bitrat | 824bfb1adf72681cee3da426dee064d9cdf8b4062941bc7232957b6055709b22

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2023 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
Size

8.1MB
MD5

ef194a3933b45e376e35ba7c4b14bf49
SHA1

0830bceebac97ee4ecf909e22189c858865a553f
SHA256

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d
SHA512

c0777e7ea276d983a72cdc6286b22e8267b1f2fe7baf3aaf47e63400bca1ba2ce88d2a59fe1d8bce001c3accdcfcd04f5e4552c3a659206d9e1493c45a71d3fd
SSDEEP

98304:voRRzohHPzOY8MqNY5rONLPW75h1Zfvcls5+wMLi7VjtY2xhSzmUOlWg7t:vCRctM0yNDWL1FvclsGWhD9UOJp

Score

10^/10

bitrat evasion persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

rxbwrzmdaw27pt7lrrhophwwlcyuqkw3n2dhpr5gu5bjh3ut2ot2mwid.onion:80

Attributes

communication_password
5ffc3746012bb1139c6bf49107694c1a
tor_process
Smartscreens

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

ACProtect 1.3x - 1.4x DLL software 44 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 7 IoCs

Processes:

svchost.exeSmartscreens.exeSmartscreens.exeSmartscreens.exeSmartscreens.exeSmartscreens.exeSmartscreens.exe

pid process

732 svchost.exe
1000 Smartscreens.exe
1796 Smartscreens.exe
3756 Smartscreens.exe
3792 Smartscreens.exe
5116 Smartscreens.exe
3268 Smartscreens.exe

pid	process
732	svchost.exe
1000	Smartscreens.exe
1796	Smartscreens.exe
3756	Smartscreens.exe
3792	Smartscreens.exe
5116	Smartscreens.exe
3268	Smartscreens.exe

Loads dropped DLL 45 IoCs

Processes:

Smartscreens.exeSmartscreens.exeSmartscreens.exeSmartscreens.exeSmartscreens.exeSmartscreens.exe

pid	process
1000	Smartscreens.exe
1000	Smartscreens.exe
1000	Smartscreens.exe
1000	Smartscreens.exe
1000	Smartscreens.exe
1000	Smartscreens.exe
1000	Smartscreens.exe
1000	Smartscreens.exe
1000	Smartscreens.exe
1796	Smartscreens.exe
1796	Smartscreens.exe
1796	Smartscreens.exe
1796	Smartscreens.exe
1796	Smartscreens.exe
1796	Smartscreens.exe
1796	Smartscreens.exe
3756	Smartscreens.exe
3756	Smartscreens.exe
3756	Smartscreens.exe
3756	Smartscreens.exe
3756	Smartscreens.exe
3756	Smartscreens.exe
3756	Smartscreens.exe
3792	Smartscreens.exe
3792	Smartscreens.exe
3792	Smartscreens.exe
3792	Smartscreens.exe
3792	Smartscreens.exe
3792	Smartscreens.exe
3792	Smartscreens.exe
5116	Smartscreens.exe
5116	Smartscreens.exe
5116	Smartscreens.exe
5116	Smartscreens.exe
5116	Smartscreens.exe
5116	Smartscreens.exe
5116	Smartscreens.exe
3268	Smartscreens.exe
3268	Smartscreens.exe
3268	Smartscreens.exe
3268	Smartscreens.exe
3268	Smartscreens.exe
3268	Smartscreens.exe
3268	Smartscreens.exe
3268	Smartscreens.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	upx
behavioral2/memory/1000-199-0x0000000073C80000-0x0000000073CC9000-memory.dmp	upx
behavioral2/memory/1000-204-0x0000000073AE0000-0x0000000073BA8000-memory.dmp	upx
behavioral2/memory/1000-205-0x0000000073AB0000-0x0000000073AD4000-memory.dmp	upx
behavioral2/memory/1000-203-0x0000000073BB0000-0x0000000073C7E000-memory.dmp	upx
behavioral2/memory/1000-206-0x00000000739A0000-0x0000000073AAA000-memory.dmp	upx
behavioral2/memory/1000-207-0x0000000073910000-0x0000000073998000-memory.dmp	upx
behavioral2/memory/1000-198-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
behavioral2/memory/1000-209-0x0000000073640000-0x000000007390F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	upx
behavioral2/memory/1000-219-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
behavioral2/memory/1000-221-0x0000000073BB0000-0x0000000073C7E000-memory.dmp	upx
behavioral2/memory/1000-227-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
behavioral2/memory/1000-229-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
behavioral2/memory/1000-259-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
behavioral2/memory/1000-277-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
behavioral2/memory/1000-290-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
behavioral2/memory/1000-298-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe	upx
behavioral2/memory/1796-320-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
behavioral2/memory/1796-321-0x0000000073640000-0x000000007390F000-memory.dmp	upx
behavioral2/memory/1796-322-0x0000000073AE0000-0x0000000073BA8000-memory.dmp	upx
behavioral2/memory/1796-323-0x0000000073BB0000-0x0000000073C7E000-memory.dmp	upx
behavioral2/memory/1796-324-0x0000000073C80000-0x0000000073CC9000-memory.dmp	upx
behavioral2/memory/1796-325-0x0000000073AB0000-0x0000000073AD4000-memory.dmp	upx
behavioral2/memory/1796-326-0x00000000739A0000-0x0000000073AAA000-memory.dmp	upx
behavioral2/memory/1796-327-0x0000000073910000-0x0000000073998000-memory.dmp	upx
behavioral2/memory/1796-342-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll	upx
behavioral2/memory/1796-381-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe	upx
behavioral2/memory/3756-390-0x0000000000E80000-0x0000000001284000-memory.dmp	upx
behavioral2/memory/3756-391-0x0000000073640000-0x000000007390F000-memory.dmp	upx
behavioral2/memory/3756-392-0x0000000073AE0000-0x0000000073BA8000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

