Malware Analysis Report

2025-01-03 05:14

Sample ID 221130-s5szzsdb22
Target ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8
SHA256 ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8
Tags
bitrat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8

Threat Level: Known bad

The file ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-30 15:42

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-30 15:42

Reported

2022-12-02 14:02

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PowerISO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\PowerISO.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004} C:\Users\Admin\AppData\Local\Temp\PowerISO.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\PowerISO.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4352 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\AppData\Local\Temp\PowerISO.exe
PID 4352 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\AppData\Local\Temp\PowerISO.exe
PID 4352 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\Downloads\PowerISO.exe
PID 4352 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\Downloads\PowerISO.exe
PID 4352 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\Downloads\PowerISO.exe
PID 4396 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe C:\Windows\System32\regsvr32.exe
PID 4396 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe C:\Windows\System32\regsvr32.exe
PID 4876 wrote to memory of 2340 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 4876 wrote to memory of 2340 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 4876 wrote to memory of 2340 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 4876 wrote to memory of 4996 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 4876 wrote to memory of 4996 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 4876 wrote to memory of 4996 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe

"C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe"

C:\Users\Admin\AppData\Local\Temp\PowerISO.exe

"C:\Users\Admin\AppData\Local\Temp\PowerISO.exe"

C:\Users\Admin\Downloads\PowerISO.exe

"C:\Users\Admin\Downloads\PowerISO.exe"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\PWRISOSH.DLL"

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

"C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe" -f torrc

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

"C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe" -f torrc

Network

Country Destination Domain Proto
N/A 8.248.3.254:80 tcp
N/A 8.248.3.254:80 tcp
N/A 8.248.3.254:80 tcp
N/A 45.79.108.130:9001 tcp
N/A 127.0.0.1:49792 tcp
N/A 217.182.75.181:9001 tcp
N/A 127.0.0.1:45808 tcp
N/A 54.36.237.163:443 tcp
N/A 51.81.93.109:443 tcp
N/A 144.217.72.198:443 tcp
N/A 31.165.21.216:9001 tcp
N/A 51.81.93.109:443 tcp
N/A 31.165.21.216:9001 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49851 tcp
N/A 95.214.54.80:8443 tcp
N/A 87.236.195.216:80 tcp
N/A 51.158.164.63:443 tcp
N/A 93.184.220.29:80 tcp
N/A 127.0.0.1:45808 tcp
N/A 8.8.8.8:53 myexternalip.com udp
N/A 34.160.111.145:443 myexternalip.com tcp

Files

memory/4352-132-0x0000000000F70000-0x0000000001610000-memory.dmp

memory/4352-133-0x00007FFC1E250000-0x00007FFC1ED11000-memory.dmp

memory/4396-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\PowerISO.exe

MD5 b51cde6cfd261226786bca2eb384e4a3
SHA1 61863de730ef6b6839f556120e3f05efee4b1619
SHA256 6bd7624f6fe3cfe0247c18ee82baa56f682f0db24aad6194351135e319ab1021
SHA512 e3b9e24a8a4e89420f9bf5ddd6274310f2318ab2ab63fd51ba1629cc69a4a3fbcebc1ebe0fceded484297293f5350e07ae90ccf45934f6847c7cd51b05e500ea

C:\Users\Admin\AppData\Local\Temp\PowerISO.exe

MD5 b51cde6cfd261226786bca2eb384e4a3
SHA1 61863de730ef6b6839f556120e3f05efee4b1619
SHA256 6bd7624f6fe3cfe0247c18ee82baa56f682f0db24aad6194351135e319ab1021
SHA512 e3b9e24a8a4e89420f9bf5ddd6274310f2318ab2ab63fd51ba1629cc69a4a3fbcebc1ebe0fceded484297293f5350e07ae90ccf45934f6847c7cd51b05e500ea

memory/4876-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\Downloads\PowerISO.exe

