1b9c4646b8840ef2d2a24603ffa2efa695ee29002c0057d4ba558080f2c485b6

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7613e5c267e7f270918ef87fcb1e45c.exe
Size

7.8MB
MD5

a7613e5c267e7f270918ef87fcb1e45c
SHA1

5ce965496ce1d9eea2d78548854bd486c11329d1
SHA256

1b9c4646b8840ef2d2a24603ffa2efa695ee29002c0057d4ba558080f2c485b6
SHA512

19888cf9937c44770dff47027ada8ef8eaa46cc849717ec0fb46bb32d07434b3b851efa708decd2fa18c07333cc247d35e03d71fbd386caea839bf44cdd7c0d2
SSDEEP

196608:LIRcbH4jSteTGvCxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:LdHsfuCxwZ6v1CPwDv3uFteg2EeJUO9E

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssp-0.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation a7613e5c267e7f270918ef87fcb1e45c.exe
Executes dropped EXE 7 IoCs

Processes:

windows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exe

pid process

4956 windows32.exe
4400 windows32.exe
5036 windows32.exe
5044 windows32.exe
4128 windows32.exe
4552 windows32.exe
2500 windows32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	a7613e5c267e7f270918ef87fcb1e45c.exe

Loads dropped DLL 50 IoCs

Processes:

windows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exewindows32.exe

pid	process
4956	windows32.exe
4956	windows32.exe
4956	windows32.exe
4956	windows32.exe
4956	windows32.exe
4956	windows32.exe
4956	windows32.exe
4956	windows32.exe
4400	windows32.exe
4400	windows32.exe
4400	windows32.exe
4400	windows32.exe
4400	windows32.exe
4400	windows32.exe
4400	windows32.exe
5036	windows32.exe
5036	windows32.exe
5036	windows32.exe
5036	windows32.exe
5036	windows32.exe
5036	windows32.exe
5036	windows32.exe
5044	windows32.exe
5044	windows32.exe
5044	windows32.exe
5044	windows32.exe
5044	windows32.exe
5044	windows32.exe
5044	windows32.exe
4128	windows32.exe
4128	windows32.exe
4128	windows32.exe
4128	windows32.exe
4128	windows32.exe
4128	windows32.exe
4128	windows32.exe
4552	windows32.exe
4552	windows32.exe
4552	windows32.exe
4552	windows32.exe
4552	windows32.exe
4552	windows32.exe
4552	windows32.exe
2500	windows32.exe
2500	windows32.exe
2500	windows32.exe
2500	windows32.exe
2500	windows32.exe
2500	windows32.exe
2500	windows32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe	upx
behavioral4/memory/4956-20-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libgcc_s_sjlj-1.dll	upx
behavioral4/memory/4956-32-0x0000000074150000-0x0000000074199000-memory.dmp	upx
behavioral4/memory/4956-35-0x0000000074050000-0x0000000074074000-memory.dmp	upx
behavioral4/memory/4956-37-0x0000000073EB0000-0x0000000073FBA000-memory.dmp	upx
behavioral4/memory/4956-38-0x0000000073FC0000-0x0000000074048000-memory.dmp	upx
behavioral4/memory/4956-39-0x0000000073BE0000-0x0000000073EAF000-memory.dmp	upx
behavioral4/memory/4956-33-0x0000000074080000-0x000000007414E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libwinpthread-1.dll	upx
behavioral4/memory/4956-29-0x00000000741A0000-0x0000000074268000-memory.dmp	upx
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssp-0.dll	upx
behavioral4/memory/4956-58-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/4956-61-0x0000000074150000-0x0000000074199000-memory.dmp	upx
behavioral4/memory/4956-60-0x00000000741A0000-0x0000000074268000-memory.dmp	upx
behavioral4/memory/4956-62-0x0000000074080000-0x000000007414E000-memory.dmp	upx
behavioral4/memory/4956-63-0x0000000074050000-0x0000000074074000-memory.dmp	upx
behavioral4/memory/4956-65-0x0000000073FC0000-0x0000000074048000-memory.dmp	upx
behavioral4/memory/4956-66-0x0000000073EB0000-0x0000000073FBA000-memory.dmp	upx
behavioral4/memory/4956-67-0x0000000073BE0000-0x0000000073EAF000-memory.dmp	upx
behavioral4/memory/4956-77-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/4956-85-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/4956-93-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/4956-101-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/4956-109-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/4400-117-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/4400-126-0x0000000073BE0000-0x0000000073EAF000-memory.dmp	upx
behavioral4/memory/4400-128-0x00000000741A0000-0x0000000074268000-memory.dmp	upx
behavioral4/memory/4400-129-0x0000000074080000-0x000000007414E000-memory.dmp	upx
behavioral4/memory/4400-131-0x0000000074150000-0x0000000074199000-memory.dmp	upx
behavioral4/memory/4400-132-0x0000000074050000-0x0000000074074000-memory.dmp	upx
behavioral4/memory/4400-133-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/4400-135-0x0000000073BE0000-0x0000000073EAF000-memory.dmp	upx
behavioral4/memory/4400-137-0x00000000741A0000-0x0000000074268000-memory.dmp	upx
behavioral4/memory/4400-136-0x0000000073FC0000-0x0000000074048000-memory.dmp	upx
behavioral4/memory/4400-134-0x0000000073EB0000-0x0000000073FBA000-memory.dmp	upx
behavioral4/memory/4400-138-0x0000000074080000-0x000000007414E000-memory.dmp	upx
behavioral4/memory/5036-154-0x0000000073ED0000-0x0000000073F98000-memory.dmp	upx
behavioral4/memory/5036-156-0x0000000073E50000-0x0000000073E74000-memory.dmp	upx
behavioral4/memory/5036-155-0x0000000073E80000-0x0000000073EC9000-memory.dmp	upx
behavioral4/memory/5036-157-0x0000000073D40000-0x0000000073E4A000-memory.dmp	upx
behavioral4/memory/5036-158-0x0000000073CB0000-0x0000000073D38000-memory.dmp	upx
behavioral4/memory/5036-159-0x0000000073BE0000-0x0000000073CAE000-memory.dmp	upx
behavioral4/memory/5036-164-0x0000000073FA0000-0x000000007426F000-memory.dmp	upx
behavioral4/memory/5036-173-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/5036-175-0x0000000073ED0000-0x0000000073F98000-memory.dmp	upx
behavioral4/memory/5036-180-0x0000000073BE0000-0x0000000073CAE000-memory.dmp	upx
behavioral4/memory/5036-181-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/5036-189-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/5044-210-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/5044-213-0x0000000073BE0000-0x0000000073CAE000-memory.dmp	upx
behavioral4/memory/5044-215-0x0000000073E80000-0x0000000073EC9000-memory.dmp	upx
behavioral4/memory/5044-221-0x0000000073CB0000-0x0000000073D38000-memory.dmp	upx
behavioral4/memory/5044-219-0x0000000073D40000-0x0000000073E4A000-memory.dmp	upx
behavioral4/memory/5044-223-0x0000000073FA0000-0x000000007426F000-memory.dmp	upx
behavioral4/memory/5044-226-0x0000000073ED0000-0x0000000073F98000-memory.dmp	upx
behavioral4/memory/5036-224-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/5044-216-0x0000000073E50000-0x0000000073E74000-memory.dmp	upx
behavioral4/memory/5044-233-0x0000000000CD0000-0x00000000010D4000-memory.dmp	upx
behavioral4/memory/5044-234-0x0000000073BE0000-0x0000000073CAE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Users\\Admin\\AppData\\Local\\windir\\win32.exe"	a7613e5c267e7f270918ef87fcb1e45c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Users\\Admin\\AppData\\Local\\windir\\win32.exe\ue800"	a7613e5c267e7f270918ef87fcb1e45c.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 myexternalip.com
45 myexternalip.com
65 myexternalip.com
77 myexternalip.com
90 myexternalip.com

flow	ioc
44	myexternalip.com
45	myexternalip.com
65	myexternalip.com
77	myexternalip.com
90	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

pid	process
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 25 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

pid	process
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe
2920	a7613e5c267e7f270918ef87fcb1e45c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

description pid process

Token: SeShutdownPrivilege 2920 a7613e5c267e7f270918ef87fcb1e45c.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

pid process

2920 a7613e5c267e7f270918ef87fcb1e45c.exe
2920 a7613e5c267e7f270918ef87fcb1e45c.exe

description	pid	process
Token: SeShutdownPrivilege	2920	a7613e5c267e7f270918ef87fcb1e45c.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

a7613e5c267e7f270918ef87fcb1e45c.exe

description	pid	process	target process
PID 2920 wrote to memory of 4956	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4956	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4956	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4400	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4400	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4400	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 5036	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 5036	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 5036	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 5044	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 5044	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 5044	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4128	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4128	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4128	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4552	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4552	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 4552	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 2500	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 2500	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe
PID 2920 wrote to memory of 2500	2920	a7613e5c267e7f270918ef87fcb1e45c.exe	windows32.exe

