bitrat | 437ad80eaa637caba6237c5ecb0b4d328bb8131a45905088b2441bdfa021b598

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69211520423fa18fde09eee360343412.exe
Size

6.5MB
MD5

69211520423fa18fde09eee360343412
SHA1

dba822c016a18500e40723c7e96fa0894f025d06
SHA256

437ad80eaa637caba6237c5ecb0b4d328bb8131a45905088b2441bdfa021b598
SHA512

3378bc9725b187e9ed5be3f775c88153cfe49f053a1b1d5d0cee3d056289a4afd7ee1bbef86d8be8b7e497a244f143a29a983f8cf701f8e46338b9f23569ba97
SSDEEP

98304:Ld5VJppwXSyo8skn3moI25UzSOVRBKrCqflZ+VJscvKgFl8jD:LBpOwu2t26uqRsnf2VXvD6j

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.35

4napo6g3cp6av4hmxmwzi5lyojpfk3i2kl2tpssb2wvidqsa3kzo6eyd.onion:80

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
windows32file

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 9 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll	acprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

69211520423fa18fde09eee360343412.exeWScript.exe69211520423fa18fde09eee360343412.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	69211520423fa18fde09eee360343412.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	69211520423fa18fde09eee360343412.exe

Executes dropped EXE 3 IoCs

Processes:

windows32file.exewindows32file.exewindows32file.exe

pid process

2008 windows32file.exe
864 windows32file.exe
4216 windows32file.exe

Loads dropped DLL 24 IoCs

Processes:

windows32file.exewindows32file.exewindows32file.exe

pid	process
2008	windows32file.exe
2008	windows32file.exe
2008	windows32file.exe
2008	windows32file.exe
2008	windows32file.exe
2008	windows32file.exe
2008	windows32file.exe
2008	windows32file.exe
2008	windows32file.exe
2008	windows32file.exe
864	windows32file.exe
864	windows32file.exe
864	windows32file.exe
864	windows32file.exe
864	windows32file.exe
864	windows32file.exe
864	windows32file.exe
4216	windows32file.exe
4216	windows32file.exe
4216	windows32file.exe
4216	windows32file.exe
4216	windows32file.exe
4216	windows32file.exe
4216	windows32file.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll	upx
behavioral2/memory/2008-95-0x000000006FB30000-0x000000006FBF8000-memory.dmp	upx
behavioral2/memory/2008-96-0x000000006FAC0000-0x000000006FB09000-memory.dmp	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll	upx
behavioral2/memory/2008-88-0x0000000000D90000-0x0000000001194000-memory.dmp	upx
behavioral2/memory/2008-89-0x000000006FC00000-0x000000006FC24000-memory.dmp	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll	upx
behavioral2/memory/2008-97-0x000000006F920000-0x000000006F9A8000-memory.dmp	upx
behavioral2/memory/2008-104-0x000000006F9B0000-0x000000006FABA000-memory.dmp	upx
behavioral2/memory/2008-105-0x000000006F650000-0x000000006F91F000-memory.dmp	upx
behavioral2/memory/2008-103-0x000000006FC30000-0x000000006FCFE000-memory.dmp	upx
behavioral2/memory/2008-142-0x000000006FB30000-0x000000006FBF8000-memory.dmp	upx
behavioral2/memory/2008-141-0x000000006FC00000-0x000000006FC24000-memory.dmp	upx
behavioral2/memory/2008-139-0x0000000000D90000-0x0000000001194000-memory.dmp	upx
behavioral2/memory/2008-153-0x0000000000D90000-0x0000000001194000-memory.dmp	upx
behavioral2/memory/2008-161-0x0000000000D90000-0x0000000001194000-memory.dmp	upx
behavioral2/memory/2008-174-0x0000000000D90000-0x0000000001194000-memory.dmp	upx
behavioral2/memory/2008-182-0x0000000000D90000-0x0000000001194000-memory.dmp	upx
behavioral2/memory/2008-194-0x0000000000D90000-0x0000000001194000-memory.dmp	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe	upx
behavioral2/memory/864-220-0x0000000000D90000-0x0000000001194000-memory.dmp	upx
behavioral2/memory/864-221-0x000000006F650000-0x000000006F91F000-memory.dmp	upx
behavioral2/memory/864-226-0x000000006FC30000-0x000000006FCFE000-memory.dmp	upx
behavioral2/memory/864-224-0x000000006FB30000-0x000000006FBF8000-memory.dmp	upx
behavioral2/memory/864-228-0x000000006FAC0000-0x000000006FB09000-memory.dmp	upx
behavioral2/memory/864-230-0x000000006FC00000-0x000000006FC24000-memory.dmp	upx
behavioral2/memory/864-232-0x000000006F9B0000-0x000000006FABA000-memory.dmp	upx
behavioral2/memory/864-234-0x000000006F920000-0x000000006F9A8000-memory.dmp	upx
behavioral2/memory/4216-246-0x0000000000D90000-0x0000000001194000-memory.dmp	upx
behavioral2/memory/4216-247-0x0000000074140000-0x000000007440F000-memory.dmp	upx
behavioral2/memory/4216-248-0x0000000074070000-0x0000000074138000-memory.dmp	upx
behavioral2/memory/4216-249-0x0000000074020000-0x0000000074069000-memory.dmp	upx