MD5 a91474420c19c8f1f5397753731bad08
SHA1 9027129687373bd16b7215b3b0fd7b0773f48ec1
SHA256 bdfdfcb79984673e9824ebe86f8409bc7cb57235dae27a5450038c4c0d28705f
SHA512 d13c0780d05882377633f460010de03b464ee577f2cc07662960622aecf30d186ea7bcd626f6d2d2f5649f983a8e3eb56201dc021ee128d081caf5beadb1581a

C:\Users\Admin\Downloads\PowerISO.exe

MD5 a91474420c19c8f1f5397753731bad08
SHA1 9027129687373bd16b7215b3b0fd7b0773f48ec1
SHA256 bdfdfcb79984673e9824ebe86f8409bc7cb57235dae27a5450038c4c0d28705f
SHA512 d13c0780d05882377633f460010de03b464ee577f2cc07662960622aecf30d186ea7bcd626f6d2d2f5649f983a8e3eb56201dc021ee128d081caf5beadb1581a

memory/4352-140-0x00007FFC1E250000-0x00007FFC1ED11000-memory.dmp

memory/5076-141-0x0000000000000000-mapping.dmp

memory/4876-142-0x0000000000400000-0x0000000000FF7000-memory.dmp

memory/4876-143-0x0000000074400000-0x0000000074439000-memory.dmp

memory/2340-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\a59e358a\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2340-151-0x0000000000420000-0x0000000000824000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\a59e358a\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\a59e358a\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\a59e358a\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\a59e358a\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/2340-155-0x0000000073830000-0x0000000073879000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\a59e358a\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\a59e358a\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\a59e358a\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\a59e358a\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\a59e358a\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\a59e358a\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\a59e358a\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\a59e358a\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\a59e358a\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2340-165-0x0000000073880000-0x000000007394E000-memory.dmp

memory/2340-166-0x0000000073760000-0x0000000073828000-memory.dmp

memory/2340-167-0x0000000073730000-0x0000000073754000-memory.dmp

memory/2340-168-0x0000000073620000-0x000000007372A000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\torrc

MD5 b286e0ab2c827ec1a57f90b6913030a4
SHA1 6a451c18c5885077cf80af1403e30b6aa17c1e89
SHA256 17b767a932644bf9c0bbfcfdcc9806ad80f8f68e61bbecb034a1c2cf0de14c91
SHA512 bffeb5f631e6e50d36f3e6ffa9c9b0a2fda31ceab22e6f9e2371a39f1430a6a5e7f7723db27c456ca1d3c1996b6fd3b5c842769f8a63dc5ce76ca28134af604e

memory/2340-169-0x0000000073590000-0x0000000073618000-memory.dmp

memory/2340-171-0x0000000001370000-0x00000000013F8000-memory.dmp

memory/2340-172-0x0000000001C20000-0x0000000001EEF000-memory.dmp

memory/2340-173-0x00000000732C0000-0x000000007358F000-memory.dmp

memory/4876-174-0x0000000000400000-0x0000000000FF7000-memory.dmp

memory/4876-175-0x0000000072EB0000-0x0000000072EE9000-memory.dmp

memory/2340-176-0x0000000000420000-0x0000000000824000-memory.dmp

memory/2340-177-0x0000000073830000-0x0000000073879000-memory.dmp

memory/2340-178-0x0000000073880000-0x000000007394E000-memory.dmp

memory/2340-179-0x0000000073760000-0x0000000073828000-memory.dmp

memory/2340-181-0x0000000001C20000-0x0000000001EEF000-memory.dmp

memory/2340-180-0x0000000001370000-0x00000000013F8000-memory.dmp

memory/4876-182-0x0000000073FC0000-0x0000000073FF9000-memory.dmp

memory/4876-183-0x0000000074400000-0x0000000074439000-memory.dmp

memory/2340-184-0x0000000000420000-0x0000000000824000-memory.dmp

memory/2340-185-0x0000000001370000-0x00000000013F8000-memory.dmp

memory/4996-186-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\a59e358a\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\a59e358a\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\a59e358a\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\a59e358a\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\a59e358a\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\a59e358a\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\a59e358a\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\a59e358a\tor\torrc

