Malware Analysis Report

2025-01-03 05:22

Sample ID 230303-t8cb3sae23
Target PlsWork.exe
SHA256 a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Tags
bitrat persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449

Threat Level: Known bad

The file PlsWork.exe was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

Bitrat family

BitRAT

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Checks processor information in registry

Enumerates system info in registry

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-03 16:43

Signatures

Bitrat family

bitrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-03 16:43

Reported

2023-03-03 16:46

Platform

win10-20230220-en

Max time kernel

146s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PlsWork.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1ë°€" C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 164 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 164 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 164 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2268 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PlsWork.exe

"C:\Users\Admin\AppData\Local\Temp\PlsWork.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
CA 199.58.81.140:443 tcp
US 8.8.8.8:53 140.81.58.199.in-addr.arpa udp
N/A 127.0.0.1:49728 tcp
US 74.123.97.10:443 tcp
FR 51.159.151.6:443 tcp
US 135.148.139.41:6968 tcp
US 8.8.8.8:53 6.151.159.51.in-addr.arpa udp
US 8.8.8.8:53 10.97.123.74.in-addr.arpa udp
US 8.8.8.8:53 41.139.148.135.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 135.148.139.41:6968 tcp
FR 51.159.151.6:443 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 159.164.2.23.in-addr.arpa udp
US 8.8.8.8:53 224.74.101.95.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:49809 tcp
GB 51.105.71.136:443 tcp
N/A 127.0.0.1:49834 tcp
LT 46.148.26.44:9001 tcp
FI 135.181.213.167:9000 tcp
US 8.8.8.8:53 44.26.148.46.in-addr.arpa udp
US 8.8.8.8:53 167.213.181.135.in-addr.arpa udp
LV 185.86.150.58:9001 tcp
US 8.8.8.8:53 58.150.86.185.in-addr.arpa udp
NL 8.238.179.126:80 tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
N/A 127.0.0.1:49896 tcp
N/A 127.0.0.1:49919 tcp
N/A 127.0.0.1:49943 tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:49966 tcp
N/A 127.0.0.1:49986 tcp
N/A 127.0.0.1:50007 tcp
N/A 127.0.0.1:50027 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50052 tcp
N/A 127.0.0.1:50073 tcp
N/A 127.0.0.1:50094 tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:50117 tcp
N/A 127.0.0.1:50141 tcp
N/A 127.0.0.1:50162 tcp

Files

memory/2268-121-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2268-122-0x00000000734B0000-0x00000000734EA000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/1900-151-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/1900-152-0x0000000072AD0000-0x0000000072B98000-memory.dmp

memory/1900-153-0x0000000072A00000-0x0000000072ACE000-memory.dmp

memory/1900-155-0x0000000072920000-0x00000000729A8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/1900-154-0x00000000729B0000-0x00000000729F9000-memory.dmp

memory/1900-158-0x00000000727E0000-0x0000000072804000-memory.dmp

memory/1900-157-0x0000000072810000-0x000000007291A000-memory.dmp

memory/1900-161-0x0000000072510000-0x00000000727DF000-memory.dmp

memory/1900-162-0x00000000017B0000-0x0000000001A7F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/2268-171-0x0000000072220000-0x000000007225A000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 dc48c77450780b879f755f68f71ac3bb
SHA1 7b819b2b2194da7180903d2051c191ce3e64ae56
SHA256 456544d87a6ae5d0e7c0380f5c9d1dfaee8923dabdd91fe16926d145fbf83329
SHA512 b5aef9b562242e167366231f9598c8e41465533a1cbeda004558af9afb56c8fa78f1212acae812d95d2fa9bf01f9681ec806d5c2d0eedb741a5897deb445e07e

memory/1900-185-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/1900-186-0x0000000072AD0000-0x0000000072B98000-memory.dmp

memory/1900-187-0x0000000072A00000-0x0000000072ACE000-memory.dmp

memory/1900-193-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/1900-202-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/1900-210-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/4844-228-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/4844-229-0x0000000072510000-0x00000000727DF000-memory.dmp