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

68 myexternalip.com
69 myexternalip.com
78 myexternalip.com

flow	ioc
68	myexternalip.com
69	myexternalip.com
78	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

69211520423fa18fde09eee360343412.exe

pid	process
4636	69211520423fa18fde09eee360343412.exe
4636	69211520423fa18fde09eee360343412.exe
4636	69211520423fa18fde09eee360343412.exe
4636	69211520423fa18fde09eee360343412.exe
4636	69211520423fa18fde09eee360343412.exe
4636	69211520423fa18fde09eee360343412.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

69211520423fa18fde09eee360343412.exe

description pid process target process

PID 4160 set thread context of 4636 4160 69211520423fa18fde09eee360343412.exe 69211520423fa18fde09eee360343412.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4160 set thread context of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe

Modifies registry class 1 IoCs

Processes:

69211520423fa18fde09eee360343412.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	69211520423fa18fde09eee360343412.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

69211520423fa18fde09eee360343412.exepowershell.exe

pid process

4160 69211520423fa18fde09eee360343412.exe
4160 69211520423fa18fde09eee360343412.exe
1212 powershell.exe
1212 powershell.exe

pid	process
4160	69211520423fa18fde09eee360343412.exe
4160	69211520423fa18fde09eee360343412.exe
1212	powershell.exe
1212	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

69211520423fa18fde09eee360343412.exepowershell.exe69211520423fa18fde09eee360343412.exe

description	pid	process
Token: SeDebugPrivilege	4160	69211520423fa18fde09eee360343412.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeShutdownPrivilege	4636	69211520423fa18fde09eee360343412.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

69211520423fa18fde09eee360343412.exe

pid process

4636 69211520423fa18fde09eee360343412.exe
4636 69211520423fa18fde09eee360343412.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

69211520423fa18fde09eee360343412.exeWScript.exe69211520423fa18fde09eee360343412.exe

description	pid	process	target process
PID 4160 wrote to memory of 4196	4160	69211520423fa18fde09eee360343412.exe	WScript.exe
PID 4160 wrote to memory of 4196	4160	69211520423fa18fde09eee360343412.exe	WScript.exe
PID 4160 wrote to memory of 4196	4160	69211520423fa18fde09eee360343412.exe	WScript.exe
PID 4196 wrote to memory of 1212	4196	WScript.exe	powershell.exe
PID 4196 wrote to memory of 1212	4196	WScript.exe	powershell.exe
PID 4196 wrote to memory of 1212	4196	WScript.exe	powershell.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4160 wrote to memory of 4636	4160	69211520423fa18fde09eee360343412.exe	69211520423fa18fde09eee360343412.exe
PID 4636 wrote to memory of 2008	4636	69211520423fa18fde09eee360343412.exe	windows32file.exe
PID 4636 wrote to memory of 2008	4636	69211520423fa18fde09eee360343412.exe	windows32file.exe
PID 4636 wrote to memory of 2008	4636	69211520423fa18fde09eee360343412.exe	windows32file.exe
PID 4636 wrote to memory of 864	4636	69211520423fa18fde09eee360343412.exe	windows32file.exe
PID 4636 wrote to memory of 864	4636	69211520423fa18fde09eee360343412.exe	windows32file.exe
PID 4636 wrote to memory of 864	4636	69211520423fa18fde09eee360343412.exe	windows32file.exe
PID 4636 wrote to memory of 4216	4636	69211520423fa18fde09eee360343412.exe	windows32file.exe
PID 4636 wrote to memory of 4216	4636	69211520423fa18fde09eee360343412.exe	windows32file.exe
PID 4636 wrote to memory of 4216	4636	69211520423fa18fde09eee360343412.exe	windows32file.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
"C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ukvcpgfl.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\google\chrome.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
2⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Ukvcpgfl.vbs
Filesize
188B

