Malware Analysis Report

2025-01-03 05:04

Sample ID 230826-zr56qafa8w
Target 101.exe
SHA256 def365ca4816c8d33a32a6ccf7632a875c77672c2c148d6720e8b26f66e5eec6
Tags
upx bitrat
score
10/10

Analysis Overview

score
10/10

SHA256

def365ca4816c8d33a32a6ccf7632a875c77672c2c148d6720e8b26f66e5eec6

Threat Level: Known bad

The file 101.exe was found to be: Known bad.

Malicious Activity Summary

upx bitrat

Bitrat family

Executes dropped EXE

UPX packed file

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Uses Tor communications

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-26 20:58

Signatures

Bitrat family

bitrat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-08-26 20:58

Reported

2023-08-26 21:00

Platform

win7-20230712-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\101.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software


Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe N/A

UPX packed file

upx

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Uses Tor communications

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 3024 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 3024 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 3024 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 3024 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 3024 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 3024 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 3024 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\101.exe

"C:\Users\Admin\AppData\Local\Temp\101.exe"

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

Network


Files


\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

memory/2028-262-0x0000000073F90000-0x000000007425F000-memory.dmp

memory/2028-259-0x00000000012F0000-0x00000000016F4000-memory.dmp

memory/2028-263-0x00000000012F0000-0x00000000016F4000-memory.dmp

memory/2028-265-0x00000000744F0000-0x0000000074539000-memory.dmp

memory/2028-266-0x0000000073F90000-0x000000007425F000-memory.dmp

memory/2028-271-0x0000000073DB0000-0x0000000073EBA000-memory.dmp

memory/2028-268-0x0000000073EC0000-0x0000000073F88000-memory.dmp

memory/2028-274-0x0000000074460000-0x00000000744E8000-memory.dmp

memory/2028-276-0x0000000073CE0000-0x0000000073DAE000-memory.dmp

memory/2028-278-0x0000000074770000-0x0000000074794000-memory.dmp

\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/3024-301-0x0000000005BA0000-0x0000000005FA4000-memory.dmp

memory/1628-302-0x00000000013D0000-0x00000000017D4000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdesc-consensus

MD5 62277c3c230836e89c97734568cd1296
SHA1 2c72d50a2b528d44dcc91a559d84430f08a0fe09
SHA256 6d2b556001b3d4e8d80798a0b1f0d44ec316970e3e910d924889476b98ad147c
SHA512 e7d2eae6cf20fa9bf599c6b7334767d3eab9a61982ea509da1854d8a74b4ee8bb6c28900d233a874169b3dd467ff7219491955553659da7a17427fdd4109f634

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-certs

MD5 4f3a9a7b724391ee06dae52506fe2a7f
SHA1 f51e80463d21f5ea2fc083896609b7b40ecf47d5
SHA256 5876a5f40711f3752ef00a6de8fd92e3a9669da1480327a5b06d95fd801aef87
SHA512 291204e098055dee2aea6afe3e522068d723c645eee850e456839260fccb2fc90f8d60176f7292362ffc5c4cd2b0feb09a2f7940b0856d3900b37755c5829c8e

C:\Users\Admin\AppData\Local\795e6f10\tor\data\state

MD5 b3ef577b46e4a23f66466a2e00c93a5e
SHA1 b5be1405b766f97dc1d71c22eb666f7f26edbbb1
SHA256 f681e8373193090e42584698abf0f510e469e3c38c92e758ea2f175f69c64139
SHA512 fcdf0a0631c4bd4995e1e02b057307c401d0b032b3bb63735c96e75bba3cce0929d6b166e8fcf2ef392a5fa83a218f4c9d6658c3ac9a8c4cba0dbd25822b27cc

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

memory/1628-303-0x0000000072E90000-0x000000007315F000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdescs.new

MD5 ffb7b93d5788adf69d270c99656450a1
SHA1 7bb3148e85ad766a72054f8d26e534c891335e9b
SHA256 2a27ea3d849b420bbac0f201b1cc1726ba7d0b97aa80163342450b5caa8bebee
SHA512 c20f8c5294937d281c85ac2a747a5821c371fab78caed58868caf6afea6206e0689917fa9e402db22db0a3b0ec7bb9889f002a610a5312f5c23eb7fd9776a1c1

memory/1628-307-0x0000000074080000-0x000000007418A000-memory.dmp

memory/1628-306-0x0000000074190000-0x0000000074258000-memory.dmp

memory/1628-304-0x00000000744A0000-0x00000000744E9000-memory.dmp

memory/1628-310-0x0000000073F20000-0x0000000073FEE000-memory.dmp

memory/1628-309-0x0000000074510000-0x0000000074534000-memory.dmp

memory/1628-308-0x0000000073FF0000-0x0000000074078000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\data\unverified-microdesc-consensus

MD5 62277c3c230836e89c97734568cd1296
SHA1 2c72d50a2b528d44dcc91a559d84430f08a0fe09
SHA256 6d2b556001b3d4e8d80798a0b1f0d44ec316970e3e910d924889476b98ad147c
SHA512 e7d2eae6cf20fa9bf599c6b7334767d3eab9a61982ea509da1854d8a74b4ee8bb6c28900d233a874169b3dd467ff7219491955553659da7a17427fdd4109f634

memory/3024-315-0x0000000004660000-0x000000000466A000-memory.dmp

memory/3024-316-0x0000000004660000-0x000000000466A000-memory.dmp

memory/3024-319-0x0000000005BA0000-0x0000000005FA4000-memory.dmp

memory/1628-320-0x00000000013D0000-0x00000000017D4000-memory.dmp

memory/1628-328-0x00000000013D0000-0x00000000017D4000-memory.dmp

memory/1628-329-0x00000000013D0000-0x00000000017D4000-memory.dmp

memory/3024-337-0x0000000004290000-0x000000000429A000-memory.dmp

memory/1628-386-0x00000000013D0000-0x00000000017D4000-memory.dmp

\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/2136-403-0x0000000072E90000-0x000000007315F000-memory.dmp

