bitrat | c30fc9bfc313a2fd1fa09265e08e93d086cd889c1f5f7e79fa9fe1a3feaad5be

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

118dc55dafc395d36e6432306816cedd.exe
Size

5.5MB
MD5

118dc55dafc395d36e6432306816cedd
SHA1

0d70395fe14f4653b4d2b1e04306996ca7668dc1
SHA256

c30fc9bfc313a2fd1fa09265e08e93d086cd889c1f5f7e79fa9fe1a3feaad5be
SHA512

56ad5aa5276a8f5ff16af42f4dd7d29a8b4570a23d6868e6e81b132d015923028fcee83accca8acb174d2db51a05554f2bad3b502ea3a32adc843f68add81f9e
SSDEEP

98304:7l2eH5MynQqSDbvnA3/i5Z16dsxKn4L2kb0TNszipheT9kVO4v80abDOhgx:7l2GzS3vnm/i5P6drn4rbZGphy9kVz+r

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

nwgj3ux4huyfgbrwj5i2uwbxdu2ddd33eqrpq44dwooaoqo4ntmpc6qd.onion:80

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
winasxp

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 15 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002322f-36.dat	acprotect
behavioral2/files/0x0006000000023232-41.dat	acprotect
behavioral2/files/0x0006000000023233-44.dat	acprotect
behavioral2/files/0x0006000000023230-43.dat	acprotect
behavioral2/files/0x0006000000023232-38.dat	acprotect
behavioral2/files/0x0006000000023230-37.dat	acprotect
behavioral2/files/0x0006000000023236-51.dat	acprotect
behavioral2/files/0x000600000002322f-56.dat	acprotect
behavioral2/files/0x0006000000023234-54.dat	acprotect
behavioral2/files/0x000600000002322f-55.dat	acprotect
behavioral2/files/0x0006000000023231-49.dat	acprotect
behavioral2/files/0x000600000002322f-151.dat	acprotect
behavioral2/files/0x0006000000023234-157.dat	acprotect
behavioral2/files/0x0006000000023232-153.dat	acprotect
behavioral2/files/0x0006000000023230-152.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	windowsmediaplayer.exe