memory/4844-230-0x0000000072AD0000-0x0000000072B98000-memory.dmp

memory/4844-232-0x00000000729B0000-0x00000000729F9000-memory.dmp

memory/4844-231-0x0000000072A00000-0x0000000072ACE000-memory.dmp

memory/4844-233-0x00000000727E0000-0x0000000072804000-memory.dmp

memory/4844-234-0x0000000072810000-0x000000007291A000-memory.dmp

memory/4844-235-0x0000000072920000-0x00000000729A8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 807c520d31c4b4778f3e4bfe08152b3e
SHA1 0463cfcea150f9b91216c9e0e2ef96b45d8595fe
SHA256 98dc95b3de16e1b70a91dca60f620cf10e4ca5fd427cc84da921ada66f8869f7
SHA512 859a3a3c6ae01627e2ceadcbf35989d403940df1ebfd84962b4892d2cdb5485c355a07c9290f1bd499ced9fcfd3f78a7ce63641f769048364a5840ded22e68f0

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 e5058c0f8c909bcd300f699048f65359
SHA1 9b146c5c768f234265ac1cf5dbd68fd76bc5ffa2
SHA256 f2d21ef26cc522a542317cb70aece1bc7b246c3d4c48cfbb632d1f49de52edb4
SHA512 dce03b18b6d96654c8adcbcfee85e39b8866a1bfa5ba2bd3fa6688edca3bccb9adc1e9be701fd853b74f92f355d4dc8de20b3fce80f272c984983ab36e0db7d5

memory/700-252-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/700-253-0x00000000728D0000-0x0000000072B9F000-memory.dmp

memory/700-254-0x0000000072800000-0x00000000728C8000-memory.dmp

memory/700-255-0x00000000727B0000-0x00000000727F9000-memory.dmp

memory/700-257-0x0000000072610000-0x0000000072698000-memory.dmp

memory/700-256-0x00000000726A0000-0x00000000727AA000-memory.dmp

memory/700-258-0x00000000725E0000-0x0000000072604000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 92675f3f55401855dcac796a88a88f28
SHA1 16bcfda0ad0db337975782f4dfd36c37f073f1e1
SHA256 19c414f076ea0072fbb57baa2f81941d502b180827623609ecfdca95ad9ed866
SHA512 d5dea92f12e12dff9a3e78e6f54bbeceb0385ca87d0368f27c7b7064f84c0a604d198d498e35c3c12308e2e277cfe9b84b79742fa59fbd1d97c70b5bd9d6dfc2

memory/700-259-0x0000000072510000-0x00000000725DE000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\unverified-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/700-269-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/700-277-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/700-285-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/4396-303-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/4396-304-0x00000000728D0000-0x0000000072B9F000-memory.dmp

memory/4396-305-0x0000000072800000-0x00000000728C8000-memory.dmp

memory/4396-306-0x0000000072510000-0x00000000725DE000-memory.dmp

memory/4396-307-0x00000000727B0000-0x00000000727F9000-memory.dmp

memory/4396-309-0x00000000726A0000-0x00000000727AA000-memory.dmp

memory/4396-308-0x00000000725E0000-0x0000000072604000-memory.dmp

memory/4396-311-0x0000000072610000-0x0000000072698000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/3680-325-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/3680-327-0x00000000728D0000-0x0000000072B9F000-memory.dmp

memory/3680-329-0x0000000072800000-0x00000000728C8000-memory.dmp

memory/3680-331-0x00000000727B0000-0x00000000727F9000-memory.dmp

memory/3680-333-0x0000000072780000-0x00000000727A4000-memory.dmp

memory/3680-335-0x0000000072670000-0x000000007277A000-memory.dmp

memory/3680-338-0x00000000725E0000-0x0000000072668000-memory.dmp

memory/3680-339-0x0000000072510000-0x00000000725DE000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/4224-353-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/4224-354-0x00000000728D0000-0x0000000072B9F000-memory.dmp

memory/4224-355-0x0000000072800000-0x00000000728C8000-memory.dmp

memory/4224-360-0x0000000072510000-0x00000000725DE000-memory.dmp

memory/4224-359-0x00000000725E0000-0x0000000072668000-memory.dmp

memory/4224-358-0x0000000072670000-0x000000007277A000-memory.dmp

memory/4224-357-0x0000000072780000-0x00000000727A4000-memory.dmp

memory/4224-356-0x00000000727B0000-0x00000000727F9000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/380-371-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/380-372-0x00000000728D0000-0x0000000072B9F000-memory.dmp

