bitrat | caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f

max time kernel
1797s
max time network
1804s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub_tor.exe
Size

7.8MB
MD5

c76390d9e1052d9e708940d67b5c135d
SHA1

a370a73a9dd746584428e8a939288ecffd3c80f7
SHA256

caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f
SHA512

4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b
SSDEEP

196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion:440

Attributes

communication_password
4124bc0a9335c27f086f24ba207a4912
install_dir
Minecraft
install_file
Runtime_Broker
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll	acprotect
\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll	acprotect
\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll	acprotect
\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll	acprotect

Executes dropped EXE 64 IoCs

Processes:

tor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exe

pid	process
3644	tor.exe
2760	tor.exe
516	tor.exe
3088	tor.exe
1136	tor.exe
4184	tor.exe
2372	tor.exe
4356	tor.exe
64	tor.exe
2884	tor.exe
3948	tor.exe
3508	tor.exe
1896	tor.exe
2832	tor.exe
1340	tor.exe
2208	tor.exe
676	tor.exe
4148	tor.exe
1256	tor.exe
4988	tor.exe
2068	tor.exe
3908	tor.exe
3496	tor.exe
928	tor.exe
2160	tor.exe
3252	tor.exe
768	tor.exe
4960	tor.exe
164	tor.exe
1436	tor.exe
64	tor.exe
2972	tor.exe
2912	tor.exe
4580	tor.exe
3348	tor.exe
2104	tor.exe
1332	tor.exe
4144	tor.exe
4416	tor.exe
4772	tor.exe
2380	tor.exe
1248	tor.exe
2060	tor.exe
4572	tor.exe
2300	tor.exe
224	tor.exe
4848	tor.exe
2780	tor.exe
416	tor.exe
1812	tor.exe
3660	tor.exe
2756	tor.exe
5116	tor.exe
4952	tor.exe
4676	tor.exe
3136	tor.exe
3952	tor.exe
4396	tor.exe
3672	tor.exe
4304	tor.exe
2612	tor.exe
2696	tor.exe
2084	tor.exe
3236	tor.exe

Loads dropped DLL 64 IoCs

Processes:

tor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exetor.exe

pid	process
3644	tor.exe
3644	tor.exe
3644	tor.exe
3644	tor.exe
3644	tor.exe
3644	tor.exe
3644	tor.exe
3644	tor.exe
2760	tor.exe
2760	tor.exe
2760	tor.exe
2760	tor.exe
2760	tor.exe
2760	tor.exe
2760	tor.exe
516	tor.exe
516	tor.exe
516	tor.exe
516	tor.exe
516	tor.exe
516	tor.exe
516	tor.exe
3088	tor.exe
3088	tor.exe
3088	tor.exe
3088	tor.exe
3088	tor.exe
3088	tor.exe
3088	tor.exe
1136	tor.exe
1136	tor.exe
1136	tor.exe
1136	tor.exe
1136	tor.exe
1136	tor.exe
1136	tor.exe
4184	tor.exe
4184	tor.exe
4184	tor.exe
4184	tor.exe
4184	tor.exe
4184	tor.exe
4184	tor.exe
2372	tor.exe
2372	tor.exe
2372	tor.exe
2372	tor.exe
2372	tor.exe
2372	tor.exe
2372	tor.exe
2372	tor.exe
4356	tor.exe
4356	tor.exe
4356	tor.exe
4356	tor.exe
4356	tor.exe
4356	tor.exe
4356	tor.exe
64	tor.exe
64	tor.exe
64	tor.exe
64	tor.exe
64	tor.exe
64	tor.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll	upx
\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll	upx
\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll	upx
\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll	upx
behavioral2/memory/3644-30-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3644-31-0x0000000072E20000-0x0000000072EEE000-memory.dmp	upx
behavioral2/memory/3644-33-0x0000000072DA0000-0x0000000072DC4000-memory.dmp	upx
behavioral2/memory/3644-34-0x0000000072D10000-0x0000000072D98000-memory.dmp	upx
behavioral2/memory/3644-32-0x0000000072DD0000-0x0000000072E19000-memory.dmp	upx
behavioral2/memory/3644-35-0x0000000072C00000-0x0000000072D0A000-memory.dmp	upx
behavioral2/memory/3644-39-0x0000000072930000-0x0000000072BFF000-memory.dmp	upx
behavioral2/memory/3644-41-0x0000000072EF0000-0x0000000072FB8000-memory.dmp	upx
behavioral2/memory/3644-51-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3644-54-0x0000000072E20000-0x0000000072EEE000-memory.dmp	upx
behavioral2/memory/3644-59-0x0000000072930000-0x0000000072BFF000-memory.dmp	upx
behavioral2/memory/3644-75-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3644-83-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3644-85-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3644-101-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3644-110-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3644-118-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3644-126-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3644-134-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/2760-154-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/2760-157-0x0000000072930000-0x0000000072BFF000-memory.dmp	upx
behavioral2/memory/2760-160-0x0000000072EF0000-0x0000000072FB8000-memory.dmp	upx
behavioral2/memory/2760-162-0x0000000072E20000-0x0000000072EEE000-memory.dmp	upx
behavioral2/memory/2760-165-0x0000000072DD0000-0x0000000072E19000-memory.dmp	upx
behavioral2/memory/2760-167-0x0000000072DA0000-0x0000000072DC4000-memory.dmp	upx
behavioral2/memory/2760-170-0x0000000072C00000-0x0000000072D0A000-memory.dmp	upx
behavioral2/memory/2760-172-0x0000000072D10000-0x0000000072D98000-memory.dmp	upx
behavioral2/memory/3644-169-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/2760-177-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/2760-178-0x0000000072930000-0x0000000072BFF000-memory.dmp	upx
behavioral2/memory/2760-179-0x0000000072EF0000-0x0000000072FB8000-memory.dmp	upx
behavioral2/memory/516-191-0x0000000072C20000-0x0000000072CE8000-memory.dmp	upx
behavioral2/memory/516-192-0x0000000072BD0000-0x0000000072C19000-memory.dmp	upx
behavioral2/memory/516-193-0x0000000072BA0000-0x0000000072BC4000-memory.dmp	upx
behavioral2/memory/516-194-0x0000000072A90000-0x0000000072B9A000-memory.dmp	upx
behavioral2/memory/516-200-0x0000000072930000-0x00000000729FE000-memory.dmp	upx
behavioral2/memory/516-201-0x0000000072CF0000-0x0000000072FBF000-memory.dmp	upx
behavioral2/memory/516-196-0x0000000072A00000-0x0000000072A88000-memory.dmp	upx
behavioral2/memory/516-225-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/516-226-0x0000000072C20000-0x0000000072CE8000-memory.dmp	upx
behavioral2/memory/3088-262-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3088-265-0x0000000072CF0000-0x0000000072FBF000-memory.dmp	upx
behavioral2/memory/3088-267-0x0000000072C20000-0x0000000072CE8000-memory.dmp	upx
behavioral2/memory/3088-269-0x0000000072930000-0x00000000729FE000-memory.dmp	upx
behavioral2/memory/3088-272-0x0000000072BD0000-0x0000000072C19000-memory.dmp	upx
behavioral2/memory/3088-275-0x0000000072A90000-0x0000000072B9A000-memory.dmp	upx
behavioral2/memory/3088-278-0x0000000072A00000-0x0000000072A88000-memory.dmp	upx
behavioral2/memory/3088-279-0x0000000072BA0000-0x0000000072BC4000-memory.dmp	upx
behavioral2/memory/516-281-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3088-286-0x0000000000AA0000-0x0000000000EA4000-memory.dmp	upx
behavioral2/memory/3088-287-0x0000000072CF0000-0x0000000072FBF000-memory.dmp	upx
behavioral2/memory/3088-289-0x0000000072930000-0x00000000729FE000-memory.dmp	upx
behavioral2/memory/3088-288-0x0000000072C20000-0x0000000072CE8000-memory.dmp	upx
behavioral2/memory/1136-301-0x0000000072CF0000-0x0000000072FBF000-memory.dmp	upx
behavioral2/memory/1136-303-0x0000000072BD0000-0x0000000072C19000-memory.dmp	upx
behavioral2/memory/1136-302-0x0000000072C20000-0x0000000072CE8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