84 myexternalip.com
91 myexternalip.com
98 myexternalip.com
66 myexternalip.com
68 myexternalip.com

flow	ioc
84	myexternalip.com
91	myexternalip.com
98	myexternalip.com
66	myexternalip.com
68	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

AddInProcess32.exe

pid	process
2988	AddInProcess32.exe
2988	AddInProcess32.exe
2988	AddInProcess32.exe
2988	AddInProcess32.exe
2988	AddInProcess32.exe
2988	AddInProcess32.exe
2988	AddInProcess32.exe
2988	AddInProcess32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 732 set thread context of 2988 732 svchost.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3852 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3980 timeout.exe

description	pid	process	target process
PID 732 set thread context of 2988	732	svchost.exe	AddInProcess32.exe

pid	process
3852	schtasks.exe

pid	process
3980	timeout.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exepowershell.exesvchost.exe

pid	process
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
3844	powershell.exe
732	svchost.exe
732	svchost.exe
3844	powershell.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe
732	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

svchost.exe

pid process

732 svchost.exe

pid	process
732	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exesvchost.exepowershell.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
Token: SeDebugPrivilege	732	svchost.exe
Token: SeDebugPrivilege	732	svchost.exe
Token: SeLoadDriverPrivilege	732	svchost.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeShutdownPrivilege	2988	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AddInProcess32.exe

pid process

2988 AddInProcess32.exe
2988 AddInProcess32.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.execmd.execmd.exesvchost.exeAddInProcess32.exe