memory/380-373-0x0000000072800000-0x00000000728C8000-memory.dmp

memory/380-374-0x00000000727B0000-0x00000000727F9000-memory.dmp

memory/380-376-0x00000000726A0000-0x00000000727AA000-memory.dmp

memory/380-377-0x00000000725E0000-0x0000000072604000-memory.dmp

memory/380-378-0x0000000072510000-0x00000000725DE000-memory.dmp

memory/380-375-0x0000000072610000-0x0000000072698000-memory.dmp

memory/164-389-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/164-390-0x00000000728D0000-0x0000000072B9F000-memory.dmp

memory/164-392-0x00000000727B0000-0x00000000727F9000-memory.dmp

memory/164-391-0x0000000072800000-0x00000000728C8000-memory.dmp

memory/164-393-0x00000000726A0000-0x00000000727AA000-memory.dmp

memory/164-394-0x0000000072610000-0x0000000072698000-memory.dmp

memory/164-395-0x00000000725E0000-0x0000000072604000-memory.dmp

memory/164-396-0x0000000072510000-0x00000000725DE000-memory.dmp

memory/2268-397-0x00000000734B0000-0x00000000734EA000-memory.dmp

memory/932-408-0x0000000000AE0000-0x0000000000EE4000-memory.dmp

memory/932-409-0x00000000728D0000-0x0000000072B9F000-memory.dmp

memory/932-410-0x0000000072800000-0x00000000728C8000-memory.dmp

memory/932-412-0x00000000726A0000-0x00000000727AA000-memory.dmp

memory/932-414-0x00000000725E0000-0x0000000072604000-memory.dmp

memory/932-413-0x0000000072610000-0x0000000072698000-memory.dmp

memory/932-411-0x00000000727B0000-0x00000000727F9000-memory.dmp

memory/932-415-0x0000000072510000-0x00000000725DE000-memory.dmp

memory/932-418-0x0000000072510000-0x00000000725DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-03 16:43

Reported

2023-03-03 16:45

Platform

win7-20230220-en

Max time kernel

145s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PlsWork.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2016 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PlsWork.exe

"C:\Users\Admin\AppData\Local\Temp\PlsWork.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
DE 37.157.255.35:9090 tcp
N/A 127.0.0.1:49204 tcp
LU 92.38.163.21:443 tcp
N/A 127.0.0.1:45808 tcp
SK 85.248.227.163:9001 tcp
CZ 37.157.195.87:443 tcp
DE 193.23.244.244:443 tcp
GB 77.68.30.104:9201 tcp
NL 51.15.44.251:443 tcp
DE 82.165.167.46:9001 tcp
N/A 127.0.0.1:45808 tcp
GB 77.68.30.104:9201 tcp
NL 51.15.44.251:443 tcp
N/A 127.0.0.1:49300 tcp
N/A 127.0.0.1:49337 tcp
EE 95.153.32.22:9001 tcp
US 64.31.55.212:443 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
N/A 127.0.0.1:49490 tcp
N/A 127.0.0.1:49533 tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
US 8.247.211.126:80 tcp

Files

memory/2016-54-0x0000000000400000-0x0000000000BD8000-memory.dmp

\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2016-86-0x0000000003CA0000-0x00000000040A4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/2016-88-0x0000000003CA0000-0x00000000040A4000-memory.dmp

memory/984-89-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/984-91-0x0000000074930000-0x0000000074979000-memory.dmp

memory/984-90-0x0000000074390000-0x000000007465F000-memory.dmp

memory/984-92-0x00000000742C0000-0x0000000074388000-memory.dmp

memory/984-93-0x00000000741B0000-0x00000000742BA000-memory.dmp

memory/984-94-0x00000000748A0000-0x0000000074928000-memory.dmp

memory/984-95-0x00000000740E0000-0x00000000741AE000-memory.dmp

memory/984-96-0x0000000074C30000-0x0000000074C54000-memory.dmp

memory/984-99-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/984-102-0x00000000742C0000-0x0000000074388000-memory.dmp