stub_tor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker쬀"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker甀"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Brokerᜀ"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker销"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker툀"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker팀"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker缀"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Brokerᄀ"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker̀"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker\uff00"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Brokerက"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Brokerᘀ"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker䠀"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_Broker輀"	stub_tor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime_Broker = "C:\\Users\\Admin\\AppData\\Local\\Minecraft\\Runtime_BrokerĀ"	stub_tor.exe

Looks up external IP address via web service 30 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
87	myexternalip.com
126	myexternalip.com
287	myexternalip.com
320	myexternalip.com
53	myexternalip.com
94	myexternalip.com
204	myexternalip.com
243	myexternalip.com
295	myexternalip.com
12	myexternalip.com
110	myexternalip.com
187	myexternalip.com
71	myexternalip.com
151	myexternalip.com
229	myexternalip.com
269	myexternalip.com
279	myexternalip.com
133	myexternalip.com
103	myexternalip.com
253	myexternalip.com
328	myexternalip.com
13	myexternalip.com
142	myexternalip.com
164	myexternalip.com
171	myexternalip.com
62	myexternalip.com
119	myexternalip.com
213	myexternalip.com
236	myexternalip.com
79	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

Processes:

stub_tor.exe

pid	process
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

stub_tor.exe

pid process

3624 stub_tor.exe

Suspicious behavior: RenamesItself 64 IoCs

Processes:

stub_tor.exe

pid	process
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe
3624	stub_tor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

stub_tor.exe

description pid process

Token: SeShutdownPrivilege 3624 stub_tor.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

stub_tor.exe

pid process

3624 stub_tor.exe
3624 stub_tor.exe

description	pid	process
Token: SeShutdownPrivilege	3624	stub_tor.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

stub_tor.exe

description	pid	process	target process
PID 3624 wrote to memory of 3644	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3644	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3644	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2760	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2760	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2760	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 516	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 516	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 516	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3088	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3088	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3088	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1136	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1136	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1136	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4184	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4184	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4184	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2372	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2372	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2372	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4356	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4356	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4356	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 64	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 64	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 64	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2884	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2884	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2884	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3948	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3948	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3948	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3508	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3508	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3508	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1896	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1896	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1896	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2832	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2832	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2832	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1340	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1340	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1340	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2208	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2208	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2208	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 676	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 676	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 676	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4148	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4148	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4148	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1256	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1256	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 1256	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4988	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4988	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 4988	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2068	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2068	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 2068	3624	stub_tor.exe	tor.exe
PID 3624 wrote to memory of 3908	3624	stub_tor.exe	tor.exe

C:\Users\Admin\AppData\Local\Temp\stub_tor.exe
"C:\Users\Admin\AppData\Local\Temp\stub_tor.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3644

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:516

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3088

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4184

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4356

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:64

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2884

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3948

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3508

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2832

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1340

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:676

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1256

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2068

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3908

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3496

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:928

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2160

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3252

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:768

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4960

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:164

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1436

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:64

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2972

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4580

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3348

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2104

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1332

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4144

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4416

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4772

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2380

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2060

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:224

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4848

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2780

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:416

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3660

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2756

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:5116

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4952

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4676

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3136

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4396

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3672

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2612

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2696

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:2084

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
- Executes dropped EXE
PID:3236