description	pid	process	target process
PID 2612 wrote to memory of 2328	2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 2612 wrote to memory of 2328	2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 2612 wrote to memory of 2080	2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 2612 wrote to memory of 2080	2612	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 2080 wrote to memory of 3980	2080	cmd.exe	timeout.exe
PID 2080 wrote to memory of 3980	2080	cmd.exe	timeout.exe
PID 2328 wrote to memory of 3852	2328	cmd.exe	schtasks.exe
PID 2328 wrote to memory of 3852	2328	cmd.exe	schtasks.exe
PID 2080 wrote to memory of 732	2080	cmd.exe	svchost.exe
PID 2080 wrote to memory of 732	2080	cmd.exe	svchost.exe
PID 732 wrote to memory of 3844	732	svchost.exe	powershell.exe
PID 732 wrote to memory of 3844	732	svchost.exe	powershell.exe
PID 732 wrote to memory of 1456	732	svchost.exe	SMSvcHost.exe
PID 732 wrote to memory of 1456	732	svchost.exe	SMSvcHost.exe
PID 732 wrote to memory of 4404	732	svchost.exe	ngen.exe
PID 732 wrote to memory of 4404	732	svchost.exe	ngen.exe
PID 732 wrote to memory of 2632	732	svchost.exe	AddInUtil.exe
PID 732 wrote to memory of 2632	732	svchost.exe	AddInUtil.exe
PID 732 wrote to memory of 1724	732	svchost.exe	CasPol.exe
PID 732 wrote to memory of 1724	732	svchost.exe	CasPol.exe
PID 732 wrote to memory of 1960	732	svchost.exe	WsatConfig.exe
PID 732 wrote to memory of 1960	732	svchost.exe	WsatConfig.exe
PID 732 wrote to memory of 2336	732	svchost.exe	InstallUtil.exe
PID 732 wrote to memory of 2336	732	svchost.exe	InstallUtil.exe
PID 732 wrote to memory of 4892	732	svchost.exe	csc.exe
PID 732 wrote to memory of 4892	732	svchost.exe	csc.exe
PID 732 wrote to memory of 3056	732	svchost.exe	vbc.exe
PID 732 wrote to memory of 3056	732	svchost.exe	vbc.exe
PID 732 wrote to memory of 560	732	svchost.exe	cvtres.exe
PID 732 wrote to memory of 560	732	svchost.exe	cvtres.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 732 wrote to memory of 2988	732	svchost.exe	AddInProcess32.exe
PID 2988 wrote to memory of 1000	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 1000	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 1000	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 1796	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 1796	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 1796	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 3756	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 3756	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 3756	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 3792	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 3792	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 3792	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 5116	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 5116	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 5116	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 3268	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 3268	2988	AddInProcess32.exe	Smartscreens.exe
PID 2988 wrote to memory of 3268	2988	AddInProcess32.exe	Smartscreens.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
"C:\Users\Admin\AppData\Local\Temp\6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp92EE.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3980

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Windows security bypass
- Sets service image path in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
4⤵
PID:1456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
4⤵
PID:4404

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
4⤵
PID:2632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
4⤵
PID:1724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
4⤵
PID:2336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
4⤵
PID:1960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
4⤵
PID:4892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
4⤵
PID:3056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
4⤵
PID:560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
"C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe" -f torrc
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000

C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
"C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe" -f torrc
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796

C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
"C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe" -f torrc
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3756

C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
"C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe" -f torrc
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3792

C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
"C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe" -f torrc
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5116

C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
"C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe" -f torrc
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uyts2dn3.swa.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92EE.tmp.bat
Filesize
151B

MD5
96eeab6c42ea68ee2f97531a5c60925b

SHA1
843ebcdf13de3ab4d327308f8fd19435ee77b210

SHA256
68c83fbcfe5c78e2e5c5cc8ad7e9de2a38c4e3f41c14d6e9e9991bf934605284

SHA512
880a04e583046b383164d3ce043eb16600282c12e4fe2cfa2d85a1b05d316b23efbb287bf1a6e28c98a74599d2beffe2675b5d7a85b86e5feae66fb6c36765ee

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\Smartscreens.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\data\cached-certs
Filesize
20KB

MD5
e3f78cc3a7d81c0fe513886df187e008

SHA1
76125eb06b16d4b0196eb9204a598eba473c8beb

SHA256
74b518485923209473d8edc549b3f29a49809cb0a87c8241c39dbde89e34d6be

SHA512
9583b4046780e5bac8cd6e3084be82853b0281eda72ed1a6b291e4de6455e7edbbe762acdbce4d2a5ad363894ecb2c95f8a68282f49399b48d78708c4fe848fd

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\data\cached-microdesc-consensus
Filesize
2.3MB

MD5
a73ab55081244b81f852d6f78986e4ba

SHA1
0c5ee433c140d442c27f687ffbdebe6b33252cd1

SHA256
33e5d90e498e23b2f9d6cf33d631f201f5b2c9870129ec8eb37a94f87f3164e0

SHA512
3547c919b7244483c16c651a6c7317da10f9f78f767c33c3af2cbb91bb21f2f2b528248cc469bd99fd4529ae6612f105f463ff2959c3afdea2f6117501ebc4df

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\data\cached-microdesc-consensus.tmp
Filesize
2.3MB

MD5
a73ab55081244b81f852d6f78986e4ba

SHA1
0c5ee433c140d442c27f687ffbdebe6b33252cd1

SHA256
33e5d90e498e23b2f9d6cf33d631f201f5b2c9870129ec8eb37a94f87f3164e0

SHA512
3547c919b7244483c16c651a6c7317da10f9f78f767c33c3af2cbb91bb21f2f2b528248cc469bd99fd4529ae6612f105f463ff2959c3afdea2f6117501ebc4df

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\data\cached-microdescs
Filesize
13.8MB