C:\Users\Admin\AppData\Local\Temp\a7613e5c267e7f270918ef87fcb1e45c.exe
"C:\Users\Admin\AppData\Local\Temp\a7613e5c267e7f270918ef87fcb1e45c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
"C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4956

C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
"C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4400

C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
"C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5036

C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
"C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5044

C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
"C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4128

C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
"C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4552

C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
"C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe" -f torrc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-certs
Filesize
15KB

MD5
1a88de32dd70ac4b2975a21d655c67ee

SHA1
0087dfefba413ec3384f0f0e074da8496a790a06

SHA256
e850487e946828b98a0336727b80abeb283ac99b1ea11e527babe1cba56a3a33

SHA512
8008df791af6db6d7767b546a0f8849b17762f3a807c15ddd393ec1eb1753ae955b849ca1725ea5f28d769923c29947814f2761cac8ed893d07c894cca0b58c8

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
5ad02c48df55f05db0d7500a1880460b

SHA1
86a15e66e163c77509513f441c4804a244f8efab

SHA256
e63c0dc1cedcfb3ff0ff5e91f8cf612c22424fe18363f1a563c4c0b032e3bba0

SHA512
460337c8e80f450ece4ddb9f8dee9df2c65bfd33643da918f93f54d224ce9e3232f26856f65c4b211277db923ea78af3bfc1b729ee7ac95992b1add4efc9ea74

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs
Filesize
20.3MB

MD5
09b1028788119ff685680380600056fb

SHA1
ad65f2d55e54bac3f5b2e9ac820491fbb99696e2

SHA256
28c79e12aaa65af669147c6aaddb703b9adc42018dda5b671a9cf015f0920c45

SHA512
961737da7b18a7442c56603f935d74143e8cb515e50d63f5f0adfb86e638ec92aabb0f9fe0ccf1592bc154f20906241845cb8bb565983c657823d011a99313dc

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs.new
Filesize
20.3MB

MD5
19083e25309ccdc2c3c1df93a2e4fe47

SHA1
18e3a28c32ed80687ceeeaf056e17eb823611496

SHA256
f3012d326ad15782bf3c4d09cda21bce9804e3a00d928ff6909531b82e921a42

SHA512
4ae861da674eba407c6f3ca58058ee15c940857c7eb2f5a0a3fea11fe49cc2c6f7a8104e734e0497efd6121b900f9d2ebcd7736415daee2ea752918bf9e1f514

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs.new
Filesize
8.7MB

MD5
4948a3251a3f3c45f518efb909609d32

SHA1
98876c872a1196d64dc1397f14410ccf67aac848

SHA256
2a2b2544783d8099f1741cebd51cdbe2ccebb234e86024c707cb066d00487b83

SHA512
f6d71073d9f0411904c3e02ebcc958dc4cd8b7bf231a02785af9127648a3f4a2111271f45fa9499a51cd83ffbbdf18f104bc0844ba85ad9bcad7e21a5d97ccbd

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\cached-microdescs.new
Filesize
8KB

MD5
6cd8c7800b82152d1cd9dd34a5c52f1c

SHA1
3345e446f87ac22471cf15d6c5571976995ac3ba

SHA256
bd2f908892e3fbcf08e6661e1b15a8abaf371478ceca1c889554bf049c32f95b

SHA512
71b386ddf37f96d3b63550b2bc0f7454aad5bcac7e8d45044038e5cbdaaf94a1f7bcf273ad5974a6721a57e12a8dbb488616c39788675dc1f76fd5fb3b6ecb15

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\state
Filesize
232B

MD5
475a65007f6b353a963b9ea7b01f2e84

SHA1
b07c0e2b6ce50404e5609dcbcbcc803bd0c5e424

SHA256
6f578b398af4bd14410c5a92ed51c3323eafbfbb86603830d5512da14bc4e65a

SHA512
725d78430c57fb51ef10bb57eb60377ce538bb3fce7a3ba893030cd927bec720fcaadf9c1fea0b31f6312b06874540e754320d00e261b7c16147d7abe1dfcfe2

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\data\state
Filesize
3KB

MD5
34212ce5486defa2411a4285aa09fdfc

SHA1
200e8b719c6b4c4034f9f9e9201573dbee637f9d

SHA256
e4c5261670fd12507fb04fdb05256fe12e060c738e987dbd190f2bb07eda2bbe

SHA512
afd508c1866c14985bb08fb911d8b0df626b3a21a00522e2812604b28cda37a7c3fc79da5596c479f58830e5f1d20e697a0f31d0190d7981a7e6d2a42485ce93