MD5
92ed2795e0152284c6cc6486516b9cf6

SHA1
d1e81202222be31f6c3197259b8ad83107598743

SHA256
65167ec718a46e872471bac93f57104853afe7de650d8c0286750c140995c673

SHA512
43e537d0d69912ffb7a48abb3b60513db7b8a29279111660a09150aeac1237e8895c2362fbabdec4abccef74391e197bb29e303c7d23b13235f85acd38f92a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wadjwdqu.3a4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs
Filesize
13KB

MD5
b26791069ac5fc9ab70727332309e1e8

SHA1
06084afcec65f81a9b3e3773b5ab463e1c5b5479

SHA256
bc8073b4255ea5c64fa4380689d8f6921e9fcd853bfe4bae9b23e4dc67aa57d4

SHA512
74aa8675732805857fae329f2ee3f40fc83974f1ae72a4d259744b611c3771239180a3c18622d0cd70d26b5e218a9ba62df58d3ac1598342fbc02b3b26b2810f

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus
Filesize
2.7MB

MD5
408e6065d52048a86ac4dce5cdcebcc6

SHA1
82546a2a61e23423d22151ad4b792f44c4f3cd9d

SHA256
90c5ecd6763e4c8c9239a017c6a69daa4fef7ecd53e2da009756fd4ffbf39d54

SHA512
026786d92dd2b2d9c386769baacd6850ace08b11a10c6c564d6103d04fc3057448399240258d2bb304c82d762593ffc761061a5908ecfa218f99cf5d8a0343db

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp
Filesize
780KB

MD5
b1f4f4cfcec464ac7073feccf78036b8

SHA1
b9852b699336012520d494bead2bf209ec8e2a13

SHA256
43a7af377cfc95b1b04e6bb9c3e6d0b811a78c3fdd4a250d21f4cc6edb18bdf3

SHA512
51c35e1315ceda2808e1cef5504161ae7914b9af789db48cc7e12f00d30d68b07d3a6d7de058a81e243a0af150399e64373a4b3c8eb9a4c6671b015b80894778

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
Filesize
3.1MB

MD5
ec07655f3cd44a2e1b19ccb0fd9a071f

SHA1
cb803bbd95408b5cc5152a713a68a9a5776e48ae

SHA256
a8ef043558b5ab296527534771b9b58e794c0fd21947c8034a98d95aa39ba1b5

SHA512
dc40674c26a4f59b00bada48314f37c27cade60c3564a38c903d5eec4ac3895e2f032b9cd2948b7c50dc350b73bbf54172d2831efc96a2b531a63cfbe846481b

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new
Filesize
21.4MB

MD5
052455dbe94d3df3a1a28d54c90a1afe

SHA1
24e7a0b41b4c6ab81d29bf5fd7e96a1f3c9aac6d

SHA256
45c11b639887b665389dcce2bee08e505ffa12e4b1cd16bc0beea418de629964

SHA512
964856639173d43bc87f82e170fc6347fbb77a57545d496f7ac5533e94c71fde250e5fd6dae0b972cc0d9b102bef523c88bc4fd32a3ae5fe04027c4a39a8ded7

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state
Filesize
232B

MD5
74ee9f8d6a8206542da3f2541e4c8a1d

SHA1
e4e9b24a2173b8a1f8f07b9fbdb9da11a50e3e70

SHA256
a635a327906b86562bd49b8c830b552b0992435a6e34421cadb6d9fefcdd870b

SHA512
de59924fd3b1036aeb7911da996ddd0199560af7b075205ce6aca8347fd67c042077818b4871e91de980a322a5b0598eb8bc8a3d9554b97c6aed962286520f68

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll
Filesize
716KB

MD5
56d34407ce6a5a9ece1e3b99d05f099d

SHA1
cd049d5e1bc047b3d587b2afa8a2fa472ac92e3b

SHA256
39639f0b4ea177968c8ca6a5fc7ce1dbf814e05a26923aec6d97067fc46e547f

SHA512
34ad39c568ebd1e8993bf282e713fb5053360874f8d2343a0c20618f6c644f13f29fe0f40578055ddcc5274cc7977fd92e058d17cde86cfaedb11b0a0ed0375f