MD5
ebd14a602b44d5bc805b6b7c580fcb8c

SHA1
dda2bee60f10cf95fc4062ab0dc04c0c39d04eb3

SHA256
38ef777e7b2f241e4d8a0fbcd7c758c89d5477e76f4ec3065c6a50fe53671373

SHA512
04132161258993a435e3101a50932e25a2fe14d14a7fead6004802a5cf77ff5299741d4485c85e9cf8f6399db0db4921c86fd9d5f7e8f5c100c0b3637297be6b

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\data\cached-microdescs.new
Filesize
4.7MB

MD5
1d4d18ff92e2622c0c2954306cb09a10

SHA1
869d869f396d9b0645e365865aba9018e1e2b5f4

SHA256
425a76167395f21096d1d33bb90fbf03448b3924f66e950c6731c93e2c064f9b

SHA512
517fba85ce02203d1b149eccef60cb5df9d4abcc5e08bfd162664cee8911f79b0c81a7c537e0a9ff81b0dd0dcbb94176c0ea4c66aa4747bd3b65f798c43ff5d9

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\data\cached-microdescs.new
Filesize
13.8MB

MD5
dd59aa39ce091582ecc8293fb2a1cdea

SHA1
ac218a72d1e099de79e9c82ed7b2366c87515312

SHA256
899a28706b3ab6d740dcaf47b8a1c2eb455e524dfc7638405e854fca9cf750c1

SHA512
095e27de4655c5c49f3eea9106a87b6e42da47c276e7e875d2a96a73c12899e3906b4af8c8207e8ac7af569b83c68b58100138e6e2c77bf61373e9e7a233d4c5

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\data\state
Filesize
232B

MD5
8eae536d0cf66374833114906b243ae5

SHA1
bdf8ca47526bd749bd31fa46f8aaded1882f9edf

SHA256
c9a2bb75014547f2a34919eea22f9c56ec10c641b2adbb147b5884959b71b216

SHA512
35502e8c179d0dbcf635c7190865c71d3de833bf1fbaf3623d0e8b6afb5f3727db5767259054c8bdd47e0a672b3c67a1367d0297b1a562bdf4f6b005983bc82e

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\data\state
Filesize
3KB

MD5
2463afb02048bab81ccefad311a3ea58

SHA1
2bc80d9d71527a17a3292bfe6b60983c73993b57

SHA256
ca08412ef7a8671335489db89996023913f9a11964cf5b61eedf53474c424f40

SHA512
588e13b536b771a67dc6aadf2b1a14c84535b099395495ba32b255ff434fd94f997cf0768f29a87d2aec8220ea843a4f630b26268089b469281b8a3ec1ae1d9e

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\data\unverified-microdesc-consensus
Filesize
2.3MB

MD5
a73ab55081244b81f852d6f78986e4ba

SHA1
0c5ee433c140d442c27f687ffbdebe6b33252cd1

SHA256
33e5d90e498e23b2f9d6cf33d631f201f5b2c9870129ec8eb37a94f87f3164e0

SHA512
3547c919b7244483c16c651a6c7317da10f9f78f767c33c3af2cbb91bb21f2f2b528248cc469bd99fd4529ae6612f105f463ff2959c3afdea2f6117501ebc4df

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\torrc
Filesize
157B

MD5
56f321507b92151da9480590689438f9

SHA1
a9f5e3bf476e44f77b629ed27a715f67c8d5f041

SHA256
cc5784c19a962029187cabfc59efd39b52800cf8a7feb56f4fb66b1cf9a2d47c

SHA512
f046337f2e7a20025fc9951fa4a89785193ee2202f045fd5f3e214209526079f83473fd0b49dda858640de63b5760d5f171e3011be26a706e08338728361f7e3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\torrc
Filesize
157B

MD5
56f321507b92151da9480590689438f9

SHA1
a9f5e3bf476e44f77b629ed27a715f67c8d5f041

SHA256
cc5784c19a962029187cabfc59efd39b52800cf8a7feb56f4fb66b1cf9a2d47c

SHA512
f046337f2e7a20025fc9951fa4a89785193ee2202f045fd5f3e214209526079f83473fd0b49dda858640de63b5760d5f171e3011be26a706e08338728361f7e3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\torrc
Filesize
157B

