bitrat | 9ea701c18c02ed5f5c0f9a2f095c0b568609f0735f2e39c572c67875071b01fc

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

5.6MB
MD5

a971f912044d0e4280b0e9b7c54765be
SHA1

ba9078e5a88f433414f6386bbbb4462173bdf254
SHA256

9d585faa0851666f34381200277b38a1bef136ecd062fc53b158aa1b323fdf10
SHA512

272a809f9f510e35763955a0af2814071ee95af51b6e95af3f25b144ed319cb7d47b7fbd409d393c532637836ef2252b1cef4d29c6b549b8eab585db3b43eaca
SSDEEP

98304:vyZ3LRUXR9GPj9rbdajRbINHkOeY7i8mRMoRLVkGqIf/m4BQ9K+3t2tVlsT/jCSr:vyZ3LRUXrATkItkOEbZL29K/t+K+QsTE

Score

10^/10

bitrat trojan upx

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4980-46-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral2/memory/4980-101-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat
behavioral2/memory/4980-112-0x0000000000400000-0x0000000000DDC000-memory.dmp	family_bitrat

ACProtect 1.3x - 1.4x DLL software 9 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sample.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation sample.exe
Executes dropped EXE 1 IoCs

Processes:

winsys64.exe

pid process

1608 winsys64.exe
Loads dropped DLL 8 IoCs

Processes:

winsys64.exe

pid process

1608 winsys64.exe
1608 winsys64.exe
1608 winsys64.exe
1608 winsys64.exe
1608 winsys64.exe
1608 winsys64.exe
1608 winsys64.exe
1608 winsys64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	sample.exe

pid	process
1608	winsys64.exe

pid	process
1608	winsys64.exe
1608	winsys64.exe
1608	winsys64.exe
1608	winsys64.exe
1608	winsys64.exe
1608	winsys64.exe
1608	winsys64.exe
1608	winsys64.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4980-0-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\winsys64.exe	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libwinpthread-1.dll	upx
behavioral2/memory/1608-29-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssl-1_1.dll	upx
behavioral2/memory/1608-33-0x00000000742D0000-0x00000000742F4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll	upx
behavioral2/memory/1608-35-0x00000000743D0000-0x0000000074419000-memory.dmp	upx
behavioral2/memory/1608-36-0x0000000074300000-0x00000000743C8000-memory.dmp	upx
behavioral2/memory/1608-37-0x0000000074240000-0x00000000742C8000-memory.dmp	upx
behavioral2/memory/1608-38-0x0000000074130000-0x000000007423A000-memory.dmp	upx
behavioral2/memory/1608-43-0x0000000074420000-0x00000000744EE000-memory.dmp	upx
behavioral2/memory/1608-44-0x0000000073E60000-0x000000007412F000-memory.dmp	upx
behavioral2/memory/4980-46-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral2/memory/1608-47-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral2/memory/1608-49-0x00000000742D0000-0x00000000742F4000-memory.dmp	upx
behavioral2/memory/1608-51-0x0000000074300000-0x00000000743C8000-memory.dmp	upx
behavioral2/memory/1608-64-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral2/memory/1608-65-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral2/memory/1608-81-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral2/memory/1608-90-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral2/memory/4980-101-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral2/memory/1608-102-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral2/memory/4980-112-0x0000000000400000-0x0000000000DDC000-memory.dmp	upx
behavioral2/memory/1608-113-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx
behavioral2/memory/1608-122-0x0000000000AF0000-0x0000000000EF4000-memory.dmp	upx

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

213 myexternalip.com
218 myexternalip.com
223 myexternalip.com
224 myexternalip.com
256 myexternalip.com
257 myexternalip.com
212 myexternalip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

sample.exe

pid process

4980 sample.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
213	myexternalip.com
218	myexternalip.com
223	myexternalip.com
224	myexternalip.com
256	myexternalip.com
257	myexternalip.com
212	myexternalip.com

pid	process
4980	sample.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sample.exe

description pid process

Token: SeShutdownPrivilege 4980 sample.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