memory/984-100-0x0000000074390000-0x000000007465F000-memory.dmp

memory/984-105-0x00000000740E0000-0x00000000741AE000-memory.dmp

memory/2016-107-0x0000000003CA0000-0x00000000040A4000-memory.dmp

memory/984-108-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/984-109-0x00000000010E0000-0x00000000014E4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/984-125-0x00000000010E0000-0x00000000014E4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 e9f65cd516f5d44399dac6bb562c44a6
SHA1 d0ccd32f3ffdf67c1d95fbea66ec454a3b27e68b
SHA256 57ba51c8a093cbd7aa8331cef178be10432336b20e014585f8ffb9764414eb53
SHA512 dfceb30aee7b8318898d714aee5baa543eab350f9c3ed998c0c6a907bd850fc06456b493d3d583066746c020eb5f945214778b2ffd0a1b390ebe62b0eaa82eb3

memory/984-146-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/984-154-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/984-162-0x00000000010E0000-0x00000000014E4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/1620-184-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/1620-186-0x0000000074390000-0x000000007465F000-memory.dmp

memory/1620-187-0x0000000074930000-0x0000000074979000-memory.dmp

memory/1620-188-0x00000000742C0000-0x0000000074388000-memory.dmp

memory/2016-189-0x00000000048F0000-0x0000000004CF4000-memory.dmp

memory/1620-190-0x00000000741B0000-0x00000000742BA000-memory.dmp

memory/1620-192-0x00000000748A0000-0x0000000074928000-memory.dmp

memory/1620-194-0x00000000740E0000-0x00000000741AE000-memory.dmp

memory/1620-196-0x0000000074C30000-0x0000000074C54000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 f6a257abd3cc4ed52670904953f2379a
SHA1 b2571ceaec98b03069b1bda74769edab474bd3c3
SHA256 dc86c5d4104df663e91c694afea24bfea8ee2d6c379b3f020614d429382f71f6
SHA512 2baeff5c8645eb3effd000d3b77d9d32ee60744f240b9e13e461eed99e7cbe1c59079d13f6d3fa4cc6fc02e039b5517f90f5b657bdc8f8fb735657802109cb69

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 12ae514e6cada06c2805f0d0fa785566
SHA1 639437a16d725c3619ea8fcfb01900fe7c834fb6
SHA256 c866fc6833525c7eef0f3ad3c00fce05f84b9ad0ef1b1d29749e49c821bfff52
SHA512 6115ce1eae34523c7b68dccf8a82a6b9e2c0b7e02385843ad3f12120202156799a0c39783199ba09c41fe68090a4b7f57a0c77c05926e7c6b05ae631390bf566

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/2016-218-0x00000000048F0000-0x0000000004CF4000-memory.dmp

memory/700-219-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/700-220-0x00000000740C0000-0x000000007438F000-memory.dmp

memory/700-221-0x00000000748E0000-0x0000000074929000-memory.dmp

memory/700-222-0x0000000074590000-0x0000000074658000-memory.dmp

memory/700-223-0x0000000074480000-0x000000007458A000-memory.dmp

memory/700-224-0x00000000743F0000-0x0000000074478000-memory.dmp

memory/700-225-0x0000000073F90000-0x000000007405E000-memory.dmp

memory/700-226-0x0000000074950000-0x0000000074974000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 21a062034a678e126d910cb34eabbd17
SHA1 58ccf5c989c0bea541fbb62fc566b03fc0f9fdfd
SHA256 1a73ce6493b66051cddc1e6d223af65149621264fb2116b68a42f79e04d004a6
SHA512 a35d5e357ae93665553b9b6b785f8c726d7745dc2737ac790074e2aa548390c48875260dfa1669c77732133ea7984920a64d3d6b8d9de4264f258e8c20f53589

C:\Users\Admin\AppData\Local\d46500b0\tor\data\unverified-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/2016-232-0x00000000048F0000-0x0000000004CF4000-memory.dmp

memory/700-237-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/2016-245-0x00000000048F0000-0x0000000004CF4000-memory.dmp

memory/700-246-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/2016-255-0x00000000003F0000-0x00000000003FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAAC3.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\TarABF3.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9dc28184d8f4ea4a5cdd88e97d749108
SHA1 e134e6af7999fd65727e6786db3ef7e147640391
SHA256 3fa9552355a5460333dfc81984ffe2f14245d50a0fbd85d6bbb20c2a36c1e31d
SHA512 e6a7eb45f3502fc9bf46e6e2fcf6d7430eab394a4252d7ee5dd8e48143a33ce5b1511f1d90be6c0bf17e3cc122a39c8a5217e0a683d6a36d5f1b4092f3164bff