MD5
56f321507b92151da9480590689438f9

SHA1
a9f5e3bf476e44f77b629ed27a715f67c8d5f041

SHA256
cc5784c19a962029187cabfc59efd39b52800cf8a7feb56f4fb66b1cf9a2d47c

SHA512
f046337f2e7a20025fc9951fa4a89785193ee2202f045fd5f3e214209526079f83473fd0b49dda858640de63b5760d5f171e3011be26a706e08338728361f7e3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\torrc
Filesize
157B

MD5
56f321507b92151da9480590689438f9

SHA1
a9f5e3bf476e44f77b629ed27a715f67c8d5f041

SHA256
cc5784c19a962029187cabfc59efd39b52800cf8a7feb56f4fb66b1cf9a2d47c

SHA512
f046337f2e7a20025fc9951fa4a89785193ee2202f045fd5f3e214209526079f83473fd0b49dda858640de63b5760d5f171e3011be26a706e08338728361f7e3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\torrc
Filesize
157B

MD5
56f321507b92151da9480590689438f9

SHA1
a9f5e3bf476e44f77b629ed27a715f67c8d5f041

SHA256
cc5784c19a962029187cabfc59efd39b52800cf8a7feb56f4fb66b1cf9a2d47c

SHA512
f046337f2e7a20025fc9951fa4a89785193ee2202f045fd5f3e214209526079f83473fd0b49dda858640de63b5760d5f171e3011be26a706e08338728361f7e3

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Local\bd6e11cd\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
8.1MB

MD5
ef194a3933b45e376e35ba7c4b14bf49

SHA1
0830bceebac97ee4ecf909e22189c858865a553f

SHA256
6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d

SHA512
c0777e7ea276d983a72cdc6286b22e8267b1f2fe7baf3aaf47e63400bca1ba2ce88d2a59fe1d8bce001c3accdcfcd04f5e4552c3a659206d9e1493c45a71d3fd

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
8.1MB

MD5
ef194a3933b45e376e35ba7c4b14bf49

SHA1
0830bceebac97ee4ecf909e22189c858865a553f

SHA256
6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d

SHA512
c0777e7ea276d983a72cdc6286b22e8267b1f2fe7baf3aaf47e63400bca1ba2ce88d2a59fe1d8bce001c3accdcfcd04f5e4552c3a659206d9e1493c45a71d3fd

Download Submit
memory/1000-199-0x0000000073C80000-0x0000000073CC9000-memory.dmp

Filesize
292KB

Download
memory/1000-209-0x0000000073640000-0x000000007390F000-memory.dmp

Filesize
2.8MB

Download
memory/1000-290-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1000-298-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1000-219-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1000-221-0x0000000073BB0000-0x0000000073C7E000-memory.dmp

Filesize
824KB

Download
memory/1000-227-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1000-210-0x0000000001490000-0x000000000175F000-memory.dmp

Filesize
2.8MB

Download
memory/1000-228-0x00000000007E0000-0x0000000000868000-memory.dmp

Filesize
544KB

Download
memory/1000-203-0x0000000073BB0000-0x0000000073C7E000-memory.dmp

Filesize
824KB

Download
memory/1000-198-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1000-208-0x00000000007E0000-0x0000000000868000-memory.dmp

Filesize
544KB

Download
memory/1000-207-0x0000000073910000-0x0000000073998000-memory.dmp

Filesize
544KB

Download
memory/1000-229-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1000-206-0x00000000739A0000-0x0000000073AAA000-memory.dmp

Filesize
1.0MB

Download
memory/1000-259-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1000-204-0x0000000073AE0000-0x0000000073BA8000-memory.dmp

Filesize
800KB

Download
memory/1000-205-0x0000000073AB0000-0x0000000073AD4000-memory.dmp

Filesize
144KB

Download
memory/1000-277-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1796-320-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1796-325-0x0000000073AB0000-0x0000000073AD4000-memory.dmp

Filesize
144KB

Download
memory/1796-326-0x00000000739A0000-0x0000000073AAA000-memory.dmp

Filesize
1.0MB

Download
memory/1796-327-0x0000000073910000-0x0000000073998000-memory.dmp

Filesize
544KB

Download
memory/1796-324-0x0000000073C80000-0x0000000073CC9000-memory.dmp

Filesize
292KB

Download
memory/1796-342-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/1796-323-0x0000000073BB0000-0x0000000073C7E000-memory.dmp

Filesize
824KB

Download
memory/1796-322-0x0000000073AE0000-0x0000000073BA8000-memory.dmp

Filesize
800KB

Download
memory/1796-321-0x0000000073640000-0x000000007390F000-memory.dmp

Filesize
2.8MB

Download
memory/1796-381-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/2612-133-0x000001E00E9D0000-0x000001E00F1E2000-memory.dmp