MD5 b286e0ab2c827ec1a57f90b6913030a4
SHA1 6a451c18c5885077cf80af1403e30b6aa17c1e89
SHA256 17b767a932644bf9c0bbfcfdcc9806ad80f8f68e61bbecb034a1c2cf0de14c91
SHA512 bffeb5f631e6e50d36f3e6ffa9c9b0a2fda31ceab22e6f9e2371a39f1430a6a5e7f7723db27c456ca1d3c1996b6fd3b5c842769f8a63dc5ce76ca28134af604e

C:\Users\Admin\AppData\Local\a59e358a\tor\data\cached-microdesc-consensus

MD5 99bab0f9a3fbfb0b401245631e4ccb45
SHA1 24785996bb1cfa5fa9f626fb98ec370e1a063ab3
SHA256 a455e3b4b23b38ea1f0ff9774d919a4db8b7f5bf7efa67d9f4a3c8c8ae397c8e
SHA512 df0048b0b167b3a72a4bd579a5f73131fbba2be74fd682ab77030419af57e67a8791edd85665980f1dafa04e14fc3f23dbfb941e37c6d2eb35ecd1ad516489fd

C:\Users\Admin\AppData\Local\a59e358a\tor\data\cached-certs

MD5 6ee02b20a4c02ef3a138ac108a2e2c90
SHA1 98627a8f51cf646b016864ec9618189abdf64c79
SHA256 f286537f5e4f4fb873a590b35df77d9f7364538851ae9b33294007ffbc23664e
SHA512 f95f7df86a7a661bdd96aec6516e19dcaef6f80a9e03377c7078356d9ec0a49ff3021fe4a75bc62de784d48ba0fd1b71307ce98db7074e15be961227ef538275

C:\Users\Admin\AppData\Local\a59e358a\tor\data\state

MD5 97eeb2ac82210dddbcb0acae700ea508
SHA1 476a4291fb7d0b9fd835bc56341cd0b4c5c13f40
SHA256 7c330fbc6be19a20a3167f195ab39dcea2c190f277a798c48f775d5742460e34
SHA512 be78fc5162046713e10be1503261c159072ba472b72aa42bf97e56d5ca986b3b24a00925172dae1194a89d79a595caca4f9bcc70ab2dc30b9b90e8523feb0cf8

memory/4996-199-0x0000000000420000-0x0000000000824000-memory.dmp

memory/4996-200-0x0000000073720000-0x00000000739EF000-memory.dmp

memory/4996-202-0x0000000073530000-0x0000000073579000-memory.dmp

memory/4996-201-0x0000000073580000-0x000000007364E000-memory.dmp

memory/4996-203-0x0000000073500000-0x0000000073524000-memory.dmp

memory/4996-205-0x00000000733F0000-0x00000000734FA000-memory.dmp

memory/4996-206-0x0000000073360000-0x00000000733E8000-memory.dmp

memory/4996-204-0x0000000073650000-0x0000000073718000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\data\cached-microdescs.new

MD5 f038f29108ed72d798c29aebd5486859
SHA1 92ebf1bec36090f8150078beeee7e14b96edfade
SHA256 fe62cb8ce09d1db0aee08cd53f8880e3fdd07ab3eee0a19040a1ea2facd9ba16
SHA512 8ffd5ce3604eced86c26e5c957f641fe18c60cdd8763fe2e992d2568766c24afe3b590036cb054a64ce701bd0137e182b0e7628627708f4d0d4d400e35ecb217