Executes dropped EXE 3 IoCs

pid	Process
1152	windowsmediaplayer.exe
100	winasxp.exe
2780	winasxp.exe

Loads dropped DLL 16 IoCs

pid	Process
100	winasxp.exe
100	winasxp.exe
100	winasxp.exe
100	winasxp.exe
100	winasxp.exe
100	winasxp.exe
100	winasxp.exe
100	winasxp.exe
100	winasxp.exe
2780	winasxp.exe
2780	winasxp.exe
2780	winasxp.exe
2780	winasxp.exe
2780	winasxp.exe
2780	winasxp.exe
2780	winasxp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1152-7-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-15-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-16-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-17-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-18-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/files/0x0006000000023235-32.dat	upx
behavioral2/files/0x0006000000023235-34.dat	upx
behavioral2/files/0x000600000002322f-36.dat	upx
behavioral2/memory/100-40-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/files/0x0006000000023235-35.dat	upx
behavioral2/files/0x0006000000023232-41.dat	upx
behavioral2/files/0x0006000000023233-44.dat	upx
behavioral2/memory/100-48-0x0000000074300000-0x0000000074349000-memory.dmp	upx
behavioral2/memory/100-47-0x0000000074420000-0x00000000744E8000-memory.dmp	upx
behavioral2/memory/100-46-0x0000000074350000-0x000000007441E000-memory.dmp	upx
behavioral2/files/0x0006000000023230-43.dat	upx
behavioral2/files/0x0006000000023232-38.dat	upx
behavioral2/files/0x0006000000023230-37.dat	upx
behavioral2/files/0x0006000000023236-51.dat	upx
behavioral2/files/0x000600000002322f-56.dat	upx
behavioral2/memory/100-58-0x0000000073E60000-0x000000007412F000-memory.dmp	upx
behavioral2/files/0x0006000000023234-54.dat	upx
behavioral2/files/0x000600000002322f-55.dat	upx
behavioral2/memory/100-60-0x0000000074130000-0x00000000741B8000-memory.dmp	upx
behavioral2/memory/100-52-0x00000000741F0000-0x00000000742FA000-memory.dmp	upx
behavioral2/memory/100-53-0x00000000741C0000-0x00000000741E4000-memory.dmp	upx
behavioral2/files/0x0006000000023231-49.dat	upx
behavioral2/memory/1152-65-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-66-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-67-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-68-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-69-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-72-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/1152-76-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/100-84-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/memory/100-91-0x0000000073E60000-0x000000007412F000-memory.dmp	upx
behavioral2/memory/100-89-0x00000000741C0000-0x00000000741E4000-memory.dmp	upx
behavioral2/memory/100-88-0x00000000741F0000-0x00000000742FA000-memory.dmp	upx
behavioral2/memory/100-87-0x0000000074300000-0x0000000074349000-memory.dmp	upx
behavioral2/memory/100-86-0x0000000074420000-0x00000000744E8000-memory.dmp	upx
behavioral2/memory/100-85-0x0000000074350000-0x000000007441E000-memory.dmp	upx
behavioral2/memory/1152-92-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/100-94-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/memory/100-95-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/memory/100-105-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/memory/1152-113-0x0000000000400000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/100-114-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/memory/100-123-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/memory/100-132-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/files/0x000600000002322f-151.dat	upx
behavioral2/files/0x0006000000023235-150.dat	upx
behavioral2/files/0x0006000000023234-157.dat	upx
behavioral2/memory/2780-159-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/memory/2780-161-0x0000000073E60000-0x000000007412F000-memory.dmp	upx
behavioral2/memory/2780-162-0x0000000074420000-0x00000000744E8000-memory.dmp	upx
behavioral2/memory/2780-163-0x0000000074350000-0x000000007441E000-memory.dmp	upx
behavioral2/memory/2780-166-0x0000000074300000-0x0000000074349000-memory.dmp	upx
behavioral2/memory/2780-169-0x00000000741C0000-0x00000000741E4000-memory.dmp	upx
behavioral2/memory/2780-170-0x00000000741F0000-0x00000000742FA000-memory.dmp	upx
behavioral2/memory/2780-171-0x0000000074130000-0x00000000741B8000-memory.dmp	upx
behavioral2/files/0x0006000000023232-153.dat	upx
behavioral2/files/0x0006000000023230-152.dat	upx
behavioral2/memory/100-158-0x0000000000C30000-0x0000000001034000-memory.dmp	upx
behavioral2/memory/2780-194-0x0000000000C30000-0x0000000001034000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1152	windowsmediaplayer.exe
1152	windowsmediaplayer.exe
1152	windowsmediaplayer.exe
1152	windowsmediaplayer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4888 set thread context of 1152	4888	118dc55dafc395d36e6432306816cedd.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1152	windowsmediaplayer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1152	windowsmediaplayer.exe
1152	windowsmediaplayer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 1152	4888	118dc55dafc395d36e6432306816cedd.exe	96
PID 4888 wrote to memory of 1152	4888	118dc55dafc395d36e6432306816cedd.exe	96
PID 4888 wrote to memory of 1152	4888	118dc55dafc395d36e6432306816cedd.exe	96
PID 4888 wrote to memory of 1152	4888	118dc55dafc395d36e6432306816cedd.exe	96
PID 4888 wrote to memory of 1152	4888	118dc55dafc395d36e6432306816cedd.exe	96
PID 4888 wrote to memory of 1152	4888	118dc55dafc395d36e6432306816cedd.exe	96
PID 4888 wrote to memory of 1152	4888	118dc55dafc395d36e6432306816cedd.exe	96
PID 4888 wrote to memory of 1152	4888	118dc55dafc395d36e6432306816cedd.exe	96
PID 1152 wrote to memory of 100	1152	windowsmediaplayer.exe	100
PID 1152 wrote to memory of 100	1152	windowsmediaplayer.exe	100
PID 1152 wrote to memory of 100	1152	windowsmediaplayer.exe	100
PID 1152 wrote to memory of 2780	1152	windowsmediaplayer.exe	107
PID 1152 wrote to memory of 2780	1152	windowsmediaplayer.exe	107
PID 1152 wrote to memory of 2780	1152	windowsmediaplayer.exe	107