Filesize
8.1MB

Download
memory/2612-134-0x000001E0297D0000-0x000001E0297E0000-memory.dmp

Filesize
64KB

Download
memory/2988-214-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-218-0x0000000073310000-0x0000000073349000-memory.dmp

Filesize
228KB

Download
memory/2988-267-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-213-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-212-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-216-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-217-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-215-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-289-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-211-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-287-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-409-0x0000000074820000-0x0000000074859000-memory.dmp

Filesize
228KB

Download
memory/2988-274-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-276-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-285-0x0000000072950000-0x0000000072989000-memory.dmp

Filesize
228KB

Download
memory/2988-174-0x0000000074820000-0x0000000074859000-memory.dmp

Filesize
228KB

Download
memory/2988-286-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-163-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-162-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-161-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2988-157-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3756-395-0x0000000073AB0000-0x0000000073AD4000-memory.dmp

Filesize
144KB

Download
memory/3756-394-0x0000000073C80000-0x0000000073CC9000-memory.dmp

Filesize
292KB

Download
memory/3756-392-0x0000000073AE0000-0x0000000073BA8000-memory.dmp

Filesize
800KB

Download
memory/3756-393-0x0000000073BB0000-0x0000000073C7E000-memory.dmp

Filesize
824KB

Download
memory/3756-390-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/3756-396-0x00000000739A0000-0x0000000073AAA000-memory.dmp

Filesize
1.0MB

Download
memory/3756-391-0x0000000073640000-0x000000007390F000-memory.dmp

Filesize
2.8MB

Download
memory/3756-397-0x0000000073910000-0x0000000073998000-memory.dmp

Filesize
544KB

Download
memory/3792-416-0x00000000738B0000-0x00000000738D4000-memory.dmp

Filesize
144KB

Download
memory/3792-417-0x00000000737A0000-0x00000000738AA000-memory.dmp

Filesize
1.0MB

Download
memory/3792-418-0x0000000073710000-0x0000000073798000-memory.dmp

Filesize
544KB

Download
memory/3792-413-0x00000000738E0000-0x0000000073929000-memory.dmp

Filesize
292KB

Download
memory/3792-431-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/3792-433-0x0000000073930000-0x00000000739F8000-memory.dmp

Filesize
800KB

Download
memory/3792-432-0x0000000073A00000-0x0000000073CCF000-memory.dmp

Filesize
2.8MB

Download
memory/3792-412-0x0000000073930000-0x00000000739F8000-memory.dmp

Filesize
800KB

Download
memory/3792-410-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/3792-419-0x0000000073640000-0x000000007370E000-memory.dmp

Filesize
824KB

Download
memory/3792-411-0x0000000073A00000-0x0000000073CCF000-memory.dmp

Filesize
2.8MB

Download
memory/3792-468-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/3844-156-0x000001F974520000-0x000001F974530000-memory.dmp

Filesize
64KB

Download
memory/3844-154-0x000001F974520000-0x000001F974530000-memory.dmp

Filesize
64KB

Download
memory/3844-144-0x000001F974020000-0x000001F974042000-memory.dmp

Filesize
136KB

Download
memory/3844-155-0x000001F974520000-0x000001F974530000-memory.dmp

Filesize
64KB

Download
memory/5116-465-0x00000000738E0000-0x0000000073929000-memory.dmp

Filesize
292KB

Download
memory/5116-461-0x0000000073930000-0x00000000739F8000-memory.dmp

Filesize
800KB

Download
memory/5116-463-0x0000000073640000-0x000000007370E000-memory.dmp

Filesize
824KB

Download
memory/5116-457-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/5116-469-0x00000000738B0000-0x00000000738D4000-memory.dmp

Filesize
144KB

Download
memory/5116-459-0x0000000073A00000-0x0000000073CCF000-memory.dmp

Filesize
2.8MB

Download
memory/5116-472-0x00000000737A0000-0x00000000738AA000-memory.dmp

Filesize
1.0MB

Download
memory/5116-474-0x0000000073710000-0x0000000073798000-memory.dmp

Filesize
544KB

Download
memory/5116-479-0x0000000000E80000-0x0000000001284000-memory.dmp

Filesize
4.0MB

Download
memory/5116-480-0x0000000073A00000-0x0000000073CCF000-memory.dmp

Filesize
2.8MB

Download