sample.exefirefox.exe

pid process

4980 sample.exe
4980 sample.exe
2420 firefox.exe

description	pid	process
Token: SeShutdownPrivilege	4980	sample.exe

pid	process
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe

pid	process
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe

pid	process
4980	sample.exe
4980	sample.exe
2420	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sample.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4980 wrote to memory of 1608	4980	sample.exe	winsys64.exe
PID 4980 wrote to memory of 1608	4980	sample.exe	winsys64.exe
PID 4980 wrote to memory of 1608	4980	sample.exe	winsys64.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2780 wrote to memory of 2420	2780	firefox.exe	firefox.exe
PID 2420 wrote to memory of 1380	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 1380	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 4636	2420	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\18c4d7d0\tor\winsys64.exe
"C:\Users\Admin\AppData\Local\18c4d7d0\tor\winsys64.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.0.395588534\1610863571" -parentBuildID 20221007134813 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e897f2ad-18ea-4a6e-b3ea-7608b4bc79d2} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 1908 20616a07958 gpu
3⤵
PID:1380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.1.208008293\515073165" -parentBuildID 20221007134813 -prefsHandle 2316 -prefMapHandle 2312 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ceea111c-eb8d-48c0-9d07-cb145dcfc744} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 2348 20615341958 socket
3⤵
PID:4636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.2.153611528\1250238155" -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3184 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81717063-68ef-4426-95fe-cafc4b0d0603} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 3160 20619790858 tab
3⤵
PID:4440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.3.1983897736\145568474" -childID 2 -isForBrowser -prefsHandle 3428 -prefMapHandle 3424 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f158c16b-50bc-4f39-842c-d10d4955b5cd} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 3624 20608e5b558 tab
3⤵
PID:4676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.4.1044075869\2068621501" -childID 3 -isForBrowser -prefsHandle 4328 -prefMapHandle 4320 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b8a3f68-ce26-4fa3-ac6e-d96d1cac0afc} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 4340 2061adb8e58 tab
3⤵
PID:2684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.5.256533735\1361669141" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 5028 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {102d67cf-9f76-455c-9e8f-a83338f8858a} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5052 20608e2d258 tab
3⤵
PID:5576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.6.455525187\1437314324" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {260f606c-95dc-4d36-ab20-2a6ef870729d} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5160 2061bb8e158 tab
3⤵
PID:5584

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.7.583133652\848955032" -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56a46760-a266-41f4-ab96-126bcecb95a8} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5440 2061bb8e758 tab
3⤵
PID:5592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\18c4d7d0\tor\data\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
1cd3fc8b27accdf673dbc86754ed39c8

SHA1
a86e2603516493ca6c6165cc37f897bc21972e27

SHA256
1156e69fed66356296fef86ef033e4e2814b85c3da02493d7764fdbb38f6590b

SHA512
934bc4ac9e1559d7de9d306f814510d40de41ac8c39bdce36c736fc7b13fafa6b3f72c4bd2cbd8451dbcd8f5d91ed9c5553cca2ee3c2692a93d591aff1352359

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\data\cached-microdescs.new
Filesize
6.2MB

MD5
ada125d22326c452d1f7520828b0b77f

SHA1
3b718f4da387c5728c36090b766593fe5e23a9dd

SHA256
d6046bde478d9b46942cbfcf0c85a46e1ffd1b8274188ec512ac7b00febb54ba

SHA512
a212bbc258c746e54d848eb0d7a9d6aa6df1fefa4d613be548ce3a26853e8d483fdfe84194c2502be18214b03eff232b66219fc60e780d409434ef41edf9dd81

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll
Filesize
1024KB

MD5
6e7f2917c21da490d54b808a7fc05e2a

SHA1
75db6f5ebdf59f6846d78da119b00f30967a4395

SHA256
123c5b94036ae85da596e3c33bd223cc751e4dc3ce4418b790b709f80928b598

SHA512
73d3b4fc718f063498547db04bc88e0ebac9245b99ec8598290a7e0e1ff94d9e590495644d56e530b7fcd9080cb6607379f0b2f6a7f7703b92b6733ceb2488a0

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll
Filesize
704KB

MD5
03b28988bcb5e1cf52d4e03c595bb8bf

SHA1
a0c5306f6969e445bd77b3c43a7d70a4636e9215

SHA256
580f1b258fb783e1d0f32145a4d52485b336f4396bab404ac1c54e7fe7c776ee

SHA512
65ddb1ca48ae145ca500e26242a896dacbc07c102b3efffb90251a59e01fd7a23887a1a8cd472a9d46f4a08510a1dbc78c5afd114b1c3f1f45e303eefa1d16b9

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libcrypto-1_1.dll
Filesize
576KB

MD5
fe32829193300ae12975fcb8f7efcb8f

SHA1
c5ede4c85f7774df4c7d82722c5ec21ea0c19dbc

SHA256
73482db9bed752ae85fe738a488ea830c5eee29550624b13db8176f97dea3202

SHA512
22567b8d7b8107dd4e5f8eecb13600efb7b95dfc5400807aa21f55e32c3ecead30d49d752ddaade650a363fafac68551b1937abfcc71159edc73700678a0fe2f