C:\Users\Admin\AppData\Local\Temp\118dc55dafc395d36e6432306816cedd.exe
"C:\Users\Admin\AppData\Local\Temp\118dc55dafc395d36e6432306816cedd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
  C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Local\5dbdef45\tor\winasxp.exe
    "C:\Users\Admin\AppData\Local\5dbdef45\tor\winasxp.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:100
- - C:\Users\Admin\AppData\Local\5dbdef45\tor\winasxp.exe
    "C:\Users\Admin\AppData\Local\5dbdef45\tor\winasxp.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5dbdef45\tor\data\cached-certs

Filesize
20KB

MD5
ec5faf5bb17b9c98918ce60781f7cee4

SHA1
56b2cbc9d979b141776f4c9dee2a372a699f9b42

SHA256
31aeb0ec41ad154a1612d9ca16211bcc03f3dfa82ee5d236c507306a5acf54f2

SHA512
5ddff59770322278303a441eab759c4879662dfccd5921ed0ac1c1171603711cfa3b3dae54fd355abf1fdf0eb3891b1e1f38f89b0d2100c0c01e56b6ccdd2ce1

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\data\cached-microdesc-consensus

Filesize
73KB

MD5
05754cd0f83e46120062c37020fd3498

SHA1
9063a09a47ad418e13d4c0c4a9f7129ecc0f0047

SHA256
54acd5806225a0f6f4b003279244603e6cd4dacb1a297fe7aa1154ddf0d26827

SHA512
20932da14024f9c965474213f12ce69bfc0e088d6dbed25ab26cdc045a1dcb472313689f6aae693c0cc83cbccc90758db530a95d5d2843a0fe03b584c87f0cc6

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\data\cached-microdesc-consensus.tmp

Filesize
206KB

MD5
8188fc2976542f6c6ff682216b9aa315

SHA1
06122bfa566c9a7937a1e2731b0e158ff171d37d

SHA256
345d97b443698de53eb71ee30c0c2d5502c9facf82f5233dc8186fe196eace5d

SHA512
fa3b90641d9f16adc127803218722a30cc60a347f9101afc23bbc5f2cddb9c7219c8c34df4d9facce409bce187e2c597e2ff57ae642100105c826099a39ac54b

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\data\state

Filesize
232B

MD5
93b1e96aab6fb84aa09fc1b59953058b

SHA1
ae8ce2b39ff1162a7bb47fec02e17f59fdc7acf4

SHA256
6a028baa5341e6d1c394481fcfd3a739e49679442a17e3708071162dceb41210

SHA512
3be5a32c4ea28407f2ea08eec260505d84f14bd327822ce8544a39594b8d655cfefdf98aa241536eeed545a8043803bf94933dfc836b4ff834183380d513befb

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\data\unverified-microdesc-consensus

Filesize
1.3MB

MD5
a0419ca6104a0d1bfd15945754104647

SHA1
31e9bbf38fe340ad79f447f5e67833b2cfc04ada

SHA256
0431a7388c9836a77a7821100bf148e135968c47d4b5e489036cbde76689284a

SHA512
583a06f485161a20416ae1a0d3fa014d357c602924f3ae332c85a9288d2f4096a7438bbbf075a82a4a95d9fe0eee70adda5070dac9b68f4985a16f16c2445350

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libcrypto-1_1.dll

Filesize
1.2MB

MD5
edeec09c4f1680e6b8317076a7fc535d

SHA1
f4d20c1aacd71f35cdf8ca38fe1bf49ae98a6096

SHA256
28b364bf830980457cbc5dd156b1e39a0e42f4b6a69582ae39da538c5c8f5e14

SHA512
699e8a5ad419d68734a50646406993473f5d60f5de621cf11483d980bb445788f50ebc9187ff67bd9170226d23a07857599b406694cdb1882e8b867a743fea76