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:1780

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:964

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:2160

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:4432

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:1000

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:1556

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:2300

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:4436

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:1440

C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
"C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe" -f torrc
2⤵
PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-certs
Filesize
20KB

MD5
0eb7a32063d58cc4343a01da1a462194

SHA1
a1e5dc9030d3f80aa99232339869cc1a2b15e81b

SHA256
0c7b39baeed32d34e213b84b4259828d8ff5a62b880c9bbd664ae6b4e567b5a9

SHA512
02463d82311bbfe46ee481cbcd36d521c5c30e513d31762104093616969bab52d8bd37433b399c3f273aba675c84f7f324ec2c6953620fe854931ab51d68654a

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
3af58b6add70a3559c53205e4aefd0f9

SHA1
5c1a95db8a1695b14b26cb5e8ae92fea5bd9da41

SHA256
d9595b5e4bb49267b93c50334024de412c0e8a2831f2caa1102529292b9c2a7e

SHA512
21b93f9444d559aa19fd36afd939120623187fd42cf43296447cfa8794d7a72773900405b37587def2e794b7e829d337aaf5b397a8882552875a89023f104f97

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs
Filesize
20.4MB

MD5
ac41caf26737b513326a705a32da4816

SHA1
32d41c9e468dae4bd3b27e313787a4022550b74c

SHA256
755fab868615479ad6a8daa6805ebebe8f6d3e61e5d0a57de044b3b50a469c5c

SHA512
a5e44f9f8d110021ea49636f82e0ac5565d18a12cf15c042d6d530966abb4c341a7bace6f8ef422859e73fc66af113459e152ad0a6c063e4b5a1d37dae201931

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new
Filesize
20.4MB

MD5
7b10268d3142eea1e8bf7c5772a87a3d

SHA1
b7172200d61f014cbe30fd6cdfe02e88b3be8871

SHA256
641496927d733ad9316ff465228fea8606c174779907b8bb0a56745ca371f00f

SHA512
9ca20ce1f00cbeb0506df88aae1c7ddee27a656b865677dab6a871df540d1e8ee1d1293cb2e5db297cab2d7618fdb825e41d74714ca2c3769771d5d0ebde268e

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\cached-microdescs.new
Filesize
12.6MB

MD5
07e325a5bdcd69a07a4af033dfa5652d

SHA1
830d586d8bd3c3a332aa97d75a37b2cea8a61ae0

SHA256
bd55dfb94465a7f9ad46505a314aec32c65b8947a7db7e71b821ce7fd6eeb12a

SHA512
a94b350e8eacd7c4ebfc6af13e0bf617deb74686d43bdf525a1b97ca862f5e322a342ef29a0ff9b0809cd76e2df2130f3da4b53d7951dcdec1cd176b31a52d83

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state
Filesize
232B

MD5
362ed12a7224b19158a9e8376ff04753

SHA1
e116cb981b4f19747194951880d9351d976e37fa

SHA256
72c9eadf528136833eea5271e334f3f23a65d7a0db13a14b8539aef9f793c96a

SHA512
987b06b3eced08185d73792ca07ea0d6764531ecb0b94f8cd8d04c00da6e7fd2f47a6b12da80e62c8362c6f04b279187dabbd221442a06944f16935d5de67ff0

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\data\state
Filesize
3KB

MD5
a2115447b2c450748a201c544a46795d

SHA1
5c561fa443b49ab5b4ea6fe766e25a12971e0b3e

SHA256
57ee4be3aebf48a39a980524a1a616a528dfc4136285c54452eea19b917d8579

SHA512
ca0e1c0eb5d824e87bdafdbe6e6c9a27fbe27d03d18f4e3b296158ee27bee73d59446b76faff6fcd88f77409cf67fdc4413384f923f0a1f0972c801a04276eed

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\tor.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\torrc
Filesize
157B