C:\Users\Admin\AppData\Local\a59e358a\tor\data\unverified-microdesc-consensus

MD5 99bab0f9a3fbfb0b401245631e4ccb45
SHA1 24785996bb1cfa5fa9f626fb98ec370e1a063ab3
SHA256 a455e3b4b23b38ea1f0ff9774d919a4db8b7f5bf7efa67d9f4a3c8c8ae397c8e
SHA512 df0048b0b167b3a72a4bd579a5f73131fbba2be74fd682ab77030419af57e67a8791edd85665980f1dafa04e14fc3f23dbfb941e37c6d2eb35ecd1ad516489fd

memory/4996-209-0x0000000000420000-0x0000000000824000-memory.dmp

memory/4876-210-0x0000000073120000-0x0000000073159000-memory.dmp

memory/4876-211-0x0000000073FC0000-0x0000000073FF9000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-30 15:42

Reported

2022-12-02 14:03

Platform

win7-20220901-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004} C:\Users\Admin\AppData\Local\Temp\PowerISO.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\PowerISO.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A
N/A N/A C:\Users\Admin\Downloads\PowerISO.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\AppData\Local\Temp\PowerISO.exe
PID 1196 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\AppData\Local\Temp\PowerISO.exe
PID 1196 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\AppData\Local\Temp\PowerISO.exe
PID 1964 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe C:\Windows\System32\regsvr32.exe
PID 1964 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe C:\Windows\System32\regsvr32.exe
PID 1964 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe C:\Windows\System32\regsvr32.exe
PID 1964 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe C:\Windows\System32\regsvr32.exe
PID 1964 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\PowerISO.exe C:\Windows\System32\regsvr32.exe
PID 1196 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\Downloads\PowerISO.exe
PID 1196 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\Downloads\PowerISO.exe
PID 1196 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\Downloads\PowerISO.exe
PID 1196 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe C:\Users\Admin\Downloads\PowerISO.exe
PID 1120 wrote to memory of 1656 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1656 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1656 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1656 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1948 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1948 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1948 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1948 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1696 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1696 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1696 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe
PID 1120 wrote to memory of 1696 N/A C:\Users\Admin\Downloads\PowerISO.exe C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe

"C:\Users\Admin\AppData\Local\Temp\ea5b9af55f33912956438ccf8cea5222deb2b471368d68bd3c7e74b695ade0a8.exe"

C:\Users\Admin\AppData\Local\Temp\PowerISO.exe

"C:\Users\Admin\AppData\Local\Temp\PowerISO.exe"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\PWRISOSH.DLL"

C:\Users\Admin\Downloads\PowerISO.exe

"C:\Users\Admin\Downloads\PowerISO.exe"

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

"C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe" -f torrc

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

"C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe" -f torrc

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

"C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49204 tcp
N/A 193.70.43.76:9001 tcp
N/A 96.253.78.108:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 37.157.255.35:9090 tcp
N/A 185.96.180.29:443 tcp
N/A 37.187.102.108:443 tcp
N/A 199.58.81.140:443 tcp
N/A 127.0.0.1:45808 tcp
N/A 54.36.205.38:9001 tcp
N/A 95.216.101.247:443 tcp
N/A 23.82.136.232:443 tcp
N/A 85.214.128.156:443 tcp
N/A 54.36.205.38:9001 tcp
N/A 95.216.101.247:443 tcp
N/A 127.0.0.1:49243 tcp
N/A 217.182.196.71:443 tcp
N/A 31.207.89.76:9001 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49277 tcp
N/A 46.4.115.73:443 tcp
N/A 198.98.62.56:9941 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/1196-54-0x000000013F050000-0x000000013F6F0000-memory.dmp

memory/1196-55-0x0000000000646000-0x0000000000665000-memory.dmp

memory/1196-56-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PowerISO.exe

MD5 b51cde6cfd261226786bca2eb384e4a3
SHA1 61863de730ef6b6839f556120e3f05efee4b1619
SHA256 6bd7624f6fe3cfe0247c18ee82baa56f682f0db24aad6194351135e319ab1021
SHA512 e3b9e24a8a4e89420f9bf5ddd6274310f2318ab2ab63fd51ba1629cc69a4a3fbcebc1ebe0fceded484297293f5350e07ae90ccf45934f6847c7cd51b05e500ea

memory/1964-59-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\PowerISO.exe