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libcrypto-1_1.dll

Filesize
272KB

MD5
e837a081bccb23bb7c99f1d3e33d23d0

SHA1
fa0f76d203137001902a6732bbb04f828ebff55d

SHA256
6fc8d381dd8dfdb74a8021e9e1a3f2ef3f4b962318383f709f61057e09899028

SHA512
c8097803a8246b094681e0fe5c1e6f70f66cfc72ad8634c0692eb7231c58da361672958ee8ed3cf76ebee50212c1db51bc4aea672db354e197382ed8ead15bce

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libcrypto-1_1.dll

Filesize
307KB

MD5
db353e05b4390b75598f7b8629b7222b

SHA1
3b0d7036d22725aa21db620ec98c9539dc901dd1

SHA256
9b2d412d03653153832d18870631bea1225ec05dbd43e40049057b19124c8438

SHA512
c80a42b464481950e11d07f8827dadc95811b54471027b90e16455679f2ff8dd9badb63b108108f66bd4d98663a3595c9658aaab1e173e546ab66e72513ceedf

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libcrypto-1_1.dll

Filesize
381KB

MD5
05a80a3465c2c5dcd81710642771a673

SHA1
99403415859fb666a8cd9987ef072c9768c4bc8c

SHA256
2d4cc472d9bda6e75d82fe22d4537de7a50a5e78bf8a14aaf63cbdb5b9c07ec2

SHA512
4392c38f32da9f830448136c37471e4026a4be83be888fee9594ba6625081599d424c0af7ac4b9d0f28303e83496a40d28ab4abba6cd0ae8fd37abd41889d04c

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libevent-2-1-6.dll

Filesize
317KB

MD5
1077e464576d264045e9a86d5747618c

SHA1
4a2a300990e6a1bb4a246d33180958a0a180b630

SHA256
55b77ea4b7baf233ced5aa374acbf361b63b95ec4ae63d8e013b8c8b0fa17dfb

SHA512
77c15443d3a00d41db515d2dd8669c5f4b95427770f9fab99e3f1c3fec79886b26bf630593d636e90c4ab6678d7bc2bd090b10f1c971d438e330b45192dc8e4b

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libevent-2-1-6.dll

Filesize
338KB

MD5
73eddff2cf8bba1ad1272671c8f9f730

SHA1
032f17eeef1e1c73b52cd4be4f395c37660d8c0b

SHA256
b81352d4cc26ba9362056af1a9ef7d8df1e278fb90fe823dc8595e64d86a184e

SHA512
fd87894455f143b65e87481dca18c0e115dafb473f05fd73ac5b6b441f6cc730ce261e29ba599b03609e055ac1b9c4510e783711e1488a93c6cae465dcf5ab04

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libevent-2-1-6.dll

Filesize
250KB

MD5
6859bd369e7e4834f97c40cbfd70ec57

SHA1
7f44d8a5bb992439e0d595daef005ce761302afa

SHA256
b36fbcece4f6c27e51f6da164cdf6f6e2c0d8a24c7f1d8eaa284778ac8b99897

SHA512
76483b2958a342740a2d6ae777c643f74c68c9cae7faeb5ab85eed5a23c5fe4a25bc0d3ad3751ed6cfb22563ac4b11c3ea221e7f73289181dffbddd7b484c197

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libssl-1_1.dll

Filesize
353KB

MD5
6ca979c2d8c8a700b092a792d04d382b

SHA1
8650b8412cd03533f74a6ec0ee65361e0861f597

SHA256
c6547259bc706f44ae6379e3687bbc17e5f98bbbf7c7f849307425b1fa1b4e9e

SHA512
652b276821156508d4d101c1a7787d7e553ad7d7335597b2574bf8fcabf6beb8642103880b13792f4510b25e79c2200cd0ccadb209d40d7e7c8eae5ae79ce5f8