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\torrc
Filesize
157B

MD5
d55bed9415496532e5333ecaff1e308d

SHA1
074dc0ad8d7b3f86679c321ec7377b3394659a52

SHA256
aacbccc1d0337c77cb4408cd9556b8e31d3a0390ab2ab6b17ad3bf30f2c93850

SHA512
69c492e32f75809ee12cf29a38d71435ec39e9327970dd7f108ce0599804008c0e3a462d244796a5592b587e1c8f1c1f78c2602d539f6d84bf33c18eb38276a5

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\windows32.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\f7cf36c6\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/2500-310-0x0000000073E80000-0x0000000073EC9000-memory.dmp

Filesize
292KB

Download
memory/2500-309-0x0000000073ED0000-0x0000000073F98000-memory.dmp

Filesize
800KB

Download
memory/2920-0-0x0000000074D20000-0x0000000074D59000-memory.dmp

Filesize
228KB

Download
memory/2920-44-0x00000000737D0000-0x0000000073809000-memory.dmp

Filesize
228KB

Download
memory/4128-254-0x0000000073E00000-0x0000000073ECE000-memory.dmp

Filesize
824KB

Download
memory/4128-249-0x0000000073C70000-0x0000000073D7A000-memory.dmp

Filesize
1.0MB

Download
memory/4128-293-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4128-241-0x0000000073ED0000-0x0000000073F98000-memory.dmp

Filesize
800KB

Download
memory/4128-250-0x0000000073BE0000-0x0000000073C68000-memory.dmp

Filesize
544KB

Download
memory/4128-253-0x0000000073FA0000-0x000000007426F000-memory.dmp

Filesize
2.8MB

Download
memory/4128-247-0x0000000073DB0000-0x0000000073DF9000-memory.dmp

Filesize
292KB

Download
memory/4128-248-0x0000000073D80000-0x0000000073DA4000-memory.dmp

Filesize
144KB

Download
memory/4128-268-0x0000000073ED0000-0x0000000073F98000-memory.dmp

Filesize
800KB

Download
memory/4128-267-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4400-137-0x00000000741A0000-0x0000000074268000-memory.dmp

Filesize
800KB

Download
memory/4400-134-0x0000000073EB0000-0x0000000073FBA000-memory.dmp

Filesize
1.0MB

Download
memory/4400-136-0x0000000073FC0000-0x0000000074048000-memory.dmp

Filesize
544KB

Download
memory/4400-135-0x0000000073BE0000-0x0000000073EAF000-memory.dmp

Filesize
2.8MB

Download
memory/4400-132-0x0000000074050000-0x0000000074074000-memory.dmp

Filesize
144KB

Download
memory/4400-117-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4400-126-0x0000000073BE0000-0x0000000073EAF000-memory.dmp

Filesize
2.8MB

Download
memory/4400-128-0x00000000741A0000-0x0000000074268000-memory.dmp

Filesize
800KB

Download
memory/4400-129-0x0000000074080000-0x000000007414E000-memory.dmp

Filesize
824KB

Download
memory/4400-131-0x0000000074150000-0x0000000074199000-memory.dmp

Filesize
292KB

Download
memory/4400-138-0x0000000074080000-0x000000007414E000-memory.dmp

Filesize
824KB

Download
memory/4400-133-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4552-296-0x0000000073BE0000-0x0000000073C68000-memory.dmp

Filesize
544KB

Download
memory/4552-282-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4552-284-0x0000000073FA0000-0x000000007426F000-memory.dmp

Filesize
2.8MB

Download
memory/4552-285-0x0000000073ED0000-0x0000000073F98000-memory.dmp

Filesize
800KB

Download
memory/4552-288-0x0000000073E00000-0x0000000073ECE000-memory.dmp

Filesize
824KB

Download
memory/4552-289-0x0000000073DB0000-0x0000000073DF9000-memory.dmp

Filesize
292KB

Download
memory/4552-291-0x0000000073D80000-0x0000000073DA4000-memory.dmp

Filesize
144KB

Download
memory/4552-294-0x0000000073C70000-0x0000000073D7A000-memory.dmp

Filesize
1.0MB

Download
memory/4552-303-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4552-305-0x0000000073ED0000-0x0000000073F98000-memory.dmp