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\torrc
Filesize
139B

MD5
810ca57a4541aa0915723dd9a878a4f8

SHA1
bf5cbb30e140282febea89ade1b6f3c01a1614c4

SHA256
87d1de959d834f83a63d7b707ae81dceb521ed5169697e25797815e1025fdfd7

SHA512
833aaec0564f7a0a5f12643dc3cd90e581bea671a94162c899ab32b557c52ad6bd3f2b9195ae205051c5d46eb4d4a7b644f119dec5f041658d2a99c1cfe8662a

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\winsys64.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\18c4d7d0\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
0d2bc453758ebafcf9dc58f976c84431

SHA1
3cb46f77b9b49a77c90e52eb725389bf36a7fe01

SHA256
e8229c4d4e756c5227d21194b277f80caa16003e2c788298d185113b29a168b4

SHA512
587421675e71992ae4898673c3433ed63c0f0d245384ca77695494ad1cbef854b1d234c54e7447bdfc25f66f95c949bcd4ee4e45dcb33a8065eba9ca985dca32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\4b576f45-9bd4-4174-a7c3-860f2686ba62
Filesize
746B

MD5
6ed0ad8b8090a4baed3e8ec33e50115d

SHA1
7495abd2fb0492897a70b038fd451959dffa8179

SHA256
a64f39794c4ab157ca4eca93a4ab6378f26eac7186530d4cce96751b1795ad9b

SHA512
25ab0278a4e74e797f9bf70cbab2a6cd357e3bd85adbb708be35740b63ec6eb77911c6f0295f874e86361c51be692ea5680e64b9537cf61d115520b00ddcd9e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\e865ca21-c966-4aa0-8714-212b31cf7df7
Filesize
11KB

MD5
645f9d70f89e4f01e5896876395426ce

SHA1
5456c342cfcf54a78608da78a33bbd6d26ea88dc

SHA256
d8803110ccb0e0cc5920bb95ec4a3fc94a4124822f5530d84b9ef4a0bfff4526

SHA512
a729d38568d12d8b917036603da8635e0f51ea58ef518277adeef913288159ebffb9371e1647a827bd9bd2570aefed9b7672ee1e497028093b606ff93b675b13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js
Filesize
6KB

MD5
bab5182dd5087da1a86e3f4847640fd5

SHA1
9cb6da218506db7f36b0e12330dcab556aa4b028

SHA256
70f710877bec21616138ea92d7cb1f8c6dbdeb15f29da0e0a5f6e0dd52c527f8

SHA512
80c84162469a605a4303e8a9f1270d0d6301c4305efd80116b1baeddba09c06125a4cf6f9b435633d12cbb3815d312fb8b1f4c114babb72fb5ac081e7efc5163

Download Submit
memory/1608-90-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/1608-81-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/1608-42-0x0000000001980000-0x0000000001C4F000-memory.dmp

Filesize
2.8MB

Download
memory/1608-43-0x0000000074420000-0x00000000744EE000-memory.dmp

Filesize
824KB

Download
memory/1608-44-0x0000000073E60000-0x000000007412F000-memory.dmp

Filesize
2.8MB

Download
memory/1608-29-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/1608-33-0x00000000742D0000-0x00000000742F4000-memory.dmp

Filesize
144KB

Download
memory/1608-47-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/1608-49-0x00000000742D0000-0x00000000742F4000-memory.dmp

Filesize
144KB

Download
memory/1608-51-0x0000000074300000-0x00000000743C8000-memory.dmp

Filesize
800KB

Download
memory/1608-37-0x0000000074240000-0x00000000742C8000-memory.dmp

Filesize
544KB

Download
memory/1608-64-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/1608-65-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/1608-73-0x0000000001980000-0x0000000001C4F000-memory.dmp

Filesize
2.8MB

Download
memory/1608-36-0x0000000074300000-0x00000000743C8000-memory.dmp

Filesize
800KB

Download
memory/1608-38-0x0000000074130000-0x000000007423A000-memory.dmp

Filesize
1.0MB

Download
memory/1608-35-0x00000000743D0000-0x0000000074419000-memory.dmp

Filesize
292KB

Download
memory/1608-122-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/1608-102-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/1608-113-0x0000000000AF0000-0x0000000000EF4000-memory.dmp

Filesize
4.0MB

Download
memory/4980-112-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/4980-110-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/4980-101-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/4980-163-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/4980-193-0x00000000745B0000-0x00000000745E9000-memory.dmp

Filesize
228KB

Download
memory/4980-0-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/4980-46-0x0000000000400000-0x0000000000DDC000-memory.dmp

Filesize
9.9MB

Download
memory/4980-45-0x0000000073A50000-0x0000000073A89000-memory.dmp

Filesize
228KB

Download
memory/4980-1-0x0000000074FA0000-0x0000000074FD9000-memory.dmp

Filesize
228KB

Download