61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3

max time kernel
186s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 05:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
Size

16.0MB
MD5

b8e2ec7d64fe3156c5f684b3a2757301
SHA1

565db0f626a875be0ba5234963727e45c01f3ca9
SHA256

61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3
SHA512

02894d45ddeb98471ce09a99e3b4fe6e23b03e17c77ffba31d6a5e58b2a3b17eba3f8c8b81988b82aacca385ecc6dc752aa1ed62681909ff3d67acaf56a697d6
SSDEEP

393216:OccUL96juOB/a7LOupqeRbz9rmGuXrERtpyw7c+AiT:FZJkazpqeRbrdZyAc+Ai

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Updts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Updts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Updts.exe

Executes dropped EXE 7 IoCs

pid	Process
4908	CL_Debug_Log.txt
1264	Updts.exe
2572	Updts.exe
1384	Updts.exe
4692	tor.exe
3408	Updts.exe
1328	Updts.exe

Loads dropped DLL 8 IoCs

pid	Process
4692	tor.exe
4692	tor.exe
4692	tor.exe
4692	tor.exe
4692	tor.exe
4692	tor.exe
4692	tor.exe
4692	tor.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023248-22.dat	autoit_exe
behavioral2/files/0x000b000000023246-29.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 1384	2572	Updts.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4212	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
400	timeout.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\MKDQUQPQ\root\CIMV2	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\MKDQUQPQ\root\CIMV2	Updts.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4908	CL_Debug_Log.txt
Token: 35	4908	CL_Debug_Log.txt
Token: SeSecurityPrivilege	4908	CL_Debug_Log.txt
Token: SeSecurityPrivilege	4908	CL_Debug_Log.txt
Token: SeRestorePrivilege	1384	Updts.exe
Token: 35	1384	Updts.exe
Token: SeSecurityPrivilege	1384	Updts.exe
Token: SeSecurityPrivilege	1384	Updts.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
1264	Updts.exe
1264	Updts.exe
1264	Updts.exe
2572	Updts.exe
2572	Updts.exe
2572	Updts.exe
2572	Updts.exe
3408	Updts.exe
3408	Updts.exe
3408	Updts.exe
1328	Updts.exe
1328	Updts.exe
1328	Updts.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
1264	Updts.exe
1264	Updts.exe
1264	Updts.exe
2572	Updts.exe
2572	Updts.exe
2572	Updts.exe
2572	Updts.exe
3408	Updts.exe
3408	Updts.exe
3408	Updts.exe
1328	Updts.exe
1328	Updts.exe
1328	Updts.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 4908	2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe	93
PID 2308 wrote to memory of 4908	2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe	93
PID 2308 wrote to memory of 4908	2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe	93
PID 2308 wrote to memory of 4824	2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe	95
PID 2308 wrote to memory of 4824	2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe	95
PID 2308 wrote to memory of 4824	2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe	95
PID 4824 wrote to memory of 4212	4824	cmd.exe	97
PID 4824 wrote to memory of 4212	4824	cmd.exe	97
PID 4824 wrote to memory of 4212	4824	cmd.exe	97
PID 2308 wrote to memory of 1596	2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe	98
PID 2308 wrote to memory of 1596	2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe	98
PID 2308 wrote to memory of 1596	2308	61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe	98
PID 1596 wrote to memory of 400	1596	cmd.exe	100
PID 1596 wrote to memory of 400	1596	cmd.exe	100
PID 1596 wrote to memory of 400	1596	cmd.exe	100
PID 1264 wrote to memory of 2572	1264	Updts.exe	105
PID 1264 wrote to memory of 2572	1264	Updts.exe	105
PID 2572 wrote to memory of 1384	2572	Updts.exe	107
PID 2572 wrote to memory of 1384	2572	Updts.exe	107
PID 2572 wrote to memory of 1384	2572	Updts.exe	107
PID 2572 wrote to memory of 1384	2572	Updts.exe	107
PID 2572 wrote to memory of 4692	2572	Updts.exe	109
PID 2572 wrote to memory of 4692	2572	Updts.exe	109
PID 3408 wrote to memory of 1328	3408	Updts.exe	111
PID 3408 wrote to memory of 1328	3408	Updts.exe	111