MD5
8ea874223f853aac5ea469ccc164a8f9

SHA1
70d31011547870c9f930496dbf9fb7ec296a8c28

SHA256
95e134044f370b2a96408d581f3c0381fe95388dae27c6d9598f44dc7d72b9ed

SHA512
fd1dc20219fbf4863926d90b5a2127b65e165656eac4493a80288d0c57fc309ed998b5d30fe8ce313987ee367fc4fe9b6026ff32d4391950d7f26ca7b6fdcdf2

Download Submit
C:\Users\Admin\AppData\Local\a5b260eb\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
\Users\Admin\AppData\Local\a5b260eb\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
\Users\Admin\AppData\Local\a5b260eb\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
\Users\Admin\AppData\Local\a5b260eb\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
memory/516-193-0x0000000072BA0000-0x0000000072BC4000-memory.dmp

Filesize
144KB

Download
memory/516-194-0x0000000072A90000-0x0000000072B9A000-memory.dmp

Filesize
1.0MB

Download
memory/516-200-0x0000000072930000-0x00000000729FE000-memory.dmp

Filesize
824KB

Download
memory/516-201-0x0000000072CF0000-0x0000000072FBF000-memory.dmp

Filesize
2.8MB

Download
memory/516-226-0x0000000072C20000-0x0000000072CE8000-memory.dmp

Filesize
800KB

Download
memory/516-196-0x0000000072A00000-0x0000000072A88000-memory.dmp

Filesize
544KB

Download
memory/516-191-0x0000000072C20000-0x0000000072CE8000-memory.dmp

Filesize
800KB

Download
memory/516-225-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/516-281-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/516-192-0x0000000072BD0000-0x0000000072C19000-memory.dmp

Filesize
292KB

Download
memory/1136-329-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/1136-301-0x0000000072CF0000-0x0000000072FBF000-memory.dmp

Filesize
2.8MB

Download
memory/1136-303-0x0000000072BD0000-0x0000000072C19000-memory.dmp

Filesize
292KB

Download
memory/1136-302-0x0000000072C20000-0x0000000072CE8000-memory.dmp

Filesize
800KB

Download
memory/1136-304-0x0000000072B00000-0x0000000072BCE000-memory.dmp

Filesize
824KB

Download
memory/1136-305-0x00000000729F0000-0x0000000072AFA000-memory.dmp

Filesize
1.0MB

Download
memory/1136-306-0x0000000072960000-0x00000000729E8000-memory.dmp

Filesize
544KB

Download
memory/1136-309-0x0000000072930000-0x0000000072954000-memory.dmp

Filesize
144KB

Download
memory/1136-330-0x0000000072CF0000-0x0000000072FBF000-memory.dmp

Filesize
2.8MB

Download
memory/1136-331-0x0000000072C20000-0x0000000072CE8000-memory.dmp

Filesize
800KB

Download
memory/1136-332-0x0000000072B00000-0x0000000072BCE000-memory.dmp

Filesize
824KB

Download
memory/2760-157-0x0000000072930000-0x0000000072BFF000-memory.dmp

Filesize
2.8MB

Download
memory/2760-160-0x0000000072EF0000-0x0000000072FB8000-memory.dmp

Filesize
800KB

Download
memory/2760-162-0x0000000072E20000-0x0000000072EEE000-memory.dmp

Filesize
824KB

Download
memory/2760-165-0x0000000072DD0000-0x0000000072E19000-memory.dmp

Filesize
292KB

Download
memory/2760-167-0x0000000072DA0000-0x0000000072DC4000-memory.dmp

Filesize
144KB

Download
memory/2760-170-0x0000000072C00000-0x0000000072D0A000-memory.dmp

Filesize
1.0MB

Download
memory/2760-172-0x0000000072D10000-0x0000000072D98000-memory.dmp

Filesize
544KB

Download
memory/2760-154-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/2760-177-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/2760-178-0x0000000072930000-0x0000000072BFF000-memory.dmp