\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/700-365-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/2016-369-0x0000000005410000-0x0000000005814000-memory.dmp

memory/1256-371-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/1256-373-0x00000000740C0000-0x000000007438F000-memory.dmp

memory/1256-375-0x00000000748E0000-0x0000000074929000-memory.dmp

memory/1256-376-0x0000000074590000-0x0000000074658000-memory.dmp

memory/1256-378-0x0000000074480000-0x000000007458A000-memory.dmp

memory/1256-379-0x00000000743F0000-0x0000000074478000-memory.dmp

memory/1256-380-0x0000000073F90000-0x000000007405E000-memory.dmp

memory/1256-381-0x0000000074950000-0x0000000074974000-memory.dmp

memory/2016-382-0x00000000003F0000-0x00000000003FA000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/1876-407-0x00000000010E0000-0x00000000014E4000-memory.dmp

memory/1876-409-0x0000000074610000-0x0000000074659000-memory.dmp

memory/1876-408-0x00000000735A0000-0x000000007386F000-memory.dmp

memory/1876-410-0x0000000074540000-0x0000000074608000-memory.dmp

memory/1876-412-0x0000000074300000-0x0000000074388000-memory.dmp

memory/1876-411-0x0000000074430000-0x000000007453A000-memory.dmp

memory/1876-414-0x0000000074900000-0x0000000074924000-memory.dmp

memory/1876-413-0x0000000074230000-0x00000000742FE000-memory.dmp

memory/2016-415-0x0000000005410000-0x0000000005814000-memory.dmp

memory/2016-416-0x0000000005410000-0x0000000005814000-memory.dmp

memory/2016-457-0x0000000003B40000-0x0000000003B4A000-memory.dmp

memory/2016-458-0x0000000003B40000-0x0000000003B4A000-memory.dmp

memory/2016-459-0x0000000005410000-0x0000000005814000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-03-03 16:43

Reported

2023-03-03 16:46

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\System32\svchost.exe -k netsvcs -p

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5D626932-D1E6-45FC-876B-C4BCA8748390}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3855911F-D1F0-4299-ABE6-7E8920345552}.catalogItem C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4440 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\PlsWork.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\PlsWork.exe

"C:\Users\Admin\AppData\Local\Temp\PlsWork.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.33.24.67.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 84.150.43.20.in-addr.arpa udp
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
US 8.8.8.8:53 57.103.197.20.in-addr.arpa udp
AT 86.59.21.38:443 tcp
N/A 127.0.0.1:49760 tcp
US 8.8.8.8:53 38.21.59.86.in-addr.arpa udp
RO 185.100.85.61:443 tcp
US 8.8.8.8:53 61.85.100.185.in-addr.arpa udp
US 147.135.65.26:443 tcp
DE 185.220.101.210:8443 tcp
DE 178.63.40.99:9090 tcp
US 8.8.8.8:53 210.101.220.185.in-addr.arpa udp
US 8.8.8.8:53 99.40.63.178.in-addr.arpa udp
US 8.8.8.8:53 26.65.135.147.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
DE 185.220.101.210:8443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 178.63.40.99:9090 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 116.172.5.23.in-addr.arpa udp
US 8.8.8.8:53 99.143.109.104.in-addr.arpa udp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49863 tcp
N/A 127.0.0.1:49892 tcp
DE 91.143.80.230:443 tcp
US 8.8.8.8:53 230.80.143.91.in-addr.arpa udp
DE 94.130.142.182:8443 tcp
US 8.8.8.8:53 182.142.130.94.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
FR 54.36.205.38:9001 tcp
US 8.8.8.8:53 38.205.36.54.in-addr.arpa udp
DE 91.143.80.230:443 tcp
N/A 127.0.0.1:49951 tcp
N/A 127.0.0.1:49985 tcp
US 8.8.8.8:53 udp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:50031 tcp
N/A 127.0.0.1:50059 tcp
DE 217.182.196.65:443 tcp
FR 54.36.205.38:9001 tcp
US 8.8.8.8:53 65.196.182.217.in-addr.arpa udp
DE 91.143.80.230:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:50105 tcp
N/A 127.0.0.1:50126 tcp
DE 81.7.13.84:443 tcp
FR 54.36.205.38:9001 tcp
DE 91.143.80.230:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp

Files

memory/4440-133-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4440-136-0x0000000074500000-0x0000000074539000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/4596-169-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/4596-170-0x0000000073930000-0x00000000739FE000-memory.dmp

memory/4596-171-0x0000000073A00000-0x0000000073A49000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/4596-176-0x0000000073720000-0x000000007382A000-memory.dmp

memory/4596-175-0x0000000073830000-0x0000000073854000-memory.dmp

memory/4596-177-0x0000000073690000-0x0000000073718000-memory.dmp

memory/4596-178-0x00000000014E0000-0x0000000001568000-memory.dmp

memory/4596-179-0x00000000733C0000-0x000000007368F000-memory.dmp

memory/4596-180-0x0000000001D40000-0x000000000200F000-memory.dmp

memory/4596-181-0x0000000073860000-0x0000000073928000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/4440-202-0x0000000072FB0000-0x0000000072FE9000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 5604c1e5b2f9c95d6ba2c8389dd77898
SHA1 741dcf3c352840e7b981e4503c43c2758db184af
SHA256 0c9517af71935da357e37f77e4b6bc3fe956f6053de07e08ebef43d3fe6b8bcb
SHA512 72e86a2097e4980cc8b3a1b5809a17c957a056a422d26f386cd0c9ececfd55c30daedc1e55019fa1c56706e5b41b06c7c3fc3ff8fb6664b2cabaf5d0abf25772

memory/4596-213-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/4596-214-0x0000000073930000-0x00000000739FE000-memory.dmp

memory/4596-221-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/4596-222-0x00000000014E0000-0x0000000001568000-memory.dmp

memory/4596-229-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/4596-237-0x00000000009C0000-0x0000000000DC4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/884-254-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/884-255-0x00000000733C0000-0x000000007368F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/884-257-0x0000000073860000-0x0000000073928000-memory.dmp

memory/884-258-0x0000000073930000-0x00000000739FE000-memory.dmp

memory/884-261-0x0000000073830000-0x0000000073854000-memory.dmp

memory/884-263-0x0000000073720000-0x000000007382A000-memory.dmp

memory/884-264-0x0000000073860000-0x0000000073928000-memory.dmp

memory/884-266-0x0000000073930000-0x00000000739FE000-memory.dmp

memory/884-265-0x0000000073690000-0x0000000073718000-memory.dmp

memory/884-262-0x00000000733C0000-0x000000007368F000-memory.dmp

memory/884-259-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/884-260-0x0000000073A00000-0x0000000073A49000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 b0bf8e1b27411f86f6c46280511dc321
SHA1 537ade45e081a877e948004382573feb8736b089
SHA256 5960c0d94aea1646f8dd0b4ab249ae16d427153fc04dd28e271682696f8d0b7b
SHA512 521541212754e1b68a8a69a07f7affd1449d395e08b84bc5aab53d5b226d1ae0f6e72ced660faf52b50ebfe82f0f7e5ebaa4d9f44d1795f96ca4ac8e380ab40b

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 1b43fce0af50a5a394961b00634a0cb6
SHA1 3ba1765d4fe34237d9a1ce9b2959eb347f8292c3
SHA256 df274091be4ae20718304d2df2aaa538aaf37af02ca603b5916ecf1a36069fa2
SHA512 c283221a22aa10fc3f68818609c24bb47f0032198b8210d37ac5e01b788f7bcfb5d86d77a8740c33e274fc1a9b07dfca2232b050dd2e6eedcdb38277725e26f3

memory/4732-284-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/4732-286-0x0000000073780000-0x0000000073A4F000-memory.dmp

memory/4732-288-0x00000000736B0000-0x0000000073778000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/4732-289-0x00000000735E0000-0x00000000736AE000-memory.dmp

memory/4732-291-0x0000000073560000-0x0000000073584000-memory.dmp

memory/4732-290-0x0000000073590000-0x00000000735D9000-memory.dmp

memory/4732-293-0x00000000733C0000-0x0000000073448000-memory.dmp

memory/4732-292-0x0000000073450000-0x000000007355A000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 8518050bf355bfbc7c74f0c506110824
SHA1 7c81e21f288ac6539ac504e8f373528efdeee820
SHA256 c44b36ce23cdf5529b28bfd1d8fcfe63ea8a34d6aafe649da39ddf41f4a307b3
SHA512 18ebd312b519904cd7bb54fcf4df283555df0f980cf60fe8cc3cc38d0de433e11287b415398a6d963fc42ea95d605cc64a2cc1f5b407103cb1586b2800cd9154