MD5 b51cde6cfd261226786bca2eb384e4a3
SHA1 61863de730ef6b6839f556120e3f05efee4b1619
SHA256 6bd7624f6fe3cfe0247c18ee82baa56f682f0db24aad6194351135e319ab1021
SHA512 e3b9e24a8a4e89420f9bf5ddd6274310f2318ab2ab63fd51ba1629cc69a4a3fbcebc1ebe0fceded484297293f5350e07ae90ccf45934f6847c7cd51b05e500ea

\Users\Admin\AppData\Local\Temp\PowerISO.exe

MD5 b51cde6cfd261226786bca2eb384e4a3
SHA1 61863de730ef6b6839f556120e3f05efee4b1619
SHA256 6bd7624f6fe3cfe0247c18ee82baa56f682f0db24aad6194351135e319ab1021
SHA512 e3b9e24a8a4e89420f9bf5ddd6274310f2318ab2ab63fd51ba1629cc69a4a3fbcebc1ebe0fceded484297293f5350e07ae90ccf45934f6847c7cd51b05e500ea

memory/1492-62-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\PowerISO.exe

MD5 b51cde6cfd261226786bca2eb384e4a3
SHA1 61863de730ef6b6839f556120e3f05efee4b1619
SHA256 6bd7624f6fe3cfe0247c18ee82baa56f682f0db24aad6194351135e319ab1021
SHA512 e3b9e24a8a4e89420f9bf5ddd6274310f2318ab2ab63fd51ba1629cc69a4a3fbcebc1ebe0fceded484297293f5350e07ae90ccf45934f6847c7cd51b05e500ea

C:\Users\Admin\Downloads\PowerISO.exe

MD5 a91474420c19c8f1f5397753731bad08
SHA1 9027129687373bd16b7215b3b0fd7b0773f48ec1
SHA256 bdfdfcb79984673e9824ebe86f8409bc7cb57235dae27a5450038c4c0d28705f
SHA512 d13c0780d05882377633f460010de03b464ee577f2cc07662960622aecf30d186ea7bcd626f6d2d2f5649f983a8e3eb56201dc021ee128d081caf5beadb1581a

memory/1120-65-0x0000000000000000-mapping.dmp

memory/1196-67-0x0000000000646000-0x0000000000665000-memory.dmp

memory/1120-68-0x0000000074E41000-0x0000000074E43000-memory.dmp

memory/1120-69-0x0000000000400000-0x0000000000FF7000-memory.dmp

memory/1120-70-0x0000000000400000-0x0000000000FF7000-memory.dmp

\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1656-73-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\a59e358a\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\a59e358a\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\a59e358a\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\a59e358a\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\a59e358a\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\a59e358a\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/1120-82-0x0000000003F80000-0x0000000004384000-memory.dmp

memory/1120-83-0x0000000003F80000-0x0000000004384000-memory.dmp

memory/1656-84-0x00000000000B0000-0x00000000004B4000-memory.dmp

memory/1656-86-0x0000000074370000-0x00000000743B9000-memory.dmp

memory/1656-85-0x0000000073E10000-0x00000000740DF000-memory.dmp

memory/1656-87-0x0000000073D40000-0x0000000073E08000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\a59e358a\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\a59e358a\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\a59e358a\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\a59e358a\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\a59e358a\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\a59e358a\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\a59e358a\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\a59e358a\tor\torrc

MD5 b286e0ab2c827ec1a57f90b6913030a4
SHA1 6a451c18c5885077cf80af1403e30b6aa17c1e89
SHA256 17b767a932644bf9c0bbfcfdcc9806ad80f8f68e61bbecb034a1c2cf0de14c91
SHA512 bffeb5f631e6e50d36f3e6ffa9c9b0a2fda31ceab22e6f9e2371a39f1430a6a5e7f7723db27c456ca1d3c1996b6fd3b5c842769f8a63dc5ce76ca28134af604e