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll
Filesize
1.4MB

MD5
10f0676f9e57451a1d01e261e100c8ff

SHA1
564e850c87c061ee6f4529aaf432b69d63327d12

SHA256
63a977c7e6fa4e878547c3db33fff6ab5633fc56012d6f2448ad9b07641617c0

SHA512
7d7c294a17da5cde783153afa4be660ac24b5017a1e80f663007272465e7b65ab7c4d73324c74ebd70147ce22b1e6be218ff6344b26f1bd9c97cb6b762bf8ae8

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc
Filesize
157B

MD5
10e4369f9761d5401203f24a43aec777

SHA1
f6237d60d66f0bdc642836387c2e9adaf60114d2

SHA256
1936b09146613154cc18a4889276cb2de96a5fd24a2c86d34a778be90f965976

SHA512
7159148f7584cd188d7f030ac1be482ebad86cba6e964fdf2d6e673823027ebbb049ad9fdac15ed556976760953216a999c5145a0816d67072ed232bdc9e4abb

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
Filesize
483KB

MD5
a51c06907e72df902a5eb79b0637e095

SHA1
1f6abc67b3dcd787233265466234297d5fdfed46

SHA256
b69569a7188b7896c421dd2c0233c117a2bfb4d1b152cc0073d24c1a1f70d9c7

SHA512
781650359fa85cc55a4f3fd2cc18c0308f8e27fd2848ecf5ae0ecc40229aeae0e9c251ed12aaea048a9f502c6e571a271f99381e0fed65b01585cc34c1a1e295

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
Filesize
892KB

MD5
97cc3ec5040c880a7635228857668868

SHA1
9e5cf88bbd3ee028ff1f996d63a97ded1741b25c

SHA256
07d35700ef68638e345e958e0032fdd90752cb15318c94096eb2abed3d6ef7e6

SHA512
eb188768243e08ab9968f682b911215ea1230d34ee6a9be8e6ee3bead148b4ae07e2464fe16404210d747f05099bd6583764d83154c33feddff355ab37802def

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
Filesize
831KB

MD5
c95460d879afa09936b5fa1326763ea8

SHA1
00c96fdbe096d0887dd114915625f3f0e12ad0e5

SHA256
af1cfdf275f018830ee6041a4fde8a51ef5de989698bf7ab31bba34addc3443d

SHA512
4179cacf3e45576581d2313ea6186e2ec2243e7dcbcda60eb819cbf8f0abe1593e3d6d411097798fabe7a83190c7962a79e63ee5c5edaa29e7a1ad1b48854293

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/864-220-0x0000000000D90000-0x0000000001194000-memory.dmp

Filesize
4.0MB

Download
memory/864-221-0x000000006F650000-0x000000006F91F000-memory.dmp

Filesize
2.8MB

Download
memory/864-226-0x000000006FC30000-0x000000006FCFE000-memory.dmp

Filesize
824KB

Download
memory/864-224-0x000000006FB30000-0x000000006FBF8000-memory.dmp

Filesize
800KB

Download
memory/864-228-0x000000006FAC0000-0x000000006FB09000-memory.dmp

Filesize
292KB

Download
memory/864-230-0x000000006FC00000-0x000000006FC24000-memory.dmp

Filesize
144KB

Download
memory/864-232-0x000000006F9B0000-0x000000006FABA000-memory.dmp

Filesize
1.0MB

Download
memory/864-234-0x000000006F920000-0x000000006F9A8000-memory.dmp

Filesize
544KB

Download
memory/1212-40-0x0000000006610000-0x0000000006642000-memory.dmp

Filesize
200KB

Download
memory/1212-106-0x0000000007570000-0x000000000757E000-memory.dmp

Filesize
56KB

Download
memory/1212-18-0x00000000051C0000-0x00000000057E8000-memory.dmp

Filesize
6.2MB

Download
memory/1212-56-0x0000000007340000-0x000000000735A000-memory.dmp

Filesize
104KB

Download
memory/1212-55-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/1212-57-0x00000000073B0000-0x00000000073BA000-memory.dmp

Filesize
40KB

Download
memory/1212-69-0x00000000075C0000-0x0000000007656000-memory.dmp

Filesize
600KB

Download
memory/1212-52-0x0000000007010000-0x00000000070B3000-memory.dmp

Filesize
652KB

Download
memory/1212-41-0x00000000726B0000-0x00000000726FC000-memory.dmp

Filesize
304KB

Download
memory/1212-51-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/1212-16-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1212-39-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1212-38-0x0000000006070000-0x00000000060BC000-memory.dmp

Filesize
304KB

Download
memory/1212-83-0x0000000007540000-0x0000000007551000-memory.dmp

Filesize
68KB

Download
memory/1212-37-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/1212-36-0x0000000005B40000-0x0000000005E94000-memory.dmp

