Malware Analysis Report

2025-01-03 05:11

Sample ID 230630-psd4hscf31
Target 101.exe
SHA256 902db07687a97742aa5aee6a87347a01d451939de8f022420438c73e86f96ad1
Tags
bitrat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

902db07687a97742aa5aee6a87347a01d451939de8f022420438c73e86f96ad1

Threat Level: Known bad

The file 101.exe was found to be: Known bad.

Malicious Activity Summary

bitrat upx

Bitrat family

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Looks up external IP address via web service

Uses Tor communications

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-30 12:35

Signatures

Bitrat family

bitrat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 12:35

Reported

2023-06-30 12:57

Platform

win7-20230621-en

Max time kernel

151s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\101.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

36 matches recorded; the report captured no indicator, process or target for any of them. This is a PEiD-style packer signature that commonly fires together with the UPX signature on UPX-packed images, so unless unpacking shows a separate protector it should be read as corroborating the UPX finding below rather than as evidence of a second packer.

Loads dropped DLL

Process Events
C:\Users\Admin\AppData\Local\Temp\101.exe 5
C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe 28

The only DLLs dropped during the run are the Tor runtime libraries listed under Files (libcrypto-1_1.dll, libssl-1_1.dll, libevent-2-1-6.dll, libgcc_s_sjlj-1.dll, libwinpthread-1.dll, libssp-0.dll, zlib1.dll), so these events correspond to loading them; the report does not record which DLL each individual event loaded.

UPX packed file

upx

64 matches recorded; the report captured no indicator, process or target for any of them. The sample itself is tagged upx, so static analysis should start from an unpacked copy (upx -d on a copy of 101.exe, or one of the process memory dumps for PID 1200 listed under Files) rather than from the packed PE.

Looks up external IP address via web service

Indicator Lookups
myexternalip.com 4
api.ipify.org 1

Uses Tor communications

No indicator rows were recorded for this signature; the evidence is spread over the rest of this analysis: the dropped Tor client and its runtime DLLs under C:\Users\Admin\AppData\Local\795e6f10\tor\ (Files), four instances of it started with -f torrc (Processes), the tor\data\cached-microdesc-consensus, cached-certs and state files it writes (Files), and the direct TCP connections to ports 9001 and 443 with no DNS resolution (Network).

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan

Both certificates written here are well-known public roots: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of DST Root CA X3 (the friendly name "DST Root CA X3" is readable in the Blob value below) and CABD2A79A1076A31F21D253635CB039D4329A5E8 is the thumbprint of ISRG Root X1. Writes of exactly these two roots under AuthRoot and ROOT, the port-80 requests to apps.identrust.com in the Network section and the CryptnetUrlCache and Cab*.tmp/Tar*.tmp files in the Files section are consistent with Windows CryptoAPI fetching chain material during the sample's own HTTPS connections on this Windows 7 image, not with the malware installing an attacker-controlled root. Treat this signature as supporting evidence only, and confirm by decoding the Blob value and checking that its certificate's thumbprint matches the registry key name.

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data elided in this report] C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04
eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data elided in this report] C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data elided in this report] C:\Users\Admin\AppData\Local\Temp\101.exe N/A
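As an added check (this code is not part of the report or of any sandbox tooling), the following Python parses the serialized property list that Windows stores in a SystemCertificates\...\Certificates\<thumbprint>\Blob value, so an analyst can see which certificate a "Modifies system certificate store" hit actually installed and whether the value is self-consistent. The leading properties are copied from the DAC9024F... Blob value shown above; the 846-byte certificate property (ID 32) is left out of the embedded sample for length, so the SHA-1 cross-check between the thumbprint property and the certificate is demonstrated on a constructed blob with stand-in certificate bytes. Property IDs are the CERT_*_PROP_ID constants from wincrypt.h; the blob layout (prop_id, reserved=1, length, data) is that of the registry value itself.

```python
import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h that occur in the Blob values of this report.
PROP_SHA1_HASH = 3        # SHA-1 thumbprint; also the registry key name
PROP_ENHKEY_USAGE = 9     # DER SEQUENCE OF OBJECT IDENTIFIER
PROP_FRIENDLY_NAME = 11   # UTF-16-LE, NUL-terminated
PROP_KEY_IDENTIFIER = 20  # subject key identifier
PROP_CERT = 32            # the DER-encoded certificate itself

def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}. Each entry on disk is
    DWORD prop_id, DWORD reserved (always 1), DWORD length, then the data."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} at offset {off}")
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id} truncated ({len(data)}/{length} bytes)")
        props[prop_id] = data
        off += length
    return props

def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_eku(der: bytes) -> list:
    """Decode the EKU property: a short-form DER SEQUENCE OF OBJECT IDENTIFIER."""
    if der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short-form SEQUENCE")
    body, off, oids = der[2:2 + der[1]], 0, []
    while off < len(body):
        tag, length = body[off], body[off + 1]
        if tag != 0x06:
            raise ValueError("expected an OBJECT IDENTIFIER")
        oids.append(decode_oid(body[off + 2:off + 2 + length]))
        off += 2 + length
    return oids

def summarize_blob(blob: bytes, registry_key_name: str) -> dict:
    """Say which certificate a Blob installs and whether the value is self-consistent."""
    props = parse_cert_blob(blob)
    stored = props.get(PROP_SHA1_HASH, b"").hex().upper()
    summary = {
        "friendly_name": props.get(PROP_FRIENDLY_NAME, b"").decode("utf-16-le").rstrip("\x00"),
        "stored_thumbprint": stored,
        "key_name_matches": stored == registry_key_name.upper(),
        "eku": decode_eku(props[PROP_ENHKEY_USAGE]) if PROP_ENHKEY_USAGE in props else [],
        "subject_key_id": props.get(PROP_KEY_IDENTIFIER, b"").hex().upper(),
        "has_cert": PROP_CERT in props,
    }
    if PROP_CERT in props:
        # CryptoAPI writes property 3 as the SHA-1 of property 32; a mismatch means the
        # value was written by something other than the normal certificate store code.
        computed = hashlib.sha1(props[PROP_CERT]).hexdigest().upper()
        summary["computed_thumbprint"] = computed
        summary["cert_matches_thumbprint"] = computed == stored
    return summary

def build_blob(props: dict) -> bytes:
    """Serialize {property_id: data} in the same layout (used only for test data)."""
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in props.items())

# Leading properties of the AuthRoot\...\DAC9024F...\Blob value, copied from this report.
# The certificate property (ID 32, 846 bytes in the report) is omitted for length.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c5"
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"
    "090000000100000016000000301406082b0601050507030406082b06010505070301"
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "1d00000001000000100000004558d512eecb27464920897de7b66053"
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"
    "1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424"
)
REPORT_KEY_NAME = "DAC9024F54D8F6DF94935FB1732638CA6AD77C13"

# Constructed blobs (not from the report): stand-in bytes play the role of the DER
# certificate so the thumbprint cross-check can be exercised offline.
FAKE_DER = b"constructed stand-in for DER certificate bytes"
FAKE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
CONSISTENT_BLOB = build_blob({PROP_FRIENDLY_NAME: "Example Root".encode("utf-16-le") + b"\x00\x00",
                              PROP_SHA1_HASH: bytes.fromhex(FAKE_THUMBPRINT), PROP_CERT: FAKE_DER})
TAMPERED_BLOB = build_blob({PROP_SHA1_HASH: bytes(20), PROP_CERT: FAKE_DER})
```

Calling summarize_blob(REPORT_BLOB_PREFIX, REPORT_KEY_NAME) yields friendly name "DST Root CA X3", EKU OIDs 1.3.6.1.5.5.7.3.4 and 1.3.6.1.5.5.7.3.1, subject key identifier C4A7B1A4...60858910 and a stored thumbprint equal to the registry key name; on a live system, export the full Blob value with reg.exe and the cert_matches_thumbprint field becomes the decisive check. Any property the parser does not know (for example IDs 4, 15, 25 and 29 in this value) is kept as raw bytes rather than rejected.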

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 1224 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 1200 wrote to memory of 1492 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 1200 wrote to memory of 1316 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 1200 wrote to memory of 684 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

All four targets are the dllhost.exe (dropped Tor) children that PID 1200 started; whether these writes are part of ordinary child start-up or injection of a separate payload should be settled from the per-process memory dumps listed under Files (for example memory/1224-72-0x00000000010F0000-0x00000000014F4000-memory.dmp) rather than from the call count alone.

Processes

C:\Users\Admin\AppData\Local\Temp\101.exe (PID 1200)

"C:\Users\Admin\AppData\Local\Temp\101.exe"

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe (four child processes of PID 1200: PIDs 1224, 1492, 1316 and 684, per the WriteProcessMemory rows above)

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

dllhost.exe is the name of the Windows COM Surrogate in System32; here it is the dropped Tor client (its libcrypto, libssl, libevent, libgcc, libwinpthread, libssp and zlib1 DLLs, the torrc and the tor\data directory are listed under Files), run from a hex-named directory under %LOCALAPPDATA% with the dropped torrc as its configuration.

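As an added detection example (not taken from the report or from any vendor tooling), the following Python applies the three observations from the process tree above to constructed Sysmon-style process-creation events: a Windows system binary name (dllhost.exe) running from outside System32/SysWOW64 (ATT&CK T1036.005), a Tor-style "-f torrc" command line, and execution from a "tor" directory under %LOCALAPPDATA%. The event records are constructed for this example; the image paths, command lines and PIDs of the three records mirroring the report are copied from it, while the benign COM Surrogate launch, its parent PID and its CLSID placeholder are invented.

```python
import ntpath
import re

# Windows system binary names that dropped files are commonly given; genuine copies
# live only under the system directories. Extend the set to taste.
SYSTEM_BINARY_NAMES = {"dllhost.exe", "svchost.exe", "rundll32.exe", "conhost.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# tor's configuration-file switch as seen in this report ("-f torrc"), path prefix allowed.
TOR_CONFIG_ARG = re.compile(r"(^|\s)-f\s+\S*torrc\b", re.IGNORECASE)

def runs_from_tor_dir_under_localappdata(image: str) -> bool:
    low = image.lower()
    return "\\appdata\\local\\" in low and ntpath.basename(ntpath.dirname(low)) == "tor"

def classify(event: dict) -> list:
    """Return the reasons an event looks like a dropped Tor client masquerading as a system binary."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"{name} running outside System32/SysWOW64 (T1036.005 masquerading)")
    if TOR_CONFIG_ARG.search(event.get("CommandLine", "")):
        reasons.append("tor-style '-f torrc' argument")
    if runs_from_tor_dir_under_localappdata(image):
        reasons.append("runs from a 'tor' directory under %LOCALAPPDATA%")
    return reasons

def scan(events: list) -> list:
    """Return (ProcessId, ParentProcessId, reasons) for every flagged event."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["ProcessId"], event.get("ParentProcessId"), reasons))
    return hits

# Constructed Sysmon Event ID 1 style records. The first three mirror this report's
# process tree (paths, command lines and PIDs as recorded there); the fourth is an
# invented benign COM Surrogate launch with a placeholder CLSID and parent PID.
SAMPLE_EVENTS = [
    {"ProcessId": 1200,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\101.exe",
     "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\101.exe\""},
    {"ProcessId": 1224, "ParentProcessId": 1200,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\795e6f10\\tor\\dllhost.exe",
     "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\795e6f10\\tor\\dllhost.exe\" -f torrc"},
    {"ProcessId": 1492, "ParentProcessId": 1200,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\795e6f10\\tor\\dllhost.exe",
     "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\795e6f10\\tor\\dllhost.exe\" -f torrc"},
    {"ProcessId": 3012, "ParentProcessId": 620,
     "Image": "C:\\Windows\\System32\\dllhost.exe",
     "CommandLine": "C:\\Windows\\System32\\dllhost.exe /Processid:{PLACEHOLDER-CLSID}"},
]
```

scan(SAMPLE_EVENTS) flags PIDs 1224 and 1492 with all three reasons and leaves the dropper (101.exe is not a system binary name) and the genuine System32 dllhost.exe alone. The path test is deliberately on the image path rather than on the "-f torrc" string alone, because the switch is easy to rename while the location of a real COM Surrogate is not.
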
Network

Country Destination Domain Proto
N/A 127.0.0.1:45808 - tcp
N/A 127.0.0.1:49203 - tcp
SE 193.11.164.243:9001 - tcp
DE 54.36.237.163:443 - tcp
CA 148.113.162.135:9001 - tcp
FI 95.216.115.85:443 - tcp
US 172.106.167.62:443 - tcp
FI 95.216.115.85:443 - tcp
US 172.106.167.62:443 - tcp
N/A 127.0.0.1:45808 - tcp
N/A 127.0.0.1:49297 - tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:45808 - tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
NL 92.122.101.41:80 apps.identrust.com tcp
NL 92.122.101.18:80 apps.identrust.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.237.62.211:80 api.ipify.org tcp
N/A 127.0.0.1:49384 - tcp
FR 51.255.106.107:443 - tcp
US 51.81.93.39:443 - tcp
N/A 127.0.0.1:45808 - tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:49595 - tcp

Three groups stand out. The loopback connections to 127.0.0.1:45808 recur four times and are most plausibly the sample talking to the SOCKS port of the dropped Tor client (the remaining loopback entries use varying high ports); the torrc listed under Files would confirm the port. The TCP connections to ports 9001 and 443 with no domain are consistent with Tor relay traffic, which is addressed by IP from the cached consensus and never resolves names. The only clearnet traffic is the external-IP lookups (myexternalip.com, api.ipify.org) and the port-80 requests to apps.identrust.com that accompany the certificate-store writes.

Files

\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1200-71-0x0000000003B90000-0x0000000003F94000-memory.dmp

memory/1224-72-0x00000000010F0000-0x00000000014F4000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/1224-77-0x0000000074800000-0x0000000074ACF000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/1224-81-0x00000000747B0000-0x00000000747F9000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/1224-89-0x00000000746E0000-0x00000000747A8000-memory.dmp

memory/1224-90-0x00000000745D0000-0x00000000746DA000-memory.dmp

memory/1224-91-0x0000000074540000-0x00000000745C8000-memory.dmp

memory/1224-92-0x0000000074470000-0x000000007453E000-memory.dmp

memory/1224-93-0x0000000074BC0000-0x0000000074BE4000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

memory/1224-97-0x00000000010F0000-0x00000000014F4000-memory.dmp

memory/1224-98-0x0000000074800000-0x0000000074ACF000-memory.dmp

memory/1224-99-0x00000000747B0000-0x00000000747F9000-memory.dmp

memory/1224-100-0x00000000746E0000-0x00000000747A8000-memory.dmp

memory/1224-101-0x00000000745D0000-0x00000000746DA000-memory.dmp

memory/1224-103-0x0000000074470000-0x000000007453E000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdesc-consensus.tmp

MD5 e1b88d23b5a71c322fd3d0936316ee23
SHA1 021ef69e219a82fa1ded80fea742d3ebc7e384a2
SHA256 4dc7876929e374e70a626fc40f6a2277ef11c5cdb09178fbc9aacba33ea4ddac
SHA512 4367b88044d315e2b8c9e20be746b2ae25a87fcf63ff83877ba1e272a4fdb69db38a471601f09436bf63f0c771436d261975938a82a445fd1b1aea4acb96e24f

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdescs.new

MD5 d40457ef1a00ac769bc514abecf9dc8a
SHA1 ace1b473eb312847ba82bf74c5b596678b702eb1
SHA256 98149f1f723386551853d297a98414251ab81f1af623c1acf2d14a1acbdb0467
SHA512 8561629fc8411b416e99964d129ec619994b4a1c08e1dd4c04956cea53a39da13c0c35e5c45b7825d11a96a80d09ead5b4e148d920f6e48169a5ab8524ff1605

memory/1224-119-0x00000000010F0000-0x00000000014F4000-memory.dmp

memory/1224-128-0x00000000010F0000-0x00000000014F4000-memory.dmp

memory/1224-136-0x00000000010F0000-0x00000000014F4000-memory.dmp

memory/1200-144-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

memory/1200-145-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

memory/1224-146-0x00000000010F0000-0x00000000014F4000-memory.dmp

memory/1200-154-0x0000000001260000-0x000000000126A000-memory.dmp

memory/1200-155-0x0000000001260000-0x000000000126A000-memory.dmp

memory/1200-156-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

memory/1200-157-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

memory/1224-158-0x00000000010F0000-0x00000000014F4000-memory.dmp

memory/1492-181-0x00000000010F0000-0x00000000014F4000-memory.dmp

memory/1492-182-0x0000000074800000-0x0000000074ACF000-memory.dmp

memory/1492-183-0x00000000747B0000-0x00000000747F9000-memory.dmp

memory/1492-184-0x00000000746E0000-0x00000000747A8000-memory.dmp

memory/1492-185-0x00000000745D0000-0x00000000746DA000-memory.dmp

memory/1200-187-0x0000000005330000-0x0000000005734000-memory.dmp

memory/1492-186-0x0000000074540000-0x00000000745C8000-memory.dmp

memory/1492-188-0x0000000074470000-0x000000007453E000-memory.dmp

memory/1492-189-0x0000000074BC0000-0x0000000074BE4000-memory.dmp

memory/1200-190-0x0000000001260000-0x000000000126A000-memory.dmp

memory/1200-191-0x0000000001260000-0x000000000126A000-memory.dmp

memory/1200-192-0x0000000005330000-0x0000000005734000-memory.dmp

memory/1492-193-0x00000000746E0000-0x00000000747A8000-memory.dmp

memory/1200-194-0x0000000004A80000-0x0000000004A8A000-memory.dmp

memory/1200-195-0x0000000004A80000-0x0000000004A8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1864.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar1A5A.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

memory/1200-246-0x0000000005CB0000-0x00000000060B4000-memory.dmp

memory/1316-247-0x0000000000090000-0x0000000000494000-memory.dmp

memory/1316-248-0x00000000739C0000-0x0000000073C8F000-memory.dmp

memory/1316-249-0x0000000074570000-0x00000000745B9000-memory.dmp

memory/1316-250-0x00000000744A0000-0x0000000074568000-memory.dmp

memory/1316-251-0x00000000738B0000-0x00000000739BA000-memory.dmp

memory/1316-254-0x0000000073F60000-0x0000000073FE8000-memory.dmp

memory/1316-255-0x0000000074470000-0x0000000074494000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\data\state

MD5 195c4e5f3a25d69058e9cbf1ffee0a6d
SHA1 f1d8748d0439e3385a480f4bca9f1e1f6e3f8894
SHA256 2c88bf6ed3135c634840bacf851ec1c9a31c8b5d4df56a6df42e557689b2d466
SHA512 a938429c6a40394402fd172e906b4bafdd6195983e03adeb00ef64649f27c7cc5319547e9c4bea741865d4d9bfc835cc59ec861dda3e5b52ee9fe4fee619643b

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ad489d28d119d5f5c3858fd28391586
SHA1 13c11f3a3d44580eb2c65debe492b9d67b592513
SHA256 cb1bb9db2045b19813ff5bc2d88ec9020ec5ab48a0dbc01ca5242ddf36b034a0
SHA512 928eed0370c47f3e042deba5299d2270814278bc1969a06fcaaf3f1341cd25aa04717a92a6c309329378f64cb563300a25a53beed471e2939256789cf0d6b894

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdesc-consensus

MD5 e1b88d23b5a71c322fd3d0936316ee23
SHA1 021ef69e219a82fa1ded80fea742d3ebc7e384a2
SHA256 4dc7876929e374e70a626fc40f6a2277ef11c5cdb09178fbc9aacba33ea4ddac
SHA512 4367b88044d315e2b8c9e20be746b2ae25a87fcf63ff83877ba1e272a4fdb69db38a471601f09436bf63f0c771436d261975938a82a445fd1b1aea4acb96e24f

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-certs

MD5 bdcd7a5b147946934f2ab54683db6503
SHA1 f9421ee542a4af7d80dc3ee2c734372c300c2a96
SHA256 18293d1f8522824ceb4181b1b2e1708d2499df41795e0629ce14787710fb0fdf
SHA512 fdb927b46f11577219588105983868e681fcf37e70fe67991b587563760fcb5212a86c790e4828180d9cececfaafd0207c592eedab1c70342370eaadafc6a67b

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdescs.new

MD5 736d3141a6a41f95aed774f739a8110c
SHA1 3b7ef57530a0c4529d9637e1b8a3a0fdac844878
SHA256 3fb426851e313af66ff323e85b1a11f94eb9bbcae987130b81e46af3758ac44c
SHA512 75cfa80f4fee5777ef60d5d814e11b000c2a8851d510e1d9e9b3bda5e1f9c1fb541c24a2c65eaf723c8ec0cd3c5cfd8149476ed11c11da67e4fdcf36cf254512

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1d568179692eeabc6f0c4d9f0f69082
SHA1 c14fc6f560faf1de9f95e61d0365c0f6b336a997
SHA256 650dd3cc125f8f7714065a030fe8201e1ed928d05488f8e6bba0f5f7e72e4f34
SHA512 913a2e5472112316870d3f091be1fc73267c022ff364d9b656d2d8cbcd8e47f36031e0232a7c69148d511daf2869de7ae5b77c740b517f54a68a6135687efdca

memory/1316-336-0x00000000737E0000-0x00000000738AE000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\data\unverified-microdesc-consensus

MD5 e1b88d23b5a71c322fd3d0936316ee23
SHA1 021ef69e219a82fa1ded80fea742d3ebc7e384a2
SHA256 4dc7876929e374e70a626fc40f6a2277ef11c5cdb09178fbc9aacba33ea4ddac
SHA512 4367b88044d315e2b8c9e20be746b2ae25a87fcf63ff83877ba1e272a4fdb69db38a471601f09436bf63f0c771436d261975938a82a445fd1b1aea4acb96e24f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3b2ec03ea558cd6e25ca4d35f559a8b
SHA1 cb227779f29374f0e89c922d1602e4a086cb878d
SHA256 b836d3b4da07f907e3df616b3a849207a8aa26c5ddad9c941a345bf47ebae653
SHA512 50ee35160d8a67437bbd5cef09b66cc4999c747ca449413f6dd058c3c3616a86958b6cc5d08659415d076af06c21d75f02f3f492e5e96c52cab3bc523cfd3414

memory/1200-374-0x0000000004A80000-0x0000000004A8A000-memory.dmp

memory/1200-375-0x0000000004A80000-0x0000000004A8A000-memory.dmp

memory/1316-376-0x0000000000090000-0x0000000000494000-memory.dmp

memory/1316-377-0x00000000739C0000-0x0000000073C8F000-memory.dmp

memory/1316-379-0x00000000744A0000-0x0000000074568000-memory.dmp

memory/1316-378-0x0000000074570000-0x00000000745B9000-memory.dmp

memory/1316-381-0x0000000073F60000-0x0000000073FE8000-memory.dmp

memory/1316-383-0x0000000074470000-0x0000000074494000-memory.dmp

memory/1316-380-0x00000000738B0000-0x00000000739BA000-memory.dmp

memory/1316-384-0x0000000000090000-0x0000000000494000-memory.dmp

memory/1316-385-0x0000000000090000-0x0000000000494000-memory.dmp

memory/1200-429-0x00000000047F0000-0x00000000047FA000-memory.dmp

\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

memory/1316-462-0x0000000000090000-0x0000000000494000-memory.dmp

memory/1200-466-0x00000000060F0000-0x00000000064F4000-memory.dmp

memory/684-468-0x0000000000090000-0x0000000000494000-memory.dmp

memory/684-470-0x00000000739C0000-0x0000000073C8F000-memory.dmp

memory/684-472-0x0000000074570000-0x00000000745B9000-memory.dmp

memory/684-474-0x00000000744A0000-0x0000000074568000-memory.dmp

memory/684-475-0x00000000738B0000-0x00000000739BA000-memory.dmp

memory/684-478-0x0000000074470000-0x0000000074494000-memory.dmp

memory/684-477-0x00000000737E0000-0x00000000738AE000-memory.dmp

memory/684-476-0x0000000073F60000-0x0000000073FE8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 12:35

Reported

2023-06-30 12:57

Platform

win10v2004-20230621-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\101.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A (47 matches; the report records no description, indicator, process or target for any of them)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe N/A (39 matches, all attributed to the dropped dllhost.exe)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 matches; the report records no description, indicator, process or target for any of them)

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A (5 matches)

Uses Tor communications

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 4460 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 4828 wrote to memory of 3660 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 4828 wrote to memory of 3280 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 4828 wrote to memory of 2264 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 4828 wrote to memory of 3612 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\101.exe

"C:\Users\Admin\AppData\Local\Temp\101.exe"

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc
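The process list above shows five copies of a binary named dllhost.exe, all under C:\Users\Admin\AppData\Local\795e6f10\tor\ and all started with `-f torrc`, which is tor's option for naming its configuration file; the genuine dllhost.exe is the COM surrogate in C:\Windows\System32 and takes no such argument. The Python below is an added example, not part of the sandbox report or of the sample, that scores process-creation events on three independent signals: a system-binary name outside the system directories, tor's `-f torrc` option, and a parent running from a user-writable path. The event records are constructed from the Processes and WriteProcessMemory tables above plus one benign control; the field names are assumed and mimic Sysmon Event ID 1.

```python
"""Flag the masqueraded Tor client from this report's process tree.

Added example; not part of the sandbox report. SAMPLE_EVENTS is constructed
from the Processes and WriteProcessMemory tables (plus one benign control) and
the field names are assumed, mimicking Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass

# Binaries that, on a stock Windows install, live only under the system directories.
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "rundll32.exe", "conhost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Directory fragments a standard user can write to (parent-of-interest check).
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming", r"\users\public", r"\programdata")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


_CMD_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')


def split_cmdline(cmdline: str):
    """Split a Windows command line into (image, args); the image may be quoted."""
    m = _CMD_RE.match(cmdline)
    if not m:
        return "", []
    return (m.group(1) or m.group(2)), m.group(3).split()


def tor_config_flag(args):
    """True if the argument list carries tor's `-f <torrc>` config-file option."""
    if "-f" not in args:
        return False
    following = args[args.index("-f") + 1:][:1]
    return bool(following) and following[0].lower().endswith("torrc")


def analyse(events):
    """Return [(pid, [reasons])] for every process that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        reasons = []
        directory, _, name = e.image.lower().rpartition("\\")
        if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            reasons.append(f"{name} running from {directory}, not a system directory")
        if tor_config_flag(split_cmdline(e.cmdline)[1]):
            reasons.append("started with tor's '-f torrc' option: this is a Tor client")
        parent = by_pid.get(e.ppid)
        if parent and any(d in parent.image.lower() for d in USER_WRITABLE):
            reasons.append(f"spawned by pid {parent.pid} ({parent.image}) from a user-writable path")
        if reasons:
            findings.append((e.pid, reasons))
    return findings


TOR = r"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe"
SAMPLE_EVENTS = [  # constructed from the report's process list; ppid 1 / 700 are placeholders
    ProcEvent(4828, 1, r"C:\Users\Admin\AppData\Local\Temp\101.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\101.exe"'),
    *[ProcEvent(pid, 4828, TOR, f'"{TOR}" -f torrc') for pid in (4460, 3660, 3280, 2264, 3612)],
    # Benign control: the real COM surrogate, with a constructed placeholder CLSID.
    ProcEvent(900, 700, r"C:\Windows\System32\dllhost.exe",
              r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for pid, reasons in analyse(SAMPLE_EVENTS):
        print(pid, *reasons, sep="\n  ")
```

Each dropped dllhost.exe trips all three rules and the real COM surrogate trips none. The name-versus-directory check is the one to deploy broadly; the torrc check is specific to this bundling pattern and will miss a rebuilt Tor client that embeds its configuration.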

Network

Country Destination Domain Proto
US 52.165.164.15:443 - tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
NL 178.79.208.1:80 - tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BG 213.183.60.21:443 - tcp
N/A 127.0.0.1:49770 - tcp
NO 193.35.52.53:9001 - tcp
N/A 127.0.0.1:45808 - tcp
US 8.8.8.8:53 76.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 92.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 132.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
MD 178.17.174.14:9001 - tcp
DE 131.188.40.189:443 - tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
US 8.8.8.8:53 14.174.17.178.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
N/A 127.0.0.1:45808 - tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 185.220.101.48:20048 - tcp
US 128.31.0.39:9101 - tcp
DE 46.38.254.168:40000 - tcp
DE 185.245.60.222:9100 - tcp
FI 65.108.254.247:9081 - tcp
US 8.8.8.8:53 222.60.245.185.in-addr.arpa udp
US 8.8.8.8:53 168.254.38.46.in-addr.arpa udp
US 8.8.8.8:53 247.254.108.65.in-addr.arpa udp
DE 185.245.60.222:9100 - tcp
DE 46.38.254.168:40000 - tcp
US 8.8.8.8:53 134.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 10.101.122.92.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
N/A 127.0.0.1:49921 - tcp
N/A 127.0.0.1:45808 - tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:49956 - tcp
CA 51.222.140.58:443 - tcp
US 8.8.8.8:53 58.140.222.51.in-addr.arpa udp
CH 188.40.220.196:8000 - tcp
US 8.8.8.8:53 196.220.40.188.in-addr.arpa udp
N/A 127.0.0.1:45808 - tcp
NL 178.79.208.1:80 - tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:50019 - tcp
N/A 127.0.0.1:45808 - tcp
US 34.160.111.145:443 myexternalip.com tcp
N/A 127.0.0.1:50075 - tcp
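The table mixes four kinds of rows. TCP connections go straight to IP addresses on ports such as 9001, 9100 and 9101 with no DNS lookup first, which is how a Tor client reaches relays listed in the consensus (9001 is tor's default ORPort; 128.31.0.39:9101 and 131.188.40.189:443 are the ORPorts of the directory authorities moria1 and gabelmoo, consistent with a first-run bootstrap that also explains the cached-certs and cached-microdesc-consensus files in the Files listing). The PTR lookups to 8.8.8.8 carry in-addr.arpa names that reverse to the very addresses just contacted, which is consistent with reverse resolution in the analysis environment rather than behaviour of the sample. The repeated loopback connections to 127.0.0.1:45808 are consistent with a local SOCKS or control listener opened by the dropped tor, and the myexternalip.com rows are the lookups behind the "Looks up external IP address" signature. The script below is an added example, not part of the report, that parses the table in its own layout and labels each row accordingly; SAMPLE_ROWS is a constructed excerpt.

```python
"""Classify rows of a sandbox Network table of the form `Country Destination [Domain] Proto`.

Added example; not part of the sandbox output. SAMPLE_ROWS is a constructed
excerpt of the table above. A `-` in the Domain column is treated as absent.
"""
import ipaddress
from collections import Counter

SAMPLE_ROWS = """\
US 52.165.164.15:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
NL 178.79.208.1:80 tcp
N/A 127.0.0.1:45808 tcp
NO 193.35.52.53:9001 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:443 myexternalip.com tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
"""

TOR_DEFAULT_PORTS = {9001, 9030}  # tor's default ORPort and DirPort; relays may use any port


def parse_rows(text):
    """Parse table lines into dicts; tolerates a missing or '-' Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def rdns_target(name):
    """'15.164.165.52.in-addr.arpa' -> '52.165.164.15'; None for non-PTR names."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(rows):
    """Return (Counter of labels, [(host, port, default_tor_port)] for direct-to-IP TCP)."""
    tcp_hosts = {r["host"] for r in rows if r["proto"] == "tcp"}
    counts, direct = Counter(), []
    for r in rows:
        ip = ipaddress.ip_address(r["host"])
        target = rdns_target(r["domain"])
        if target is not None:
            # PTR query: was the reversed address actually contacted over TCP?
            label = "rdns-of-contacted-host" if target in tcp_hosts else "rdns-other"
        elif ip.is_loopback:
            label = "loopback"
        elif r["proto"] == "udp" and r["port"] == 53:
            label = "dns-query"
        elif r["domain"]:
            label = "named-connection"
        else:
            label = "direct-ip"  # no name resolution preceded it
            direct.append((r["host"], r["port"], r["port"] in TOR_DEFAULT_PORTS))
        counts[label] += 1
    return counts, direct


if __name__ == "__main__":
    counts, direct = classify(parse_rows(SAMPLE_ROWS))
    print(dict(counts))
    for host, port, default_port in direct:
        print(f"{host}:{port}" + ("  (tor default port)" if default_port else ""))
```

Relay addresses rotate and are shared by every Tor user, so the direct-ip list is a poor long-term blocklist; the durable indicators are the dropped tor bundle in the Files listing and the traffic shape itself, a non-browser process making direct-to-IP TLS connections to many hosts on non-standard ports.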

Files

memory/4828-142-0x0000000075200000-0x0000000075239000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/4460-166-0x00000000006D0000-0x0000000000AD4000-memory.dmp

memory/4460-167-0x0000000074680000-0x0000000074748000-memory.dmp

memory/4460-168-0x0000000074630000-0x0000000074679000-memory.dmp

memory/4460-169-0x0000000074560000-0x000000007462E000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

memory/4460-170-0x0000000074290000-0x000000007455F000-memory.dmp

memory/4460-175-0x0000000074260000-0x0000000074284000-memory.dmp

memory/4460-174-0x0000000001C40000-0x0000000001F0F000-memory.dmp

memory/4460-176-0x0000000074150000-0x000000007425A000-memory.dmp

memory/4460-178-0x00000000012C0000-0x0000000001348000-memory.dmp

memory/4460-177-0x00000000740C0000-0x0000000074148000-memory.dmp

memory/4828-179-0x0000000073D90000-0x0000000073DC9000-memory.dmp

memory/4460-180-0x00000000006D0000-0x0000000000AD4000-memory.dmp

memory/4460-182-0x0000000074560000-0x000000007462E000-memory.dmp

memory/4460-183-0x0000000074680000-0x0000000074748000-memory.dmp

memory/4460-184-0x0000000074290000-0x000000007455F000-memory.dmp

memory/4460-188-0x00000000006D0000-0x0000000000AD4000-memory.dmp

memory/4460-189-0x00000000012C0000-0x0000000001348000-memory.dmp

memory/4460-190-0x00000000006D0000-0x0000000000AD4000-memory.dmp

memory/4460-198-0x00000000006D0000-0x0000000000AD4000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdesc-consensus.tmp

MD5 e1b88d23b5a71c322fd3d0936316ee23
SHA1 021ef69e219a82fa1ded80fea742d3ebc7e384a2
SHA256 4dc7876929e374e70a626fc40f6a2277ef11c5cdb09178fbc9aacba33ea4ddac
SHA512 4367b88044d315e2b8c9e20be746b2ae25a87fcf63ff83877ba1e272a4fdb69db38a471601f09436bf63f0c771436d261975938a82a445fd1b1aea4acb96e24f

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdescs.new

MD5 b95672380227262bf121f2ea15bd397a
SHA1 67b58d6a96b471854aa2551639280d136339de65
SHA256 70b5bed99cbcc063c774ebf52cbcb0130189c6c8f504b549c5b7040a579e3450
SHA512 561b59599db14b59f9e0b8811118ffa70dff0cead21b32c58ce7da8313433125d969ef200500bb50003756c279100eb14df86e4942156e87dfc5455ddae6c72d

memory/4460-231-0x00000000006D0000-0x0000000000AD4000-memory.dmp

memory/4460-245-0x00000000006D0000-0x0000000000AD4000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

C:\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/3660-271-0x00000000006D0000-0x0000000000AD4000-memory.dmp

memory/3660-272-0x0000000074290000-0x000000007455F000-memory.dmp

memory/3660-273-0x0000000074680000-0x0000000074748000-memory.dmp

memory/3660-274-0x0000000074560000-0x000000007462E000-memory.dmp

memory/3660-275-0x0000000074630000-0x0000000074679000-memory.dmp

memory/3660-276-0x0000000074260000-0x0000000074284000-memory.dmp

memory/3660-277-0x0000000074150000-0x000000007425A000-memory.dmp

memory/3660-278-0x00000000740C0000-0x0000000074148000-memory.dmp

memory/3660-279-0x00000000006D0000-0x0000000000AD4000-memory.dmp

memory/3660-280-0x0000000074290000-0x000000007455F000-memory.dmp

memory/3660-281-0x0000000074680000-0x0000000074748000-memory.dmp

memory/3660-283-0x0000000074630000-0x0000000074679000-memory.dmp

memory/3660-285-0x0000000074150000-0x000000007425A000-memory.dmp

memory/3660-286-0x00000000740C0000-0x0000000074148000-memory.dmp

memory/4828-287-0x0000000074540000-0x0000000074579000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-certs

MD5 92c0694d484132ed09ff3ff2cf4a6c9e
SHA1 4c8228800dcc8e53ed21460b9b36fda32b722f74
SHA256 38b8a0f5f427a640cfcd53ddc87733900cddff65143dac7dcc001238ab50e618
SHA512 2334d9b99a9e7a8f42f2ddbd1bb6e1592d25108fcf13836465e126c7a04af3793c4177a8d25ca49a64e03e2b722b989bd5b2ea84458e483029062e39f1240151

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdesc-consensus

MD5 e1b88d23b5a71c322fd3d0936316ee23
SHA1 021ef69e219a82fa1ded80fea742d3ebc7e384a2
SHA256 4dc7876929e374e70a626fc40f6a2277ef11c5cdb09178fbc9aacba33ea4ddac
SHA512 4367b88044d315e2b8c9e20be746b2ae25a87fcf63ff83877ba1e272a4fdb69db38a471601f09436bf63f0c771436d261975938a82a445fd1b1aea4acb96e24f

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdescs.new

MD5 cfceb922a42f5f2f31f4d7b17ece6690
SHA1 ab81a9a43a7123ad71a5962975b007084e2d8e46
SHA256 5d39e1663622ea79373d94b10b69a3f85b245f2284b435a10dd4f2e014cd68e5
SHA512 dda0356ebb9fddd680519fb1bc16a44f608b3c24604f4187bc8fa6f63f107b4bd5d03d35c609f8547b3bbabf90b92939566008c84a5ce75e7fdf25d9311a485e

C:\Users\Admin\AppData\Local\795e6f10\tor\data\state

MD5 a3b41cfceb5d2373b65112dfcebee127
SHA1 29f6beaaaf6e65d489f7748735c03007d3d1ee97
SHA256 4be115d19ec8ec7eea462befa715aaf928630adda3afea6e6b7c2ed8d6947325
SHA512 56acb7757fd246b92d6c261a759899b0e475f20b7be823d7d955bfb5f29edd70d2dc626311e1d6c09e15d4038b2cb442ec7f460b1ca470419028ff53ce794d9d

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

C:\Users\Admin\AppData\Local\795e6f10\tor\data\unverified-microdesc-consensus

MD5 e1b88d23b5a71c322fd3d0936316ee23
SHA1 021ef69e219a82fa1ded80fea742d3ebc7e384a2
SHA256 4dc7876929e374e70a626fc40f6a2277ef11c5cdb09178fbc9aacba33ea4ddac
SHA512 4367b88044d315e2b8c9e20be746b2ae25a87fcf63ff83877ba1e272a4fdb69db38a471601f09436bf63f0c771436d261975938a82a445fd1b1aea4acb96e24f
