000-0x0000000074378000-memory.dmp

Filesize
800KB

Download
memory/224-220-0x0000000074120000-0x000000007422A000-memory.dmp

Filesize
1.0MB

Download
memory/224-221-0x0000000074380000-0x000000007464F000-memory.dmp

Filesize
2.8MB

Download
memory/224-185-0x0000000074120000-0x000000007422A000-memory.dmp

Filesize
1.0MB

Download
memory/224-183-0x0000000074230000-0x0000000074254000-memory.dmp

Filesize
144KB

Download
memory/224-181-0x00000000742B0000-0x0000000074378000-memory.dmp

Filesize
800KB

Download
memory/224-256-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/224-219-0x0000000074260000-0x00000000742A9000-memory.dmp

Filesize
292KB

Download
memory/224-208-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/224-209-0x0000000074230000-0x0000000074254000-memory.dmp

Filesize
144KB

Download
memory/872-317-0x0000000074380000-0x000000007464F000-memory.dmp

Filesize
2.8MB

Download
memory/872-285-0x0000000074230000-0x0000000074254000-memory.dmp

Filesize
144KB

Download
memory/872-316-0x0000000074090000-0x0000000074118000-memory.dmp

Filesize
544KB

Download
memory/872-315-0x0000000074120000-0x000000007422A000-memory.dmp

Filesize
1.0MB

Download
memory/872-314-0x0000000074230000-0x0000000074254000-memory.dmp

Filesize
144KB

Download
memory/872-287-0x0000000074380000-0x000000007464F000-memory.dmp

Filesize
2.8MB

Download
memory/872-313-0x0000000074260000-0x00000000742A9000-memory.dmp

Filesize
292KB

Download
memory/872-286-0x0000000074090000-0x0000000074118000-memory.dmp

Filesize
544KB

Download
memory/872-284-0x00000000742B0000-0x0000000074378000-memory.dmp

Filesize
800KB

Download
memory/872-289-0x0000000073FC0000-0x000000007408E000-memory.dmp

Filesize
824KB

Download
memory/872-312-0x00000000742B0000-0x0000000074378000-memory.dmp

Filesize
800KB

Download
memory/872-303-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/1712-58-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/1712-121-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/1712-65-0x0000000073FC0000-0x000000007428F000-memory.dmp

Filesize
2.8MB

Download
memory/1712-129-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/1712-92-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/1712-63-0x00000000743A0000-0x0000000074428000-memory.dmp

Filesize
544KB

Download
memory/1712-109-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/1712-91-0x0000000001370000-0x000000000163F000-memory.dmp

Filesize
2.8MB

Download
memory/1712-62-0x0000000074430000-0x00000000744F8000-memory.dmp

Filesize
800KB

Download
memory/1712-60-0x00000000745D0000-0x00000000745F4000-memory.dmp

Filesize
144KB

Download
memory/1712-61-0x0000000074500000-0x00000000745CE000-memory.dmp

Filesize
824KB

Download
memory/1712-59-0x0000000074600000-0x0000000074649000-memory.dmp

Filesize
292KB

Download
memory/1712-137-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/1712-64-0x0000000074290000-0x000000007439A000-memory.dmp

Filesize
1.0MB

Download
memory/1712-71-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/1712-80-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/1712-41-0x0000000001370000-0x000000000163F000-memory.dmp

Filesize
2.8MB

Download
memory/1712-39-0x0000000073FC0000-0x000000007428F000-memory.dmp

Filesize
2.8MB

Download
memory/1712-37-0x0000000074290000-0x000000007439A000-memory.dmp

Filesize
1.0MB

Download
memory/1712-36-0x00000000743A0000-0x0000000074428000-memory.dmp

Filesize
544KB

Download
memory/1712-35-0x0000000074430000-0x00000000744F8000-memory.dmp

Filesize
800KB

Download
memory/1712-34-0x0000000074500000-0x00000000745CE000-memory.dmp

Filesize
824KB

Download
memory/1712-33-0x00000000745D0000-0x00000000745F4000-memory.dmp

Filesize
144KB

Download
memory/1712-32-0x0000000074600000-0x0000000074649000-memory.dmp

Filesize
292KB

Download
memory/1712-20-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/3316-162-0x0000000073FC0000-0x000000007428F000-memory.dmp

Filesize
2.8MB

Download
memory/3316-154-0x0000000074430000-0x00000000744F8000-memory.dmp

Filesize
800KB

Download
memory/3316-144-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/3316-156-0x0000000074500000-0x00000000745CE000-memory.dmp

Filesize
824KB

Download
memory/3316-157-0x0000000074600000-0x0000000074649000-memory.dmp

Filesize
292KB

Download
memory/3316-160-0x0000000074290000-0x000000007439A000-memory.dmp

Filesize
1.0MB

Download
memory/3316-165-0x0000000074430000-0x00000000744F8000-memory.dmp

Filesize
800KB

Download
memory/3316-161-0x00000000743A0000-0x0000000074428000-memory.dmp

Filesize
544KB

Download
memory/3316-163-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/3316-158-0x00000000745D0000-0x00000000745F4000-memory.dmp

Filesize
144KB

Download
memory/3316-166-0x0000000074500000-0x00000000745CE000-memory.dmp

Filesize
824KB

Download
memory/4752-117-0x0000000074730000-0x0000000074769000-memory.dmp

Filesize
228KB

Download
memory/4752-0-0x0000000000400000-0x0000000000BAA000-memory.dmp

Filesize
7.7MB

Download
memory/4752-1-0x0000000075100000-0x0000000075139000-memory.dmp

Filesize
228KB

Download
memory/4752-45-0x0000000000400000-0x0000000000BAA000-memory.dmp

Filesize
7.7MB

Download
memory/4752-46-0x0000000073BB0000-0x0000000073BE9000-memory.dmp

Filesize
228KB

Download
memory/5076-253-0x0000000074230000-0x0000000074254000-memory.dmp

Filesize
144KB

Download
memory/5076-259-0x0000000074120000-0x000000007422A000-memory.dmp

Filesize
1.0MB

Download
memory/5076-261-0x0000000074090000-0x0000000074118000-memory.dmp

Filesize
544KB

Download
memory/5076-270-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/5076-251-0x0000000074260000-0x00000000742A9000-memory.dmp

Filesize
292KB

Download
memory/5076-249-0x0000000073FC0000-0x000000007408E000-memory.dmp

Filesize
824KB

Download
memory/5076-246-0x00000000001B0000-0x00000000005B4000-memory.dmp

Filesize
4.0MB

Download
memory/5076-248-0x00000000742B0000-0x0000000074378000-memory.dmp

Filesize
800KB

Download
memory/5076-263-0x0000000074380000-0x000000007464F000-memory.dmp

Filesize
2.8MB

Download
memory/5076-269-0x0000000074230000-0x0000000074254000-memory.dmp

Filesize
144KB

Download
memory/5076-271-0x00000000742B0000-0x0000000074378000-memory.dmp

Filesize
800KB

Download
memory/5076-272-0x0000000073FC0000-0x000000007408E000-memory.dmp

Filesize
824KB

Download
memory/5076-273-0x0000000074260000-0x00000000742A9000-memory.dmp

Filesize
292KB

Download