\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\795e6f10\tor\data\state

MD5 e589ac8e688c6c9e43bbdab55ef3605d
SHA1 8a06be3aafcde30b5cbe4af24c4e29ee6bc5f434
SHA256 a3271ff360b610338d6c4f72eeaa6c8d9d48fbef7f051b5eace67be1309f9c88
SHA512 184ccc992ccd2158e18443bea8ab069d7baf2987ec0979d77498ab0c704492a4be56ede13f3a3dc870e4ab6ac839e820accbc7f525aa97bc7115646f7c71a43d

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

memory/2136-412-0x0000000073FF0000-0x0000000074078000-memory.dmp

memory/2136-411-0x0000000074080000-0x000000007418A000-memory.dmp

memory/2136-408-0x0000000074190000-0x0000000074258000-memory.dmp

memory/2136-405-0x00000000744A0000-0x00000000744E9000-memory.dmp

memory/2136-417-0x00000000013D0000-0x00000000017D4000-memory.dmp

memory/2136-416-0x0000000074510000-0x0000000074534000-memory.dmp

memory/2136-415-0x0000000073F20000-0x0000000073FEE000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdescs

MD5 c5eb4a5dc819e9514af228483bb00281
SHA1 c21a109e574c407ab864ce08d447068284f5d895
SHA256 316e3a5739a6a89a5d8af3846792d19300c2f42df8ba3102bfc4b75f40f6f754
SHA512 15a038591cab8df255ce16b047101e875ad57352de2d58c5b31cdc9e4259e3fa211683f1472d20e04e7787abfee4d4cbd9e5c3abf8e04a24e8230372c438c66f

memory/3024-419-0x0000000004290000-0x000000000429A000-memory.dmp

memory/3024-420-0x0000000004290000-0x000000000429A000-memory.dmp

memory/2136-431-0x0000000072E90000-0x000000007315F000-memory.dmp

memory/2136-432-0x0000000074190000-0x0000000074258000-memory.dmp

memory/2136-433-0x00000000013D0000-0x00000000017D4000-memory.dmp

memory/3024-442-0x0000000004310000-0x000000000431A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 8237359457254c39afb2a03641def921
SHA1 8a81fc22f23bffee8f88472f7b9e09564b18699b
SHA256 bc19f9370a34b40fcb260df3ce467b038f5920a3080c8e1a69057899abf0888c
SHA512 ac8b7c30169a438ce52fb2af863e44ef1a1e9bc371009cacb4626cbdc666f239ae09ecf60968d2f0fba9f6f2f6b49609eb1bb34e7a08882e4b259ac0bc22ad89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

MD5 eebf3cf47a1beca7d42881292f826fcc
SHA1 a37799483175f02dc9913f25389c574c13996164
SHA256 9e45d5a6d2715a70dc3783af1e049de4defe98c2cc574d6ec8e0c1539874d6d7
SHA512 4157e0f3d73f8c39fb93e0f80f01ba2a83fd20863fe10078fc75d061e19798850f34c9053bd0449c5c6b508682cfa5b8c505fe085e30b46d18305396389e2800

\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/3024-524-0x0000000005AA0000-0x0000000005EA4000-memory.dmp

memory/2136-520-0x00000000013D0000-0x00000000017D4000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/912-527-0x0000000072E90000-0x000000007315F000-memory.dmp

memory/912-529-0x00000000744A0000-0x00000000744E9000-memory.dmp

memory/912-531-0x0000000074190000-0x0000000074258000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-26 20:58

Reported

2023-08-26 21:00

Platform

win10v2004-20230824-en

Max time kernel

150s

Max time network

156s

Command Line

C:\Windows\System32\svchost.exe -k netsvcs -p

Signatures

ACProtect 1.3x - 1.4x DLL software


Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe N/A

UPX packed file

upx

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Uses Tor communications

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E8DA0C81-931C-461E-A559-E1A4B4A5B308}.catalogItem C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\101.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 2120 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 2120 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe
PID 2120 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\101.exe C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

Processes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\101.exe

"C:\Users\Admin\AppData\Local\Temp\101.exe"

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

"C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe" -f torrc

Network


Files

memory/2120-5-0x0000000074790000-0x00000000747C9000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/4164-23-0x00000000005D0000-0x00000000009D4000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\795e6f10\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\795e6f10\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/4164-30-0x0000000073C90000-0x0000000073CD9000-memory.dmp

C:\Users\Admin\AppData\Local\795e6f10\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\795e6f10\tor\zlib1.dll

C:\Users\Admin\AppData\Local\795e6f10\tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\795e6f10\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\795e6f10\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\795e6f10\tor\torrc

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\795e6f10\tor\dllhost.exe

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdesc-consensus

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-certs

C:\Users\Admin\AppData\Local\795e6f10\tor\data\state

C:\Users\Admin\AppData\Local\795e6f10\tor\data\unverified-microdesc-consensus

C:\Users\Admin\AppData\Local\795e6f10\tor\data\cached-microdescs