memory/1656-97-0x0000000073C30000-0x0000000073D3A000-memory.dmp

memory/1656-98-0x00000000742E0000-0x0000000074368000-memory.dmp

memory/1656-99-0x0000000073B60000-0x0000000073C2E000-memory.dmp

memory/1656-100-0x0000000074410000-0x0000000074434000-memory.dmp

memory/1120-101-0x0000000003F80000-0x0000000004384000-memory.dmp

memory/1120-102-0x0000000003F80000-0x0000000004384000-memory.dmp

memory/1656-103-0x00000000000B0000-0x00000000004B4000-memory.dmp

memory/1656-106-0x0000000073D40000-0x0000000073E08000-memory.dmp

memory/1656-105-0x0000000074370000-0x00000000743B9000-memory.dmp

memory/1656-104-0x0000000073E10000-0x00000000740DF000-memory.dmp

memory/1948-108-0x0000000000000000-mapping.dmp

memory/1656-109-0x00000000000B0000-0x00000000004B4000-memory.dmp

\Users\Admin\AppData\Local\a59e358a\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\a59e358a\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\a59e358a\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\a59e358a\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\a59e358a\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\a59e358a\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\a59e358a\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\a59e358a\tor\data\state

MD5 a76f5b6371eef2df179239f98f0fc049
SHA1 59a2310d31c17c007b1dc6e0b253bf396979389e
SHA256 98fb0415a51ef3babc12f18c224b84703674bea9d0ced4edf203c236a6fc464e
SHA512 70fdd5b0bbd3a8d85204932e2cc22f01845b130729c4a40022883ff101c18a81be7a08b6ab8875947b38e2e327407308eac59d55e425f75f17105533ebc2739c

C:\Users\Admin\AppData\Local\a59e358a\tor\data\cached-certs

MD5 da648c7cbb023d0957f9b1d4b51cdcb5
SHA1 68e72ad394b3b8459ff5883e404fce016200a764
SHA256 40f4e1db1dfc03cc4f6a617332126a812e71eec7fb94b5a666e1af62be83ecae
SHA512 f9662ec27e2e678d658fe6a03ecc35ec1f85c2b939d8f5bd1bb384f772bf2299f0af3274c092afcfc0787f8814497e233010141cbb43720e51b929c99d18e3f9

C:\Users\Admin\AppData\Local\a59e358a\tor\torrc

MD5 b286e0ab2c827ec1a57f90b6913030a4
SHA1 6a451c18c5885077cf80af1403e30b6aa17c1e89
SHA256 17b767a932644bf9c0bbfcfdcc9806ad80f8f68e61bbecb034a1c2cf0de14c91
SHA512 bffeb5f631e6e50d36f3e6ffa9c9b0a2fda31ceab22e6f9e2371a39f1430a6a5e7f7723db27c456ca1d3c1996b6fd3b5c842769f8a63dc5ce76ca28134af604e

C:\Users\Admin\AppData\Local\a59e358a\tor\data\cached-microdesc-consensus

MD5 1586557a98b12769b55dc0093f38e2b7
SHA1 348d477c238c6e97491365184cd894029b95cb1f
SHA256 280496ab70481b438112a25021b9546fd7f08eb93256e52f7b383c425021a337
SHA512 497c0016484f74f1adde3ff728be7d358151198eed426fde36208de59d665536efdd18d67a2249efb47d109a7725f0b9099161232e16a900636d3d517bd1fa86

memory/1120-123-0x0000000004C30000-0x0000000005034000-memory.dmp

memory/1948-124-0x00000000000B0000-0x00000000004B4000-memory.dmp

memory/1948-125-0x0000000073B60000-0x0000000073C2E000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\data\cached-microdescs.new