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libssl-1_1.dll

Filesize
304KB

MD5
d85283d6dd600a9bf6c9ef1f128e364b

SHA1
8d39e214d852d4183cafa4f3654f7c5c6e4dade6

SHA256
121767ae4d967b6798241ec19e49e695078a9c4d255fca0425a7f9b73ed1c674

SHA512
5f9be096ee4fa19cc539ae56d687b986629b2283250bbe2f14b5fed8375c5fa6bea61fa20233eb3d91a52658134df0fa2691523920f81e42a957f608a7135729

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libwinpthread-1.dll

Filesize
178KB

MD5
325aa76a3b2add1aeff9e8f7a04fc7ae

SHA1
b5955b7915750671bd723fa566f7d8306e2cd8b4

SHA256
e05ba2a0147f834c8083ea6e47b861959253f89edfe9c203477442039a5ef19d

SHA512
aef0315718df2c0613f1ce60cae1c351eaf40c2ed4297c2b8aae1ca43d3691934743a8aa835e5c86c08053c3dd4b56e80a20a0f4cf4b3d9e195d92a8922a4361

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\torrc

Filesize
157B

MD5
bcb1ec26cabe7787d9fd25365d5dc2d1

SHA1
3c7629f35fb569af24af4751dd24a7e42e9f1e84

SHA256
6017220d5abb8098c86f8d49f54730a6e4aa880aeef1a4de113821cc82319b07

SHA512
721e2d37bf3605c3c68aff24e521901fb0500d1d1809e46aaae237e3f5f161c432ec4680506f342f5c64379c827a4562b3e31609862bbb86c07ec050e584e45c

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\winasxp.exe

Filesize
498KB

MD5
4f0b0c5044b6273b2f4f379eafdbc116

SHA1
fc1b3772e32ebfe0ffb342697241a86b0b53a81b

SHA256
cc832073eed21876d98ae9b37c319d0a363b4298ee72625c16a778cca039eefc

SHA512
a4cfe52d953528c6442b49b584725b1f13379b4e1ec64520a80da4331fd5e087061289f4e8d001c78a71ef1936d58cfe8da4976da869dcae5e604c9b788d8af4

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\winasxp.exe

Filesize
360KB

MD5
4ae55dcf29a230f0848dd2aa9c560177

SHA1
4a37765702ff6906a82e77c0b8f39beca0e4aa54

SHA256
f69bfb1488ba44c306588ef0b599be6a19cbb5add9cb4e970b47a5d49996ae5f

SHA512
3fa52dedf17c447ede004706222feb1aaab7c3ed44dff229c575f61b63cb14b33f162ec30951fff908600eebddd91393097b6e72bdb3dc4a428faf7bd0328640

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\winasxp.exe

Filesize
297KB

MD5
7460f566f88ec78215a40e7bca61e680

SHA1
dc22a1b9e8d9bbb5d7a580c5ae3a68a998250654

SHA256
ed05bf09780e6060d86d3824e624b089b05fd6d5a06692057d3b8f30b78caf8f

SHA512
d624bee135f55b90a40c6ee30d49a569b7d3181635dcc59fe3fb94b33a4f54a5fc661e51b6e1ceac4f257a42ec448fde13ea7ad291a599aa89fc253f25c7aad9

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\winasxp.exe

Filesize
248KB

MD5
f5633ca0f64fb877138ba44607d5edff

SHA1
c9556c3b530ff752810dc2018957fdfc0e5667be

SHA256
3e9f3e5b41bdbda874e3499bb565d28d155f18128dcfd8a8d28e92a340e92d86

SHA512
94e32bc931fb896a7239d99c33bf44d2f74b7e7bed0f26a9848d466af5813efa99f7820b72d6f0b06c351bb3c8ef9e2a896ba4a268a16cbcf582a7fbc3a1561d

Download Submit
C:\Users\Admin\AppData\Local\5dbdef45\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/100-47-0x0000000074420000-0x00000000744E8000-memory.dmp