C:\Users\Admin\AppData\Local\d46500b0\tor\data\unverified-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/4732-301-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/4732-309-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/4732-317-0x00000000009C0000-0x0000000000DC4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/1456-336-0x0000000073780000-0x0000000073A4F000-memory.dmp

memory/1456-335-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/1456-338-0x00000000736B0000-0x0000000073778000-memory.dmp

memory/1456-339-0x00000000735E0000-0x00000000736AE000-memory.dmp

memory/1456-341-0x0000000073590000-0x00000000735D9000-memory.dmp

memory/1456-343-0x0000000073560000-0x0000000073584000-memory.dmp

memory/1456-345-0x0000000073450000-0x000000007355A000-memory.dmp

memory/1456-347-0x00000000733C0000-0x0000000073448000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/4664-360-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/4664-361-0x00000000736B0000-0x0000000073778000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/4664-365-0x0000000073660000-0x00000000736A9000-memory.dmp

memory/4664-366-0x0000000073550000-0x000000007365A000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 8cf8a743382b180f1ac5dc894343a9cf
SHA1 26fbe48604b7706a87cbd9f4350b6309704aa668
SHA256 c51a1c6432b9f492e933568f4a7ab753e9979a3a5fbb7bb50026a129d7f7d846
SHA512 ca454bde59ed5549ed05e12f157120ff4a4db9b9c5b00cb0541b0c65fee89479cdf9fda014554aec952ee9b0de48b97c1c86682bdefa0b21c8c6348681304ba2

memory/4664-362-0x0000000073780000-0x0000000073A4F000-memory.dmp

memory/4664-367-0x00000000734C0000-0x0000000073548000-memory.dmp

memory/4664-368-0x0000000073490000-0x00000000734B4000-memory.dmp

memory/4664-369-0x00000000733C0000-0x000000007348E000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 ea7c1b40860b2ecc4a9e049f3a4be8b6
SHA1 f287a430752088447c85b2eeb194b834cdb86c8c
SHA256 6fb3f4590f5bdc6ddaf2ec0089357737d745b73a16a4ea169b9d1ca6b3213894
SHA512 85ef8296823e1e514e73ed958d78afe68b40538482d2506b316ae20d469289b9de3a31066ac90fe69be3f0870ad8b622f872ee6c43a8062056553cdd206d4e49

memory/4664-381-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/4664-382-0x00000000736B0000-0x0000000073778000-memory.dmp

memory/4664-383-0x0000000073780000-0x0000000073A4F000-memory.dmp

memory/676-396-0x0000000073780000-0x0000000073A4F000-memory.dmp

memory/676-398-0x00000000736B0000-0x0000000073778000-memory.dmp

memory/676-400-0x00000000733C0000-0x000000007348E000-memory.dmp

memory/676-403-0x0000000073660000-0x00000000736A9000-memory.dmp

memory/676-406-0x0000000073490000-0x00000000734B4000-memory.dmp

memory/676-409-0x0000000073550000-0x000000007365A000-memory.dmp

memory/676-412-0x00000000734C0000-0x0000000073548000-memory.dmp

memory/4664-410-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/676-417-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/676-419-0x00000000736B0000-0x0000000073778000-memory.dmp

memory/676-418-0x0000000073780000-0x0000000073A4F000-memory.dmp

memory/676-420-0x00000000733C0000-0x000000007348E000-memory.dmp

memory/4440-421-0x0000000074500000-0x0000000074539000-memory.dmp

memory/1008-424-0x00000000009C0000-0x0000000000DC4000-memory.dmp

memory/1008-425-0x0000000073780000-0x0000000073A4F000-memory.dmp

memory/1008-426-0x00000000736B0000-0x0000000073778000-memory.dmp

memory/1008-427-0x0000000073660000-0x00000000736A9000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3