MD5 1d501a0f4a56f8d24e5a76f314a81fc7
SHA1 46a73f9a22f0c528082f428482f457dc6c465aab
SHA256 c20411e7e36a17fe1aed788c2cfe943991596210c8fa172b7f2e5828a17da230
SHA512 873b663243c9158ab1012e64bc80a9d7fbd9496eeebf982a305b4466dff74ec5f9b3bd4824697a4104366347f2beb6b66136aac971ac91d9256e15a853ae670c

memory/1948-128-0x0000000073E10000-0x00000000740DF000-memory.dmp

memory/1948-129-0x0000000074370000-0x00000000743B9000-memory.dmp

memory/1948-130-0x0000000073D40000-0x0000000073E08000-memory.dmp

memory/1948-131-0x0000000073C30000-0x0000000073D3A000-memory.dmp

memory/1948-132-0x00000000742E0000-0x0000000074368000-memory.dmp

memory/1948-126-0x0000000074410000-0x0000000074434000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\data\unverified-microdesc-consensus

MD5 1586557a98b12769b55dc0093f38e2b7
SHA1 348d477c238c6e97491365184cd894029b95cb1f
SHA256 280496ab70481b438112a25021b9546fd7f08eb93256e52f7b383c425021a337
SHA512 497c0016484f74f1adde3ff728be7d358151198eed426fde36208de59d665536efdd18d67a2249efb47d109a7725f0b9099161232e16a900636d3d517bd1fa86

memory/1120-134-0x0000000004C30000-0x0000000005034000-memory.dmp

memory/1948-135-0x00000000000B0000-0x00000000004B4000-memory.dmp

memory/1696-137-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1948-138-0x00000000000B0000-0x00000000004B4000-memory.dmp

\Users\Admin\AppData\Local\a59e358a\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\a59e358a\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\a59e358a\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\a59e358a\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\a59e358a\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\a59e358a\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\a59e358a\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\a59e358a\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1120-148-0x0000000004C30000-0x0000000005034000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\data\state

MD5 3f35c137b1ba38d7deeb3f41d0c76757
SHA1 2d89311693094f418af96a1b40cf96af7808b2c4
SHA256 e5b6066c60ccae7bd6ec767423eff233f27784250909d7198117d9c13da94fc2
SHA512 625e88a11aa1a63b168dae2a34ccdda6211eec30028233c1be7f7c97b9678b1a2043b6a65aa60f5d066a0df07593790f6b5693445e50700fb3230630a4445089

memory/1696-151-0x00000000000B0000-0x00000000004B4000-memory.dmp

memory/1696-152-0x0000000073D40000-0x0000000073E08000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\torrc

MD5 b286e0ab2c827ec1a57f90b6913030a4
SHA1 6a451c18c5885077cf80af1403e30b6aa17c1e89
SHA256 17b767a932644bf9c0bbfcfdcc9806ad80f8f68e61bbecb034a1c2cf0de14c91
SHA512 bffeb5f631e6e50d36f3e6ffa9c9b0a2fda31ceab22e6f9e2371a39f1430a6a5e7f7723db27c456ca1d3c1996b6fd3b5c842769f8a63dc5ce76ca28134af604e

memory/1696-153-0x00000000742E0000-0x0000000074368000-memory.dmp

memory/1696-154-0x0000000073B60000-0x0000000073C2E000-memory.dmp

memory/1696-155-0x0000000074410000-0x0000000074434000-memory.dmp

memory/1696-156-0x0000000073E10000-0x00000000740DF000-memory.dmp

memory/1696-157-0x0000000074370000-0x00000000743B9000-memory.dmp

memory/1696-158-0x0000000073C30000-0x0000000073D3A000-memory.dmp

C:\Users\Admin\AppData\Local\a59e358a\tor\data\cached-microdescs

MD5 3115384c860ad547d847171d333f30da
SHA1 b97c820d6b1adf4bb8529ece167f9a702736f509
SHA256 c905628eb90718c4ea06ec5e871cdd060680a00a58a05e9203e056004774a0c1
SHA512 dfc2226a781c96edaa7afc1824cda10197d03e6ec6b94af6e8168705b08a9a92351c7363376a2b62448a3114d44276bffa7a60d1ccd62a590b2d26636c00d334

memory/1696-160-0x00000000000B0000-0x00000000004B4000-memory.dmp