C:\Users\Admin\AppData\Local\Temp\61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe
"C:\Users\Admin\AppData\Local\Temp\61b322051908949b1fe40f5ab5995cec4c2f1abb6628e5f798cab8a91f42d0e3.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
  C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - Creates scheduled task(s)
    PID:4212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\61B322~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\61B322~1.EXE" exit)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 0
    3⤵
    - Delays execution with timeout.exe
    PID:400

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Updts.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Updts.exe -SystemCheck
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Updts.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Updts.exe" -SystemCheck74309
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Updts.exe
    7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1384
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4692

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Updts.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Updts.exe -SystemCheck
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Updts.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Updts.exe" -SystemCheck74309
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
42da03d20542bf824f217214258fca1a

SHA1
5a4cf5f819d784973e3d9b4cc61f431cfc8e7564

SHA256
4e57e739833686c5951a78b783973e8f79445868ad3e3621a1ab9eaa559d78d7

SHA512
a9d15c0b4ba37fe0c9738311c9825b4aa6b0f0c105f6721affdfbe23065a924bfed300cdb990877fe5036e47279c671c262193de18e32528584cd2f7a71fb212

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
1f8173ce565d749dec7e11f40110ddd8

SHA1
4d375fa658b16e9ce1217cc9dc4161e418126228

SHA256
f3983921f687f6de73a7640d50393ab8ca1e8faa8d1031e08276f5a3db747b4a

SHA512
036c172c82820553c4d8613cb8aca0acd2491cf2b4d23a2f816e273a6b22493e9fe9d45b02c0250247dd7d8d8331460b24f9fe224c9b36444c6c248b4e59eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
8d9b3986dfe0a08cd9c7e4dcce1936c7

SHA1
fe8f379c0014dda5783d4730947ab280e0856cfc

SHA256
2cff8e2b9d115e9a5dabe687f776cb548d9bb42f50881ad2ebcc964ef8ad2775

SHA512
d1baf085c2b7d5d2d84f4c7a0676282989594318cfdf8a3b05a2d16f4cd33b128bb6540993efcd56e03155157d5b2bd8d3e1091d657cbbce789069941b992455

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
725bf5d38461e8fe65aacb46fd09458e

SHA1
9f20129f55de7ae251ae2d1277f96df4908b836a

SHA256
b25bf441a40738723589d7d301112fa630672766b1fff9368bbdb709f660d613

SHA512
3918e9dcd028619f4d82a027f43987aad96c56d587e71ad0d42ae64a4bd0adf4605032b2b89bb7de37e4cf073184d11f885eac40722747d1a2cc63976b158135

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
14.6MB

MD5
33b9825bd5ca7a974a1dddf9ea3001ca

SHA1
c30a2ab78c10127e27f48ec69eb61038aec4f111

SHA256
cc9474e1d4129cf9b4c02a6c948ca8b6f52d806811c719ecfb108c977d4090e4

SHA512
bc33b87c331d215ea5abdfe62a2f3d38af49bfa4db443b4b8cdad89e72fd8baf8d6b491bde148899ad9401560f38ebb18b5668669f9380a168e386f562a36603

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
13KB

MD5
dcaa46522abcfc2b1ed4e6368c9ce6fe

SHA1
b3a05a06a6bd52fe45c81de7c303d0e3239b6109

SHA256
cc2dd9aa9518a5dfa46370b59e8c593bf137a52e61171a7f6657ed00fbcce578

SHA512
75c8c824e3d0cb7520f52b9e5236dd5446184618a861de9a843bd18ff8fcdaaef0aaec4cc2a5e825e81e714cceb6dc377c068386e2c2795bc13288e446e81f91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
69272d604bcfc79a6cf9c8a117524e0a

SHA1
4c79237f6de3a3e0fb770157a83fb77923b43560

SHA256
40632a2f3dca03b4d56b7e4c8db05c054079c6de44c26579f9f4722270840cdb

SHA512
8aa579a6e603288afeb757b85f5cf72ea32e88c24100820fd890ff7fb0e6edb7b043c1d9adea0667c7912029293d723fea51fbaea6bb26d6e2170aed4c9d5ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
5.4MB