Filesize
800KB

Download
memory/4552-304-0x0000000073FA0000-0x000000007426F000-memory.dmp

Filesize
2.8MB

Download
memory/4552-306-0x0000000073E00000-0x0000000073ECE000-memory.dmp

Filesize
824KB

Download
memory/4956-62-0x0000000074080000-0x000000007414E000-memory.dmp

Filesize
824KB

Download
memory/4956-109-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4956-20-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4956-32-0x0000000074150000-0x0000000074199000-memory.dmp

Filesize
292KB

Download
memory/4956-35-0x0000000074050000-0x0000000074074000-memory.dmp

Filesize
144KB

Download
memory/4956-37-0x0000000073EB0000-0x0000000073FBA000-memory.dmp

Filesize
1.0MB

Download
memory/4956-38-0x0000000073FC0000-0x0000000074048000-memory.dmp

Filesize
544KB

Download
memory/4956-39-0x0000000073BE0000-0x0000000073EAF000-memory.dmp

Filesize
2.8MB

Download
memory/4956-40-0x0000000001FE0000-0x00000000022AF000-memory.dmp

Filesize
2.8MB

Download
memory/4956-33-0x0000000074080000-0x000000007414E000-memory.dmp

Filesize
824KB

Download
memory/4956-29-0x00000000741A0000-0x0000000074268000-memory.dmp

Filesize
800KB

Download
memory/4956-58-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4956-61-0x0000000074150000-0x0000000074199000-memory.dmp

Filesize
292KB

Download
memory/4956-60-0x00000000741A0000-0x0000000074268000-memory.dmp

Filesize
800KB

Download
memory/4956-63-0x0000000074050000-0x0000000074074000-memory.dmp

Filesize
144KB

Download
memory/4956-65-0x0000000073FC0000-0x0000000074048000-memory.dmp

Filesize
544KB

Download
memory/4956-66-0x0000000073EB0000-0x0000000073FBA000-memory.dmp

Filesize
1.0MB

Download
memory/4956-67-0x0000000073BE0000-0x0000000073EAF000-memory.dmp

Filesize
2.8MB

Download
memory/4956-77-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4956-85-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4956-92-0x0000000001FE0000-0x00000000022AF000-memory.dmp

Filesize
2.8MB

Download
memory/4956-93-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/4956-101-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/5036-154-0x0000000073ED0000-0x0000000073F98000-memory.dmp

Filesize
800KB

Download
memory/5036-189-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/5036-156-0x0000000073E50000-0x0000000073E74000-memory.dmp

Filesize
144KB

Download
memory/5036-155-0x0000000073E80000-0x0000000073EC9000-memory.dmp

Filesize
292KB

Download
memory/5036-157-0x0000000073D40000-0x0000000073E4A000-memory.dmp

Filesize
1.0MB

Download
memory/5036-158-0x0000000073CB0000-0x0000000073D38000-memory.dmp

Filesize
544KB

Download
memory/5036-159-0x0000000073BE0000-0x0000000073CAE000-memory.dmp

Filesize
824KB

Download
memory/5036-173-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/5036-175-0x0000000073ED0000-0x0000000073F98000-memory.dmp

Filesize
800KB

Download
memory/5036-224-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/5036-180-0x0000000073BE0000-0x0000000073CAE000-memory.dmp

Filesize
824KB

Download
memory/5036-164-0x0000000073FA0000-0x000000007426F000-memory.dmp

Filesize
2.8MB

Download
memory/5036-181-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/5044-223-0x0000000073FA0000-0x000000007426F000-memory.dmp

Filesize
2.8MB

Download
memory/5044-215-0x0000000073E80000-0x0000000073EC9000-memory.dmp

Filesize
292KB

Download
memory/5044-213-0x0000000073BE0000-0x0000000073CAE000-memory.dmp

Filesize
824KB

Download
memory/5044-210-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/5044-221-0x0000000073CB0000-0x0000000073D38000-memory.dmp

Filesize
544KB

Download
memory/5044-219-0x0000000073D40000-0x0000000073E4A000-memory.dmp

Filesize
1.0MB

Download
memory/5044-226-0x0000000073ED0000-0x0000000073F98000-memory.dmp

Filesize
800KB

Download
memory/5044-216-0x0000000073E50000-0x0000000073E74000-memory.dmp

Filesize
144KB

Download
memory/5044-233-0x0000000000CD0000-0x00000000010D4000-memory.dmp

Filesize
4.0MB

Download
memory/5044-234-0x0000000073BE0000-0x0000000073CAE000-memory.dmp

Filesize
824KB

Download