Filesize
3.3MB

Download
memory/1212-31-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1212-25-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/1212-15-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/1212-14-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1212-24-0x0000000005050000-0x0000000005072000-memory.dmp

Filesize
136KB

Download
memory/1212-13-0x0000000004A40000-0x0000000004A76000-memory.dmp

Filesize
216KB

Download
memory/1212-112-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1212-109-0x0000000007660000-0x0000000007668000-memory.dmp

Filesize
32KB

Download
memory/1212-108-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/1212-107-0x0000000007580000-0x0000000007594000-memory.dmp

Filesize
80KB

Download
memory/2008-104-0x000000006F9B0000-0x000000006FABA000-memory.dmp

Filesize
1.0MB

Download
memory/2008-162-0x00000000011A0000-0x0000000001228000-memory.dmp

Filesize
544KB

Download
memory/2008-194-0x0000000000D90000-0x0000000001194000-memory.dmp

Filesize
4.0MB

Download
memory/2008-101-0x00000000011A0000-0x0000000001228000-memory.dmp

Filesize
544KB

Download
memory/2008-105-0x000000006F650000-0x000000006F91F000-memory.dmp

Filesize
2.8MB

Download
memory/2008-103-0x000000006FC30000-0x000000006FCFE000-memory.dmp

Filesize
824KB

Download
memory/2008-182-0x0000000000D90000-0x0000000001194000-memory.dmp

Filesize
4.0MB

Download
memory/2008-97-0x000000006F920000-0x000000006F9A8000-memory.dmp

Filesize
544KB

Download
memory/2008-174-0x0000000000D90000-0x0000000001194000-memory.dmp

Filesize
4.0MB

Download
memory/2008-89-0x000000006FC00000-0x000000006FC24000-memory.dmp

Filesize
144KB

Download
memory/2008-95-0x000000006FB30000-0x000000006FBF8000-memory.dmp

Filesize
800KB

Download
memory/2008-96-0x000000006FAC0000-0x000000006FB09000-memory.dmp

Filesize
292KB

Download
memory/2008-163-0x0000000000D20000-0x0000000000D69000-memory.dmp

Filesize
292KB

Download
memory/2008-102-0x0000000001970000-0x0000000001C3F000-memory.dmp

Filesize
2.8MB

Download
memory/2008-161-0x0000000000D90000-0x0000000001194000-memory.dmp

Filesize
4.0MB

Download
memory/2008-153-0x0000000000D90000-0x0000000001194000-memory.dmp

Filesize
4.0MB

Download
memory/2008-88-0x0000000000D90000-0x0000000001194000-memory.dmp

Filesize
4.0MB

Download
memory/2008-139-0x0000000000D90000-0x0000000001194000-memory.dmp

Filesize
4.0MB

Download
memory/2008-141-0x000000006FC00000-0x000000006FC24000-memory.dmp

Filesize
144KB

Download
memory/2008-142-0x000000006FB30000-0x000000006FBF8000-memory.dmp

Filesize
800KB

Download
memory/4160-0-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4160-6-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4160-5-0x0000000005570000-0x00000000055C4000-memory.dmp

Filesize
336KB

Download
memory/4160-10-0x0000000006040000-0x00000000060D2000-memory.dmp

Filesize
584KB

Download
memory/4160-1-0x00000000002A0000-0x000000000092A000-memory.dmp

Filesize
6.5MB

Download
memory/4160-22-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4160-2-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4160-4-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4160-3-0x0000000005290000-0x00000000052BE000-memory.dmp

Filesize
184KB

Download
memory/4216-246-0x0000000000D90000-0x0000000001194000-memory.dmp

Filesize
4.0MB

Download
memory/4216-249-0x0000000074020000-0x0000000074069000-memory.dmp

Filesize
292KB

Download
memory/4216-248-0x0000000074070000-0x0000000074138000-memory.dmp

Filesize
800KB

Download
memory/4216-247-0x0000000074140000-0x000000007440F000-memory.dmp

Filesize
2.8MB

Download
memory/4636-121-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-193-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-191-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-190-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-17-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-173-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-171-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-164-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-152-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-19-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-125-0x0000000075440000-0x0000000075479000-memory.dmp

Filesize
228KB

Download
memory/4636-21-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-123-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-122-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-53-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-120-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-116-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-115-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-23-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/4636-54-0x0000000070B60000-0x0000000070B99000-memory.dmp

Filesize
228KB

Download