Filesize
2.8MB

Download
memory/2760-179-0x0000000072EF0000-0x0000000072FB8000-memory.dmp

Filesize
800KB

Download
memory/3088-278-0x0000000072A00000-0x0000000072A88000-memory.dmp

Filesize
544KB

Download
memory/3088-265-0x0000000072CF0000-0x0000000072FBF000-memory.dmp

Filesize
2.8MB

Download
memory/3088-275-0x0000000072A90000-0x0000000072B9A000-memory.dmp

Filesize
1.0MB

Download
memory/3088-272-0x0000000072BD0000-0x0000000072C19000-memory.dmp

Filesize
292KB

Download
memory/3088-269-0x0000000072930000-0x00000000729FE000-memory.dmp

Filesize
824KB

Download
memory/3088-267-0x0000000072C20000-0x0000000072CE8000-memory.dmp

Filesize
800KB

Download
memory/3088-262-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3088-288-0x0000000072C20000-0x0000000072CE8000-memory.dmp

Filesize
800KB

Download
memory/3088-289-0x0000000072930000-0x00000000729FE000-memory.dmp

Filesize
824KB

Download
memory/3088-287-0x0000000072CF0000-0x0000000072FBF000-memory.dmp

Filesize
2.8MB

Download
memory/3088-286-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3088-279-0x0000000072BA0000-0x0000000072BC4000-memory.dmp

Filesize
144KB

Download
memory/3624-109-0x0000000072070000-0x00000000720AA000-memory.dmp

Filesize
232KB

Download
memory/3624-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3624-50-0x0000000072640000-0x000000007267A000-memory.dmp

Filesize
232KB

Download
memory/3624-1-0x00000000738D0000-0x000000007390A000-memory.dmp

Filesize
232KB

Download
memory/3624-341-0x00000000738D0000-0x000000007390A000-memory.dmp

Filesize
232KB

Download
memory/3624-350-0x0000000072640000-0x000000007267A000-memory.dmp

Filesize
232KB

Download
memory/3644-75-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-35-0x0000000072C00000-0x0000000072D0A000-memory.dmp

Filesize
1.0MB

Download
memory/3644-59-0x0000000072930000-0x0000000072BFF000-memory.dmp

Filesize
2.8MB

Download
memory/3644-83-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-84-0x0000000001740000-0x0000000001A0F000-memory.dmp

Filesize
2.8MB

Download
memory/3644-85-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-101-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-54-0x0000000072E20000-0x0000000072EEE000-memory.dmp

Filesize
824KB

Download
memory/3644-51-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-110-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-41-0x0000000072EF0000-0x0000000072FB8000-memory.dmp

Filesize
800KB

Download
memory/3644-40-0x0000000001740000-0x0000000001A0F000-memory.dmp

Filesize
2.8MB

Download
memory/3644-39-0x0000000072930000-0x0000000072BFF000-memory.dmp

Filesize
2.8MB

Download
memory/3644-169-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-32-0x0000000072DD0000-0x0000000072E19000-memory.dmp

Filesize
292KB

Download
memory/3644-34-0x0000000072D10000-0x0000000072D98000-memory.dmp

Filesize
544KB

Download
memory/3644-33-0x0000000072DA0000-0x0000000072DC4000-memory.dmp

Filesize
144KB

Download
memory/3644-31-0x0000000072E20000-0x0000000072EEE000-memory.dmp

Filesize
824KB

Download
memory/3644-30-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-118-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-126-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/3644-134-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/4184-358-0x0000000072CF0000-0x0000000072FBF000-memory.dmp

Filesize
2.8MB

Download
memory/4184-356-0x0000000000AA0000-0x0000000000EA4000-memory.dmp

Filesize
4.0MB

Download
memory/4184-360-0x0000000072C20000-0x0000000072CE8000-memory.dmp

Filesize
800KB

Download