Filesize
800KB

Download
memory/100-85-0x0000000074350000-0x000000007441E000-memory.dmp

Filesize
824KB

Download
memory/100-46-0x0000000074350000-0x000000007441E000-memory.dmp

Filesize
824KB

Download
memory/100-158-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/100-59-0x0000000001910000-0x0000000001BDF000-memory.dmp

Filesize
2.8MB

Download
memory/100-60-0x0000000074130000-0x00000000741B8000-memory.dmp

Filesize
544KB

Download
memory/100-52-0x00000000741F0000-0x00000000742FA000-memory.dmp

Filesize
1.0MB

Download
memory/100-61-0x0000000001040000-0x00000000010C8000-memory.dmp

Filesize
544KB

Download
memory/100-53-0x00000000741C0000-0x00000000741E4000-memory.dmp

Filesize
144KB

Download
memory/100-48-0x0000000074300000-0x0000000074349000-memory.dmp

Filesize
292KB

Download
memory/100-40-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/100-160-0x0000000001040000-0x00000000010C8000-memory.dmp

Filesize
544KB

Download
memory/100-132-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/100-123-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/100-114-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/100-58-0x0000000073E60000-0x000000007412F000-memory.dmp

Filesize
2.8MB

Download
memory/100-105-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/100-104-0x0000000001040000-0x00000000010C8000-memory.dmp

Filesize
544KB

Download
memory/100-95-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/100-94-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/100-84-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/100-91-0x0000000073E60000-0x000000007412F000-memory.dmp

Filesize
2.8MB

Download
memory/100-89-0x00000000741C0000-0x00000000741E4000-memory.dmp

Filesize
144KB

Download
memory/100-88-0x00000000741F0000-0x00000000742FA000-memory.dmp

Filesize
1.0MB

Download
memory/100-87-0x0000000074300000-0x0000000074349000-memory.dmp

Filesize
292KB

Download
memory/100-86-0x0000000074420000-0x00000000744E8000-memory.dmp

Filesize
800KB

Download
memory/1152-69-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-7-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-19-0x0000000074F80000-0x0000000074FB9000-memory.dmp

Filesize
228KB

Download
memory/1152-77-0x0000000073A50000-0x0000000073A89000-memory.dmp

Filesize
228KB

Download
memory/1152-76-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-72-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-113-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-68-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-67-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-66-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-18-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-17-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-16-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-193-0x0000000073CC0000-0x0000000073CF9000-memory.dmp

Filesize
228KB

Download
memory/1152-65-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-92-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/1152-15-0x0000000000400000-0x0000000000FF7000-memory.dmp

Filesize
12.0MB

Download
memory/2780-161-0x0000000073E60000-0x000000007412F000-memory.dmp

Filesize
2.8MB

Download
memory/2780-194-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/2780-163-0x0000000074350000-0x000000007441E000-memory.dmp

Filesize
824KB

Download
memory/2780-169-0x00000000741C0000-0x00000000741E4000-memory.dmp

Filesize
144KB

Download
memory/2780-197-0x0000000074350000-0x000000007441E000-memory.dmp

Filesize
824KB

Download
memory/2780-196-0x0000000074420000-0x00000000744E8000-memory.dmp

Filesize
800KB

Download
memory/2780-195-0x0000000073E60000-0x000000007412F000-memory.dmp

Filesize
2.8MB

Download
memory/2780-166-0x0000000074300000-0x0000000074349000-memory.dmp

Filesize
292KB

Download
memory/2780-162-0x0000000074420000-0x00000000744E8000-memory.dmp

Filesize
800KB

Download
memory/2780-170-0x00000000741F0000-0x00000000742FA000-memory.dmp

Filesize
1.0MB

Download
memory/2780-171-0x0000000074130000-0x00000000741B8000-memory.dmp

Filesize
544KB

Download
memory/2780-159-0x0000000000C30000-0x0000000001034000-memory.dmp

Filesize
4.0MB

Download
memory/4888-2-0x00000000010C0000-0x00000000010D0000-memory.dmp

Filesize
64KB

Download
memory/4888-0-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4888-14-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4888-13-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4888-1-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download