MD5
e5af84827606b6c577fe9a865beb7fb5

SHA1
3e69ce9fc24127e52201d2436f61774a6642db81

SHA256
f09a336173ea0bd0bb53c6914515ddefe8c475e93ed8d5c56768ed7e2495a275

SHA512
b779f30d53cc1c2d510a42a9d9825f9e0e30b9fabdebe2c8b29304ff554ec210105bce086043c007ecff39068107f59939bc7599fa8fd0f12a738337a876874f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
1.8MB

MD5
399e9c6e5aab73079a3673448b36aa9c

SHA1
216b67262ceed1dc929301df6b1c590dbde4ec03

SHA256
4233a1157ec6c9a7216db7ab8b999fbd4dbaa804fb2cc872796607e73660b4e8

SHA512
d257d63465519d227ff25948b4a5fbd8cf636345d07916cc92bd90462d8f9107b993635ebb409f3ab35ccc0ab3c111a8c49bc226f1725864a5275ff5ad93279f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
1.9MB

MD5
631e173c7cfa87974421f9e19ae8ac94

SHA1
72e0eb72785fc34716f9fb9b04516d9f48b59690

SHA256
13891d742b1063458aacb127ea1f9f58e5905009e31e4f41febbeea67f765d83

SHA512
25d3c07b803b9e4bd3fc6853f1de0b16f22deaa4538f358b72d7bd2461c6b70855e1d60d06124cecfea4ad925c0886af2d657fec335e96d4c1e57d3ffce3a8d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
1.7MB

MD5
7cc57754762628bafc65aca864e0fcab

SHA1
c2c279c1f0a46b0730a1bbbf157e0d5a0bada124

SHA256
bdacef3b76d3292a52600837bd8c93bd649d9ac384131e24b127f15597f87add

SHA512
31116041044fdfcc70bee4e63aac5d74ef8b6c801ea59aebe4ba3dd8d69342d9cc748035ff9e9a484243de244955d21642f8e7a899d2dac4dfb54910d4cbc951

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
3.0MB

MD5
4ebd2e2c7b6b18e92dc9205f8dc5cdec

SHA1
a6e3c8571311b632239d265fbbf6409f0bed4797

SHA256
d82f84ed6f8437a4b3d014a82a63cd7e3298db4a524089d17a50c52877f4f913

SHA512
df29ee0d83a09fe1eae109af39e0ca942ddf330d96f8f7dc63361f02e2865298e2a5c0f6291d44c49a1ad4c05ac88c55b8920116c7c29a884a730a70bdde9524

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
memory/1384-36-0x000001C1FE820000-0x000001C1FE943000-memory.dmp

Filesize
1.1MB

Download
memory/1384-62-0x000001C1FE820000-0x000001C1FE943000-memory.dmp

Filesize
1.1MB

Download
memory/1384-41-0x000001C1FE820000-0x000001C1FE943000-memory.dmp

Filesize
1.1MB

Download
memory/1384-39-0x000001C1FE820000-0x000001C1FE943000-memory.dmp

Filesize
1.1MB

Download
memory/2308-23-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/2308-25-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/2308-27-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/2308-26-0x0000000006370000-0x0000000006371000-memory.dmp

Filesize
4KB

Download
memory/4692-110-0x0000000077990000-0x0000000077A73000-memory.dmp

Filesize
908KB

Download
memory/4692-111-0x0000000077850000-0x0000000077923000-memory.dmp

Filesize
844KB

Download
memory/4692-113-0x0000000077960000-0x0000000077983000-memory.dmp

Filesize
140KB

Download
memory/4692-115-0x0000000077750000-0x00000000777A4000-memory.dmp

Filesize
336KB

Download
memory/4692-114-0x00000000777B0000-0x0000000077848000-memory.dmp

Filesize
608KB

Download
memory/4692-117-0x0000000077460000-0x000000007774D000-memory.dmp

Filesize
2.9MB

Download
memory/4692-119-0x0000000000880000-0x0000000000CE1000-memory.dmp

Filesize
4.4MB

Download
memory/4692-138-0x0000000000880000-0x0000000000CE1000-memory.dmp

Filesize
4.4MB

Download
memory/4692-145-0x0000000000880000-0x0000000000CE1000-memory.dmp

Filesize
4.4MB

Download
memory/4692-109-0x0000000000880000-0x0000000000CE1000-memory.dmp

Filesize
4.4MB

Download
memory/4692-560-0x0000000000880000-0x0000000000CE1000-memory.dmp

Filesize
4.4MB

Download