Malware Analysis Report

2025-01-03 05:11

Sample ID 230303-vcd2gaaa5v
Target workkkkkkkk2.exe
SHA256 aba8bad15949bd79d6b47939afbe4a8febf82eab89527f42a08836da9022d7b8
Tags
bitrat persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aba8bad15949bd79d6b47939afbe4a8febf82eab89527f42a08836da9022d7b8

Threat Level: Known bad

The file workkkkkkkk2.exe was found to be: Known bad.

Malicious Activity Summary

bitrat persistence ransomware trojan upx

Bitrat family

BitRAT

Loads dropped DLL

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-03 16:50

Signatures

Bitrat family

bitrat

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-03 16:50

Reported

2023-03-03 16:54

Platform

win10-20230220-en

Max time kernel

238s

Max time network

245s

Command Line

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1︀" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1ë°€" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1츀" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2oi27hofLboVnNG1" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Desktop\General C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2oi27hofLboVnNG1" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 2544 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 2544 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 2544 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 2544 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 2544 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 2544 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 2544 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 2544 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49734 tcp
FR 185.13.39.197:443 tcp
US 66.111.2.16:9001 tcp
US 8.8.8.8:53 16.2.111.66.in-addr.arpa udp
PL 195.230.23.185:9001 tcp
DE 46.4.57.75:8443 tcp
FR 129.151.246.99:9001 tcp
US 8.8.8.8:53 75.57.4.46.in-addr.arpa udp
US 8.8.8.8:53 99.246.151.129.in-addr.arpa udp
US 8.8.8.8:53 185.23.230.195.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
FR 129.151.246.99:9001 tcp
DE 46.4.57.75:8443 tcp
PL 195.230.23.185:9001 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 116.172.5.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 20.189.173.5:443 tcp
NL 87.248.202.1:80 tcp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 i.imgur.com udp
NL 199.232.148.193:80 i.imgur.com tcp
NL 199.232.148.193:443 i.imgur.com tcp
US 8.8.8.8:53 193.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49887 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49953 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:49998 tcp
N/A 127.0.0.1:50033 tcp
N/A 127.0.0.1:50070 tcp
N/A 127.0.0.1:50101 tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:50152 tcp
N/A 127.0.0.1:50180 tcp

Files

memory/2544-121-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2544-122-0x0000000073950000-0x000000007398A000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/4484-150-0x0000000001240000-0x0000000001644000-memory.dmp

memory/4484-151-0x0000000072FF0000-0x0000000073039000-memory.dmp

memory/4484-152-0x0000000072F20000-0x0000000072FE8000-memory.dmp

memory/4484-153-0x00000000739C0000-0x00000000739E4000-memory.dmp

memory/4484-154-0x0000000072DC0000-0x0000000072E48000-memory.dmp

memory/4484-155-0x0000000072CB0000-0x0000000072DBA000-memory.dmp

memory/4484-156-0x00000000729E0000-0x0000000072CAF000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/4484-160-0x0000000072E50000-0x0000000072F1E000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus.tmp

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/2544-169-0x00000000726D0000-0x000000007270A000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdescs.new

MD5 bfdc65a2c121da9e35111fd557ce9460
SHA1 a3697883f4693bd97f01758f63be7aabccecffc5
SHA256 24c3f4aea51f8c48a0b1ecd46792ad610a186e9b1412a845977c5b4ca874a3af
SHA512 21f7ff0b9dc3c3d409f370dbfab98132758d84d49dce7585b5c6bb486287c65f9c72e41b399c60e31d31b559e1fc9c1fdfc85906eb1179ea63eaac90deac36c9

memory/4484-183-0x0000000001240000-0x0000000001644000-memory.dmp

memory/4484-184-0x0000000072FF0000-0x0000000073039000-memory.dmp

memory/4484-185-0x0000000072F20000-0x0000000072FE8000-memory.dmp

memory/4484-186-0x00000000739C0000-0x00000000739E4000-memory.dmp

memory/4484-189-0x00000000729E0000-0x0000000072CAF000-memory.dmp

memory/4484-191-0x0000000001240000-0x0000000001644000-memory.dmp

memory/4484-200-0x0000000001240000-0x0000000001644000-memory.dmp

memory/4484-208-0x0000000001240000-0x0000000001644000-memory.dmp

memory/4484-216-0x0000000001240000-0x0000000001644000-memory.dmp

memory/4484-224-0x0000000001240000-0x0000000001644000-memory.dmp

memory/4484-232-0x0000000001240000-0x0000000001644000-memory.dmp

memory/4484-240-0x0000000001240000-0x0000000001644000-memory.dmp

memory/4484-248-0x0000000001240000-0x0000000001644000-memory.dmp

memory/2544-263-0x0000000073950000-0x000000007398A000-memory.dmp

memory/3096-282-0x0000000001240000-0x0000000001644000-memory.dmp

memory/3096-284-0x0000000072F20000-0x0000000072FE8000-memory.dmp

memory/3096-283-0x00000000729E0000-0x0000000072CAF000-memory.dmp

memory/3096-285-0x0000000072E50000-0x0000000072F1E000-memory.dmp

memory/3096-286-0x0000000072FF0000-0x0000000073039000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/3096-289-0x0000000072CB0000-0x0000000072DBA000-memory.dmp

memory/3096-287-0x00000000739C0000-0x00000000739E4000-memory.dmp

memory/3096-291-0x0000000072DC0000-0x0000000072E48000-memory.dmp

memory/3096-292-0x0000000001080000-0x0000000001108000-memory.dmp

memory/3096-300-0x0000000001240000-0x0000000001644000-memory.dmp

memory/3096-301-0x00000000729E0000-0x0000000072CAF000-memory.dmp

memory/3096-303-0x0000000072E50000-0x0000000072F1E000-memory.dmp

memory/3096-304-0x00000000739C0000-0x00000000739E4000-memory.dmp

memory/3096-302-0x0000000072F20000-0x0000000072FE8000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/3320-350-0x0000000001240000-0x0000000001644000-memory.dmp

memory/3320-352-0x00000000729E0000-0x0000000072CAF000-memory.dmp

memory/3320-354-0x0000000072F20000-0x0000000072FE8000-memory.dmp

memory/3320-356-0x0000000072E50000-0x0000000072F1E000-memory.dmp

memory/3320-358-0x0000000072FF0000-0x0000000073039000-memory.dmp

memory/3320-360-0x00000000739C0000-0x00000000739E4000-memory.dmp

memory/3320-361-0x0000000072CB0000-0x0000000072DBA000-memory.dmp

memory/3320-362-0x0000000072DC0000-0x0000000072E48000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/212-397-0x0000000001240000-0x0000000001644000-memory.dmp

memory/212-398-0x0000000072F20000-0x0000000072FE8000-memory.dmp

memory/212-399-0x00000000729E0000-0x0000000072CAF000-memory.dmp

memory/212-401-0x0000000072FF0000-0x0000000073039000-memory.dmp

memory/212-400-0x0000000072E50000-0x0000000072F1E000-memory.dmp

memory/212-402-0x00000000739C0000-0x00000000739E4000-memory.dmp

memory/212-403-0x0000000072CB0000-0x0000000072DBA000-memory.dmp

memory/212-404-0x0000000072DC0000-0x0000000072E48000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/1168-425-0x0000000001240000-0x0000000001644000-memory.dmp

memory/1168-428-0x00000000729E0000-0x0000000072CAF000-memory.dmp

memory/1168-430-0x0000000072F20000-0x0000000072FE8000-memory.dmp

memory/1168-432-0x0000000072E50000-0x0000000072F1E000-memory.dmp

memory/1168-435-0x0000000072FF0000-0x0000000073039000-memory.dmp

memory/1168-436-0x0000000072DC0000-0x0000000072E48000-memory.dmp

memory/1168-438-0x00000000739C0000-0x00000000739E4000-memory.dmp

memory/1168-437-0x0000000072CB0000-0x0000000072DBA000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/3216-465-0x0000000001240000-0x0000000001644000-memory.dmp

memory/3216-467-0x0000000072F20000-0x0000000072FE8000-memory.dmp

memory/3216-466-0x00000000729E0000-0x0000000072CAF000-memory.dmp

memory/3216-468-0x0000000072E50000-0x0000000072F1E000-memory.dmp

memory/3216-470-0x00000000739C0000-0x00000000739E4000-memory.dmp

memory/3216-469-0x0000000072FF0000-0x0000000073039000-memory.dmp

memory/3216-471-0x0000000072CB0000-0x0000000072DBA000-memory.dmp

memory/3216-472-0x0000000072DC0000-0x0000000072E48000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/2964-483-0x0000000072E50000-0x0000000072F1E000-memory.dmp

memory/2964-485-0x0000000072DC0000-0x0000000072E48000-memory.dmp

memory/2964-484-0x0000000072FF0000-0x0000000073039000-memory.dmp

memory/2964-486-0x0000000072CB0000-0x0000000072DBA000-memory.dmp

memory/2964-487-0x00000000739C0000-0x00000000739E4000-memory.dmp

memory/2964-496-0x00000000729E0000-0x0000000072CAF000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-03-03 16:50

Reported

2023-03-03 16:54

Platform

win10v2004-20230220-en

Max time kernel

241s

Max time network

249s

Command Line

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4776 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 4776 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 33.18.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.103.197.20.in-addr.arpa udp
CA 192.160.102.170:9001 tcp
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
US 8.8.8.8:53 170.102.160.192.in-addr.arpa udp
N/A 127.0.0.1:49753 tcp
N/A 127.0.0.1:45808 tcp
CZ 87.236.199.239:80 tcp
US 172.241.140.249:443 tcp
US 185.220.103.112:443 tcp
US 8.8.8.8:53 239.199.236.87.in-addr.arpa udp
US 8.8.8.8:53 112.103.220.185.in-addr.arpa udp
US 8.8.8.8:53 249.140.241.172.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 84.150.43.20.in-addr.arpa udp
CZ 87.236.199.239:80 tcp
US 172.241.140.249:443 tcp
US 185.220.103.112:443 tcp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 99.113.223.173.in-addr.arpa udp
US 8.8.8.8:53 113.66.64.40.in-addr.arpa udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 169.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 104.144.221.88.in-addr.arpa udp
IE 20.50.73.11:443 tcp
US 8.8.8.8:53 8.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 98.144.221.88.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 50.4.107.13.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 155.25.221.88.in-addr.arpa udp
N/A 127.0.0.1:50118 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 116.172.5.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
N/A 127.0.0.1:50160 tcp
DE 62.141.38.69:443 tcp
DE 131.188.40.189:443 tcp
FR 163.172.139.104:443 tcp
US 8.8.8.8:53 104.139.172.163.in-addr.arpa udp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
DE 217.79.179.177:9001 tcp
US 8.8.8.8:53 177.179.79.217.in-addr.arpa udp
GR 185.4.132.148:443 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 148.132.4.185.in-addr.arpa udp
SE 171.25.193.20:443 tcp
US 8.8.8.8:53 20.193.25.171.in-addr.arpa udp
NO 193.35.52.53:9001 tcp
US 154.35.175.225:443 tcp
SE 193.11.114.45:9002 tcp
N/A 127.0.0.1:45808 tcp
FI 185.100.86.128:9001 tcp
US 8.8.8.8:53 45.114.11.193.in-addr.arpa udp
US 8.8.8.8:53 128.86.100.185.in-addr.arpa udp
DE 5.189.169.190:8080 tcp
US 8.8.8.8:53 190.169.189.5.in-addr.arpa udp
DE 78.47.18.110:80 tcp
US 8.8.8.8:53 110.18.47.78.in-addr.arpa udp
DK 185.96.88.29:443 tcp
US 128.31.0.13:443 tcp
SE 171.25.193.9:80 tcp
US 8.8.8.8:53 13.0.31.128.in-addr.arpa udp
US 8.8.8.8:53 9.193.25.171.in-addr.arpa udp
NL 77.247.181.162:443 tcp
US 45.79.108.130:9001 tcp
CA 199.58.81.140:443 tcp
US 8.8.8.8:53 140.81.58.199.in-addr.arpa udp
US 8.8.8.8:53 130.108.79.45.in-addr.arpa udp
N/A 127.0.0.1:50254 tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:50300 tcp
DE 178.254.7.88:8443 tcp
FR 95.128.43.164:443 tcp
NO 193.35.52.53:9001 tcp
US 8.8.8.8:53 164.43.128.95.in-addr.arpa udp
FI 185.100.86.182:8080 tcp
CA 192.160.102.169:9001 tcp
FR 51.254.147.57:443 tcp
US 8.8.8.8:53 169.102.160.192.in-addr.arpa udp
SE 171.25.193.9:80 tcp
MD 178.17.174.14:9001 tcp
US 8.8.8.8:53 14.174.17.178.in-addr.arpa udp
DE 81.7.14.253:443 tcp
US 8.8.8.8:53 253.14.7.81.in-addr.arpa udp
CA 199.58.81.140:443 tcp
BG 213.183.60.21:443 tcp
N/A 127.0.0.1:45808 tcp
RU 213.141.138.174:9001 tcp
NL 45.66.33.45:443 tcp
US 8.8.8.8:53 45.33.66.45.in-addr.arpa udp

Files

memory/4776-133-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4776-134-0x00000000748F0000-0x0000000074929000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/4620-170-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4620-171-0x0000000073D70000-0x0000000073E3E000-memory.dmp

memory/4620-172-0x0000000073CA0000-0x0000000073D68000-memory.dmp

memory/4620-174-0x0000000073C20000-0x0000000073C44000-memory.dmp

memory/4620-175-0x0000000073B10000-0x0000000073C1A000-memory.dmp

memory/4620-173-0x0000000073C50000-0x0000000073C99000-memory.dmp

memory/4620-176-0x0000000073A80000-0x0000000073B08000-memory.dmp

memory/4620-177-0x00000000018C0000-0x0000000001948000-memory.dmp

memory/4620-178-0x00000000737B0000-0x0000000073A7F000-memory.dmp

memory/4620-179-0x0000000002070000-0x000000000233F000-memory.dmp

memory/4776-180-0x00000000733A0000-0x00000000733D9000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus.tmp

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdescs.new

MD5 5385c520aedfe33894f9d58dacd3c74a
SHA1 8fd578d8497df3fc93c538dab79a854ff7f24629
SHA256 475dbbead4294439d33b33511f108d2cc13be61421dabd2c41f8d7d430809318
SHA512 d62f06935bf896da7309ec1cf7080a4f4af1cd6e17e84e0b61369d873bd10badb11bbe7ee0eb11c28c0f981be52bc2b938c0437b982c77df437a4b94819c891c

memory/4620-200-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4620-210-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4620-211-0x00000000018C0000-0x0000000001948000-memory.dmp

memory/4620-212-0x0000000002070000-0x000000000233F000-memory.dmp

memory/4620-217-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4620-225-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4620-233-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4776-241-0x0000000074910000-0x0000000074949000-memory.dmp

memory/4620-242-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4620-250-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4620-258-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4620-266-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4776-274-0x00000000748F0000-0x0000000074929000-memory.dmp

memory/4620-292-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/1744-302-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/1744-304-0x0000000073CA0000-0x0000000073D68000-memory.dmp

memory/1744-303-0x00000000737B0000-0x0000000073A7F000-memory.dmp

memory/1744-305-0x0000000073D70000-0x0000000073E3E000-memory.dmp

memory/1744-306-0x0000000073C50000-0x0000000073C99000-memory.dmp

memory/1744-308-0x0000000073B10000-0x0000000073C1A000-memory.dmp

memory/1744-309-0x0000000073A80000-0x0000000073B08000-memory.dmp

memory/1744-307-0x0000000073C20000-0x0000000073C44000-memory.dmp

memory/4776-310-0x0000000073CD0000-0x0000000073D09000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\state

MD5 c21f190b3d40c0cf6abe7600fe9a1e6b
SHA1 6e9c7cc81aa3b3b729acc94685dd26e4739ec605
SHA256 087873eeba876a911f09d665d477000cb327118c11413b8b55002e8c406d5012
SHA512 3f834e463d6923b1d1c9e14467b44746826436069bad825def2e875efc81a236931c20f5add165ad6aefad255144495627eb9f00cb9eacec36d566f1efe0ee64

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-certs

MD5 115331f1dcf67e5538a4f60ffef02290
SHA1 bf57f84c5013b4f80844798da7d727d8c99a73b8
SHA256 73325cad4057b953530f7dede314e3422a11bba9f56ec912fc149ce0de1aec50
SHA512 5cfb537e7b1e49e663e8766ba242c3c174f887c4a985d14dfd19041ab2841163b1dd5e6b51dc1eacdcba81a0e5a821642a88d28098f8d74748b902bd36d70dc2

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/1664-332-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/1664-333-0x0000000072700000-0x00000000729CF000-memory.dmp

memory/1664-335-0x00000000725E0000-0x0000000072629000-memory.dmp

memory/1664-336-0x00000000725B0000-0x00000000725D4000-memory.dmp

memory/1664-337-0x00000000724A0000-0x00000000725AA000-memory.dmp

memory/1664-334-0x0000000072630000-0x00000000726F8000-memory.dmp

memory/1664-338-0x0000000072410000-0x0000000072498000-memory.dmp

memory/1664-339-0x0000000072340000-0x000000007240E000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdescs

MD5 2719894f6ff0f8a59f3773ce4e47ccc6
SHA1 a5e21fbf0140352b17754d74726f9c24c392f0a3
SHA256 1b7cd88de490723c31dd77bd4f3c2745852d7d5d970370439ab9441bc0021ddc
SHA512 a8cabd0c1ced0d135b9597f76e4e8971a0916126de932cfa22a86fc3473ad16f900eb744396e1ae189c6eac8ae9d628d9b7efeb44533e9d0dbb2f67bc78679a5

C:\Users\Admin\AppData\Local\33245aa2\tor\data\unverified-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/1664-352-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/4776-353-0x0000000074910000-0x0000000074949000-memory.dmp

memory/1664-407-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/1048-413-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/1048-414-0x0000000072700000-0x00000000729CF000-memory.dmp

memory/1048-415-0x0000000072630000-0x00000000726F8000-memory.dmp

memory/1048-416-0x0000000072340000-0x000000007240E000-memory.dmp

memory/1048-417-0x00000000725E0000-0x0000000072629000-memory.dmp

memory/1048-418-0x00000000725B0000-0x00000000725D4000-memory.dmp

memory/1048-420-0x00000000724A0000-0x00000000725AA000-memory.dmp

memory/1048-419-0x0000000072410000-0x0000000072498000-memory.dmp

memory/3080-434-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/3080-435-0x0000000072700000-0x00000000729CF000-memory.dmp

memory/3080-436-0x0000000072630000-0x00000000726F8000-memory.dmp

memory/3080-437-0x0000000072560000-0x000000007262E000-memory.dmp

memory/3080-438-0x0000000072510000-0x0000000072559000-memory.dmp

memory/3080-439-0x0000000000D00000-0x0000000000D49000-memory.dmp

memory/3080-440-0x00000000724E0000-0x0000000072504000-memory.dmp

memory/3080-441-0x00000000723D0000-0x00000000724DA000-memory.dmp

memory/3080-443-0x0000000072340000-0x00000000723C8000-memory.dmp

memory/3080-444-0x0000000000D00000-0x0000000000D88000-memory.dmp

memory/3080-455-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/3080-456-0x0000000072700000-0x00000000729CF000-memory.dmp

memory/3080-457-0x0000000072630000-0x00000000726F8000-memory.dmp

memory/3080-458-0x0000000072560000-0x000000007262E000-memory.dmp

memory/3080-459-0x0000000000D00000-0x0000000000D49000-memory.dmp

memory/3080-460-0x0000000000D00000-0x0000000000D88000-memory.dmp
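The file list above is the raw per-write output of the sandbox: the same Tor client bundle (test2.exe with libcrypto-1_1.dll, libssl-1_1.dll, libevent-2-1-6.dll, zlib1.dll, libwinpthread-1.dll, libgcc_s_sjlj-1.dll, libssp-0.dll, torrc and the data\cached-* and state files that make up a Tor data directory) is written under 33245aa2\tor several times, which is consistent with BitRAT's use of Tor as a C2 transport. The memory dump names encode process ID, dump index and the start/end of the region, and the 0x0000000000E40000-0x0000000001244000 region recurs for PIDs 4620, 1744, 1664, 1048 and 3080, i.e. the same image loaded at the same base in each respawn. The following is an added example, not code from the report or from the sandbox vendor: a parser for this listing that collapses repeated drops of an identical file into one IOC entry, groups distinct paths that share a SHA256 (here the .tmp consensus file and its renamed final copy), and reports memory ranges seen in more than one process. SAMPLE is a constructed excerpt in the report's own layout; the hashes in it are copied from the entries above.

```python
"""Parse a sandbox 'Files' listing into deduplicated IOCs and a memory-region summary.

Added example (not part of the report). Input layout: a file path on its own
line followed by MD5/SHA1/SHA256/SHA512 lines; memory dumps appear as
'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp'.
"""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed excerpt in the report's layout; hash values are copied from the report.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

memory/4620-170-0x0000000000E40000-0x0000000001244000-memory.dmp

memory/1744-302-0x0000000000E40000-0x0000000001244000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus.tmp

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
"""


def parse_files_section(text):
    """Return (records, regions): one dict per file entry, one tuple per memory dump."""
    records, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:  # catches truncated or mangled hashes
                raise ValueError(f"bad {algo} length for {current['path']}")
            current[algo] = digest.lower()
            continue
        current = {"path": line}  # anything else starts a new file entry
        records.append(current)
    return records, regions


def dedupe(records):
    """Collapse repeated drops of an identical (path, SHA256) pair; count how often each was written."""
    unique = {}
    for rec in records:
        key = (rec["path"], rec.get("SHA256"))
        if key in unique:
            unique[key]["seen"] += 1
        else:
            unique[key] = dict(rec, seen=1)
    return list(unique.values())


def same_content(records):
    """Map SHA256 -> sorted paths for hashes that appear under more than one path."""
    by_hash = defaultdict(set)
    for rec in records:
        if "SHA256" in rec:
            by_hash[rec["SHA256"]].add(rec["path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def recurring_regions(regions):
    """Map (start, end) -> sorted PIDs for address ranges dumped from several processes."""
    by_range = defaultdict(set)
    for pid, _idx, start, end in regions:
        by_range[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    recs, regs = parse_files_section(SAMPLE)
    for rec in dedupe(recs):
        print(f"{rec['seen']}x {rec['path']}  sha256={rec.get('SHA256')}")
    for h, paths in same_content(recs).items():
        print(f"same content {h[:12]}...: {paths}")
    for (start, end), pids in recurring_regions(regs).items():
        print(f"region 0x{start:X}-0x{end:X} ({end - start} bytes) in PIDs {pids}")
```

Run against the full listing, `dedupe` gives the nine files of the Tor bundle plus the data-directory files once each, and `recurring_regions` surfaces the 0x404000-byte region shared by every test2.exe instance, which is the region to pull from the dumps when the packed image needs to be carved.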

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-03 16:50

Reported

2023-03-03 16:54

Platform

win7-20230220-en

Max time kernel

239s

Max time network

243s

Command Line

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target Count
N/A N/A N/A N/A 37

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A 8
N/A N/A C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe N/A 49

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 64

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2625D761-B9EC-11ED-8884-4E1AE6AC1D45} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f35fd4ec1ca1494aa57fdd0dc6b810a400000000020000000000106600000001000020000000025b4c42e35b12b81278994ae9235f3277cb257591ba646d3ec2b6d5b8e18e59000000000e800000000200002000000036d9be5c73b275d6c491b7bcb0e914b814bcbe4a91d81eaa90c534de8f2bf04a200000008bb45a4bbc12ece03fda9a1be1f2a60c5834e83664c4ba9a47d3c9f58c76fdb24000000088f16e3589eb257387a530502fc15d677ee0d39f193a9d61b400e73b6304644348c95c252672ae085210e10bf1311d73ec61abd69b2188456d8eb91df6053c01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20951e00f94dd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384630917" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1376 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1376 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1376 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2012 wrote to memory of 888 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2012 wrote to memory of 888 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2012 wrote to memory of 888 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2012 wrote to memory of 888 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe
PID 1376 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe

"C:\Users\Admin\AppData\Local\Temp\workkkkkkkk2.exe"

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://i.imgur.com/UihTOUk.png

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

"C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
DE 131.188.40.189:443 tcp
N/A 127.0.0.1:49197 tcp
DK 85.235.250.88:443 tcp
US 23.238.170.206:443 tcp
DE 185.228.138.252:8080 tcp
PL 91.223.3.166:9100 tcp
N/A 127.0.0.1:45808 tcp
US 23.238.170.206:443 tcp
DE 185.228.138.252:8080 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 i.imgur.com udp
N/A 127.0.0.1:45808 tcp
NL 199.232.148.193:80 i.imgur.com tcp
NL 199.232.148.193:80 i.imgur.com tcp
NL 199.232.148.193:443 i.imgur.com tcp
US 8.8.8.8:53 imgur.com udp
US 199.232.192.193:443 imgur.com tcp
US 199.232.192.193:443 imgur.com tcp
N/A 127.0.0.1:49488 tcp
US 51.81.56.229:443 tcp
FR 92.204.40.241:443 tcp
N/A 127.0.0.1:49677 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50033 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:45808 tcp
US 34.160.111.145:443 myexternalip.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:50222 tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:50297 tcp
N/A 127.0.0.1:50332 tcp
US 34.160.111.145:443 myexternalip.com tcp

Files

memory/1376-54-0x0000000000400000-0x0000000000BD8000-memory.dmp

\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1376-73-0x0000000003AB0000-0x0000000003EB4000-memory.dmp

memory/1376-74-0x0000000003AB0000-0x0000000003EB4000-memory.dmp

memory/764-75-0x0000000000090000-0x0000000000494000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/764-92-0x0000000074480000-0x000000007474F000-memory.dmp

memory/764-93-0x0000000074A40000-0x0000000074A89000-memory.dmp

memory/764-94-0x0000000074970000-0x0000000074A38000-memory.dmp

memory/764-95-0x0000000074370000-0x000000007447A000-memory.dmp

memory/764-96-0x00000000742E0000-0x0000000074368000-memory.dmp

memory/764-97-0x0000000074210000-0x00000000742DE000-memory.dmp

memory/764-98-0x0000000074AE0000-0x0000000074B04000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus.tmp

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdescs.new

MD5 335c49f492aedd129ac4cde4bee300c7
SHA1 5a573595acd4018273478efa59531a533341de20
SHA256 9cf0a36f4a25c786481b61214b42884531c7310005fcafa56af9c4717dab00bf
SHA512 4d12e86f916a25e67a1ca9def27d7c95f31cb429a2dac01c29bb75491e27bdf52d1cc0486a37b39216cce04c71dd8bf64477c6dfd304038ae37b64e4d5ebfd31

memory/764-117-0x0000000000090000-0x0000000000494000-memory.dmp

memory/1376-128-0x0000000003AB0000-0x0000000003EB4000-memory.dmp

memory/764-129-0x0000000000090000-0x0000000000494000-memory.dmp

memory/764-130-0x0000000000090000-0x0000000000494000-memory.dmp

memory/764-138-0x0000000000090000-0x0000000000494000-memory.dmp

memory/1376-146-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/1376-147-0x00000000003F0000-0x00000000003FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF125.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\TarF35E.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 994a408f461919a8dd1dfd52d25e1a73
SHA1 9e6d94f6c394eb0177a549760a71a0c44aaeff54
SHA256 0bd906f09292faeb6c1175d04989b111a8e46679f045a4e239f5ccaafad04723
SHA512 c20d0e5e4dc9fbd936f98d016aa8c2f0251ac6b8bea59e145527cd841eea6126f9ff614e8a7a2047a203ba2abb70d2f6a2f83f224c3e0228a756c01f77e17a42

memory/764-231-0x0000000000090000-0x0000000000494000-memory.dmp

memory/764-239-0x0000000000090000-0x0000000000494000-memory.dmp

memory/1376-247-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/1376-248-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/764-249-0x0000000000090000-0x0000000000494000-memory.dmp

memory/764-257-0x0000000000090000-0x0000000000494000-memory.dmp

memory/764-305-0x0000000000090000-0x0000000000494000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc1be35c47f7d7e8e6438e92fce862a5
SHA1 481ba5630d04fcc48c67378763f72f46f1a7d581
SHA256 2216c49e82bd223a5f4e707fcc24eb51afac331d559082151a6e05c6eaacff93
SHA512 9d99d007916d706ea3a8d54616804a4328b3722936211479ab439561b85d9f4292376ff0fa6a7da4ccce3fab8450dcb05304e6dda394c56fb8aa5eff91636d38

\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/764-363-0x0000000000090000-0x0000000000494000-memory.dmp

memory/600-370-0x0000000000090000-0x0000000000494000-memory.dmp

memory/600-373-0x0000000074970000-0x0000000074A38000-memory.dmp

memory/600-372-0x0000000074A40000-0x0000000074A89000-memory.dmp

memory/600-374-0x0000000074370000-0x000000007447A000-memory.dmp

memory/600-371-0x0000000074480000-0x000000007474F000-memory.dmp

memory/600-376-0x0000000074210000-0x00000000742DE000-memory.dmp

memory/600-375-0x00000000742E0000-0x0000000074368000-memory.dmp

memory/600-377-0x0000000074AE0000-0x0000000074B04000-memory.dmp

memory/1376-378-0x0000000005800000-0x0000000005C04000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\x4s3ygl\imagestore.dat

MD5 be12192ab4d2be808b33d05d4f9da8ae
SHA1 926c8ff4bc8679b34eeb1454bafc39f7bbaa611e
SHA256 e2899b90406cf0c8fb7ead76bdbb184ccc085b655e89cddeb26cfcc34f9aa6ce
SHA512 ec058eb84d36f5700532d58bc11c3a585cf7d2a16639a8137099f47666777778f319f2e39c0b3587b3188e459274e3a52df8882997d457de438bd6b4af4be519

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2EIRHNV\favicon[2].ico

MD5 c2aa5cd03b44bb2ff874837bc56cd85e
SHA1 7f567872dae7a3d183f03783972a05879baa8853
SHA256 17b883975935fa4f463d771e4679523645f11991e728881d7a0924b8aa95177e
SHA512 7bffea0be80e1e096ad90bb00cdaa138df71b14a0506ca49056303b77b1fe89b4a6700da235f9a8113b55fca56d255721f086f58c713af894bf99dce79d002d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2948095d08c2ade71dd6b0840c617fb
SHA1 16d7f4cfc94f2e76683d3b6f736aa537ac2e4326
SHA256 ce7412163096f0cca5d35ea90247fc92ae6273eaa961e0500b13f2ec0e213d26
SHA512 75759ded828d25ff7f436fdb670c8e1f645309f1de10b4d34b55bdc8cfaa4fde0ed6cd63dd22fdb9bac61965ee1f1bb20b7c8006a100f1deb05c580dcb98ef32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f31d62976ac58c0ba844d11fa0cc5ce1
SHA1 a4e05ec6814a06948cb9d8069de7a01df954326f
SHA256 e7bfabda897606b4e0dad2a32f4874a4aea4c342d99149f1ac4333bd35b7be85
SHA512 e0979056d8fb302207d403028e87d3d5b10a7a6ef33cba31c16666a1b6ea30ae385d8cb3227df05dff4819de525881e893a9724eb93423d3dc4a5ec13bdec89c

\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1376-517-0x0000000005800000-0x0000000005C04000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b682689f96a9fd7ff1315ebed2d47ae
SHA1 3534930ba3bb093ce368892fe07f101a4737f458
SHA256 dcebbd581a97998f7fc26ea49911caed46cc59a0c91fd41c5dfdea0ea86c9571
SHA512 539ffb9a99be62e1aab191c0d67e326e1465810b65e9146b6bb64aaf585b7079df91fffddc977ea782befc82e9172c26c71fb3e3c93fad9a266f5b784571f20d

memory/1140-528-0x0000000000EB0000-0x00000000012B4000-memory.dmp

memory/1140-537-0x00000000749F0000-0x0000000074A39000-memory.dmp

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/1140-539-0x0000000074570000-0x000000007467A000-memory.dmp

memory/1140-538-0x0000000074680000-0x0000000074748000-memory.dmp

memory/1140-542-0x00000000744E0000-0x0000000074568000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\state

MD5 d36f8aaaea6bc872b9d1dc5cd9d02dc1
SHA1 39286bf283154b3ce3fbae348a3c1a81236274b0
SHA256 4e59d6f25a581a177c710a73caab9cc004fea8ec9b7ca0f7fc511ab389eb624c
SHA512 4d3231d458292ecd19b7fa1820d3c97e8c0dd33c6919b7b934f54d436e61889f24b72bec3f5bc92ee264ca4bbfde4abc7a4e4d6aba07dc780872cacc2d73a124

memory/1140-543-0x0000000074A60000-0x0000000074A84000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-certs

MD5 1330cdc56477fb1deb1412bce2dfa210
SHA1 6624277fbc074888e3dab5152faaf4907ee04a50
SHA256 4e0b303d324057a4ecabc77fd0029b6fe4a08ca5ae5cfe09026012dcb54a887f
SHA512 14219633ebf31977780414dac4e02e779e88e025b15b17879c410527766290136c6011cd71bf73af0c294eb4edc769c9cae063f04f1014818ab8219ba8f53a97

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a867f1ad9832a184271291d86cad739
SHA1 81d0216e4f5a060c6aaae0244bfe28e98645f725
SHA256 1673cc5472418fd9233b785c7ff1f320858279fc370abf5e4ee0ff4b5ec78f24
SHA512 87b4b95946e6365fdff125acc8e568158b7c0d0002ff5744cf2b1396d6574209b4103080e1b5093d4b298da3a320ea89e8425d41337115f3dfecbd9598d6e94c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b91c0d349fa468a25cd35cbee4116d5
SHA1 679098344ab618b4cce0bb6e02d6fce509c4a882
SHA256 5ed8a124fdbbd0d5edf46522cb18c496611e6d6e83d45fe3356963526541b244
SHA512 3601f762d4a9583ea9615c72e80e9ab1fbdfe63b549a65e90a91443cf60feef83236b66aae500d05827aa61d0f5d823a3fc78ed55888e130e8e865ffdae410c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a5844f7d9684f9d8cd63cb692b84860
SHA1 22c50149850a4da68f4a8afc6079a8b0166f9db1
SHA256 152db93054695ee72cf3b9dbfed16979ff689931cb191e47a33a4838e2f2016c
SHA512 a9586defc6d1ea61ba69db3de4e7e76078959e5b2932074f98fc4d594aee60c3777bb9d4d76ddd3a19740165f110dfdfadb74870da2a3ba3f786a23a7a2c7e76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df358525639b167c17f57dc452f540d4
SHA1 58795e75a3a9e8a254665453d7f16bb6d32b0833
SHA256 77423f070bf91d50c1b6748a5cc266482368784bb3886c98d9cbe9e7db35e583
SHA512 10d38c404dbaa7909aa6601144d5e97e10e858f4d3c8c1c4ea6f34f109ed7a56beb80b02667449d5bfcdedfc1a63f50c65f50c5be200913a8e0b73379a7db974

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad93d2905f4ba57b36d576e965097b23
SHA1 61b502517d854e8b3463e17354b37f7747f0bd9e
SHA256 3d9ece9a96dbd04a7a53c5090aa1e47f41dc0b780d4d4a63abac0c785d93c134
SHA512 07c631bcd24a0a3f64edc119aa862ab9298cb4f7cb2e1aac5aef73c4642242fb783e6d79cf763e85f1d56469d30f6465769009b5b68b76a7310900780c878709

C:\Users\Admin\AppData\Local\33245aa2\tor\data\cached-microdescs.new

MD5 fbb219bf0ae102ef23a920930d9b3551
SHA1 9b57bf901072df0ff123a1b9938e51b51885c3b0
SHA256 5905019287cc173b57e839144fd8a40ed739a6d68a6d6c2cecd962cf771444b8
SHA512 136fab6fb546b43a24dfdbebbb19c67ada7cff7fd30413f1c8586cd441013275a4764ae40cd18cfa4cad4024c3b6a6bbb0fbcbf130045e2de2322aea44ad369c

memory/1140-858-0x0000000070C10000-0x0000000070EDF000-memory.dmp

memory/1140-859-0x0000000074410000-0x00000000744DE000-memory.dmp

C:\Users\Admin\AppData\Local\33245aa2\tor\data\unverified-microdesc-consensus

MD5 1756674bbccc3d724e7a08c08a6c62cb
SHA1 a98926c8d67e12881b0dbea28586c3be1c78aff2
SHA256 e412d1661645f7e462a71c0f31e50df3d396cb889dcb47b4f29740f581d518d3
SHA512 7b219c7f74572d7028f9389e69487238cfcfcdd03015672a156daaf69ba50f68249223190692e651153bc00f96dd5f2240752288b083c903b946a524eac6ed9c

memory/1376-865-0x0000000005800000-0x0000000005C04000-memory.dmp

\Users\Admin\AppData\Local\33245aa2\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\33245aa2\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\33245aa2\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\33245aa2\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\33245aa2\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\33245aa2\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

memory/1668-898-0x0000000070C10000-0x0000000070EDF000-memory.dmp

memory/1668-902-0x00000000744E0000-0x0000000074568000-memory.dmp

memory/1668-904-0x0000000074A60000-0x0000000074A84000-memory.dmp

memory/1668-903-0x0000000074410000-0x00000000744DE000-memory.dmp

memory/1668-901-0x0000000074570000-0x000000007467A000-memory.dmp

memory/1668-900-0x0000000074680000-0x0000000074748000-memory.dmp

memory/1668-899-0x00000000749F0000-0x0000000074A39000-memory.dmp

memory/1668-897-0x0000000000EB0000-0x00000000012B4000-memory.dmp

memory/1376-905-0x0000000005800000-0x0000000005C04000-memory.dmp

memory/1376-906-0x0000000005800000-0x0000000005C04000-memory.dmp

memory/1140-907-0x0000000000EB0000-0x00000000012B4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5911b79055ecc2ad66561cb90e5d0465
SHA1 60e6fc50b4a7c96bd36249f858f75729e63d3b66
SHA256 aaa79eed554b5006c40e2b7bfc17ec6512a76a373b5c5349ab2f0f53f3249b60
SHA512 8d000402a6f71de0fe4a1a3be006e0525af5864190a89b5ea43ba5bcc58d6f83ef37e809eb6b45446192bba369f27d25271894befe355e6182c28a774ee64fa8

memory/1140-933-0x0000000074680000-0x0000000074748000-memory.dmp

memory/1376-934-0x0000000004510000-0x000000000451A000-memory.dmp

memory/1376-935-0x0000000004510000-0x000000000451A000-memory.dmp

memory/1376-962-0x0000000004510000-0x000000000451A000-memory.dmp

memory/1376-963-0x0000000004510000-0x000000000451A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adbbeac0531a00a4eeb5ff7d0b6214e0
SHA1 c368742dac93c394661b9605be6805134f3c3ec4
SHA256 ba1ea0acffdd4cca39e7144371bd62e8172ff44fad71c7259eb3c8fc26d40f59
SHA512 60d8be0d13569f015d3e46207131e5d76141d19b36dca1b5cd4ab19c85d75c673be641ef3990cfd5dee142171bfff2dd28b6b70461adda9a3512110964317f31

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L0UTY599.txt

MD5 dd2866fda9196d59ad2c862b8ee6b31f
SHA1 f851f14f59daf812d93fe62eafce6419e1731114
SHA256 08450bddbb32ad68942926d8816be1110c78524d06cf029de91eed3a6582c1b0
SHA512 a0afb19dbff07897eeef7a045922565f5f43ee53d66578727ad078379c73e42dd71ff99d6a950d58c67a37708fd0e4b008a413e4b3d3045747c4b9827accb293

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYTOKVEV\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\33245aa2\tor\torrc

MD5 3482761e23f1f48d90244a4296a61933
SHA1 c162137facb3af28f9366980c4dbfe64299deed9
SHA256 e59386eaf356582459af2a8061ac59358fb217c2e94e0845c6c39e9e5909679f
SHA512 8ec0e3bc73026cede5dd853223524a196b16e48fa55e4c62217fa9e36197ba586d98a7bfb7faa4c7948372691b5d084aff0ed6307be5ba80b547699767390eab

C:\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\33245aa2\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/1340-1077-0x0000000000EB0000-0x00000000012B4000-memory.dmp

memory/1340-1079-0x00000000749F0000-0x0000000074A39000-memory.dmp

memory/1340-1078-0x0000000070C10000-0x0000000070EDF000-memory.dmp

memory/1340-1080-0x0000000074680000-0x0000000074748000-memory.dmp

memory/1340-1082-0x00000000744E0000-0x0000000074568000-memory.dmp

memory/1340-1081-0x0000000074570000-0x000000007467A000-memory.dmp

memory/1340-1084-0x0000000074A60000-0x0000000074A84000-memory.dmp

memory/1340-1083-0x0000000074410000-0x00000000744DE000-memory.dmp

memory/1376-1085-0x0000000005C00000-0x0000000006004000-memory.dmp

memory/1596-1149-0x0000000000EB0000-0x00000000012B4000-memory.dmp

memory/1596-1150-0x0000000070C10000-0x0000000070EDF000-memory.dmp

memory/1596-1151-0x00000000749F0000-0x0000000074A39000-memory.dmp