danabot | 37cb831726dc1877ea59cf5618e4fa224368bbd64a7047dec6fb554a6a17d4c2

Analysis

max time kernel
151s
max time network
138s
platform
windows7_x64
resource
win7v20201028
submitted
02-12-2020 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f855a98d4367685b38e0c961627ef029.exe
Size

671KB
MD5

f855a98d4367685b38e0c961627ef029
SHA1

f111814ebf9950785a8e932627abfae9c3ec24ef
SHA256

37cb831726dc1877ea59cf5618e4fa224368bbd64a7047dec6fb554a6a17d4c2
SHA512

c3e295ac5f46c8400ebe9846eaddea93b06f4023cc36751654ae9ff73f4dc0e33510fbe4ef2ebf9ff24328ac316158b77560620ad6db8d4dc8791756b1e7386c

Score

10^/10

danabot xmrig 3 banker discovery evasion miner spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

104.227.34.227:443

64.188.20.187:443

51.195.73.129:443

176.123.2.249:443

Attributes

embedded_hash
6266E79288DFE2AE2C2DB47563C7F93A

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/432-874-0x0000000000400000-0x0000000000B59000-memory.dmp	xmrig
behavioral1/memory/432-875-0x00000000004014C0-mapping.dmp	xmrig
behavioral1/memory/432-876-0x0000000000400000-0x0000000000B59000-memory.dmp	xmrig
behavioral1/memory/432-877-0x0000000000400000-0x0000000000B59000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

23 2560 RUNDLL32.EXE
26 2824 WScript.exe
28 2824 WScript.exe
30 2824 WScript.exe
32 2824 WScript.exe
34 2824 WScript.exe

flow	pid	process
23	2560	RUNDLL32.EXE
26	2824	WScript.exe
28	2824	WScript.exe
30	2824	WScript.exe
32	2824	WScript.exe
34	2824	WScript.exe

Executes dropped EXE 14 IoCs

Processes:

File2.exelvlar.exe4pla.exestartver.exeCL_Debug_Log.txtSmartClock.exerckuwwu.exeHelper.exeHelper.exeHelper.exetor.exeHelper.exeHelper.exeHelper.exe

pid	process
548	File2.exe
1604	lvlar.exe
1160	4pla.exe
320	startver.exe
1388	CL_Debug_Log.txt
2076	SmartClock.exe
2416	rckuwwu.exe
2300	Helper.exe
2304	Helper.exe
1620	Helper.exe
2452	tor.exe
2644	Helper.exe
1600	Helper.exe
2372	Helper.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4pla.exestartver.exeSmartClock.exelvlar.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4pla.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4pla.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	startver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	startver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lvlar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lvlar.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

616 cmd.exe
Drops startup file 1 IoCs

Processes:

4pla.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4pla.exe

pid	process
616	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4pla.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4pla.exestartver.exeSmartClock.exelvlar.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	4pla.exe
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	startver.exe
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	SmartClock.exe
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	lvlar.exe

Loads dropped DLL 48 IoCs

Processes:

f855a98d4367685b38e0c961627ef029.exeFile2.exelvlar.exe4pla.exestartver.exeSmartClock.execmd.exerckuwwu.exerundll32.exeRUNDLL32.EXEHelper.exetor.exe

pid	process
836	f855a98d4367685b38e0c961627ef029.exe
548	File2.exe
548	File2.exe
548	File2.exe
548	File2.exe
548	File2.exe
1604	lvlar.exe
1604	lvlar.exe
548	File2.exe
548	File2.exe
1160	4pla.exe
1160	4pla.exe
1160	4pla.exe
548	File2.exe
548	File2.exe
320	startver.exe
320	startver.exe
320	startver.exe
1160	4pla.exe
320	startver.exe
1160	4pla.exe
1160	4pla.exe
2076	SmartClock.exe
2076	SmartClock.exe
2076	SmartClock.exe
2388	cmd.exe
2388	cmd.exe
2416	rckuwwu.exe
2416	rckuwwu.exe
2496	rundll32.exe
2496	rundll32.exe
2496	rundll32.exe
2496	rundll32.exe
2560	RUNDLL32.EXE
2560	RUNDLL32.EXE
2560	RUNDLL32.EXE
2560	RUNDLL32.EXE
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2452	tor.exe
2452	tor.exe
2452	tor.exe
2452	tor.exe
2452	tor.exe
2452	tor.exe
2452	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	RUNDLL32.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

lvlar.exe4pla.exestartver.exeSmartClock.exe

pid process

1604 lvlar.exe
1160 4pla.exe
320 startver.exe
2076 SmartClock.exe

flow	ioc
12	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

Helper.exe

description	pid	process	target process
PID 2300 set thread context of 1620	2300	Helper.exe	Helper.exe
PID 2300 set thread context of 2644	2300	Helper.exe	Helper.exe
PID 2300 set thread context of 432	2300	Helper.exe	attrib.exe

Drops file in Program Files directory 9 IoCs

Processes:

File2.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Program Files (x86)\solfer\Microsoft.IdentityServer.Web.Resources.dll	File2.exe
File created	C:\Program Files (x86)\solfer\4pla.exe	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\msdasc.chm	File2.exe
File opened for modification	C:\Program Files (x86)\solfer\boleroh\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files (x86)\solfer\boleroh\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\solfer\wiatrace.log	File2.exe
File created	C:\Program Files (x86)\solfer\startver.exe	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\msorcl32.chm	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\lvlar.exe	File2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEf855a98d4367685b38e0c961627ef029.exelvlar.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f855a98d4367685b38e0c961627ef029.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f855a98d4367685b38e0c961627ef029.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lvlar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lvlar.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2300 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1620 timeout.exe

pid	process
2300	schtasks.exe

pid	process
1620	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exelvlar.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lvlar.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lvlar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

2076 SmartClock.exe

pid	process
2076	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lvlar.exe4pla.exestartver.exeSmartClock.exepowershell.exeRUNDLL32.EXEpowershell.exeHelper.exetor.exe

pid	process
1604	lvlar.exe
1160	4pla.exe
320	startver.exe
2076	SmartClock.exe
2936	powershell.exe
2936	powershell.exe
2560	RUNDLL32.EXE
2560	RUNDLL32.EXE
1140	powershell.exe
1140	powershell.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2452	tor.exe
2452	tor.exe
2452	tor.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Helper.exe

pid process

2300 Helper.exe

pid	process
2300	Helper.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

CL_Debug_Log.txtrundll32.exeRUNDLL32.EXEpowershell.exepowershell.exeHelper.exeHelper.exeattrib.exe

description	pid	process
Token: SeRestorePrivilege	1388	CL_Debug_Log.txt
Token: 35	1388	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1388	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1388	CL_Debug_Log.txt
Token: SeDebugPrivilege	2496	rundll32.exe
Token: SeDebugPrivilege	2560	RUNDLL32.EXE
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeRestorePrivilege	1620	Helper.exe
Token: 35	1620	Helper.exe
Token: SeSecurityPrivilege	1620	Helper.exe
Token: SeSecurityPrivilege	1620	Helper.exe
Token: SeRestorePrivilege	2644	Helper.exe
Token: 35	2644	Helper.exe
Token: SeSecurityPrivilege	2644	Helper.exe
Token: SeSecurityPrivilege	2644	Helper.exe
Token: SeLockMemoryPrivilege	432	attrib.exe
Token: SeLockMemoryPrivilege	432	attrib.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

f855a98d4367685b38e0c961627ef029.exestartver.exeRUNDLL32.EXEHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
836	f855a98d4367685b38e0c961627ef029.exe
836	f855a98d4367685b38e0c961627ef029.exe
320	startver.exe
320	startver.exe
320	startver.exe
2560	RUNDLL32.EXE
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2304	Helper.exe
2304	Helper.exe
2304	Helper.exe
1600	Helper.exe
1600	Helper.exe
1600	Helper.exe
2372	Helper.exe
2372	Helper.exe
2372	Helper.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

startver.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
320	startver.exe
320	startver.exe
320	startver.exe
2300	Helper.exe
2300	Helper.exe
2300	Helper.exe
2304	Helper.exe
2304	Helper.exe
2304	Helper.exe
1600	Helper.exe
1600	Helper.exe
1600	Helper.exe
2372	Helper.exe
2372	Helper.exe
2372	Helper.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f855a98d4367685b38e0c961627ef029.execmd.exeFile2.exestartver.exe4pla.execmd.exe

description	pid	process	target process
PID 836 wrote to memory of 548	836	f855a98d4367685b38e0c961627ef029.exe	File2.exe
PID 836 wrote to memory of 548	836	f855a98d4367685b38e0c961627ef029.exe	File2.exe
PID 836 wrote to memory of 548	836	f855a98d4367685b38e0c961627ef029.exe	File2.exe
PID 836 wrote to memory of 548	836	f855a98d4367685b38e0c961627ef029.exe	File2.exe
PID 836 wrote to memory of 548	836	f855a98d4367685b38e0c961627ef029.exe	File2.exe
PID 836 wrote to memory of 548	836	f855a98d4367685b38e0c961627ef029.exe	File2.exe
PID 836 wrote to memory of 548	836	f855a98d4367685b38e0c961627ef029.exe	File2.exe
PID 836 wrote to memory of 616	836	f855a98d4367685b38e0c961627ef029.exe	cmd.exe
PID 836 wrote to memory of 616	836	f855a98d4367685b38e0c961627ef029.exe	cmd.exe
PID 836 wrote to memory of 616	836	f855a98d4367685b38e0c961627ef029.exe	cmd.exe
PID 836 wrote to memory of 616	836	f855a98d4367685b38e0c961627ef029.exe	cmd.exe
PID 616 wrote to memory of 1620	616	cmd.exe	timeout.exe
PID 616 wrote to memory of 1620	616	cmd.exe	timeout.exe
PID 616 wrote to memory of 1620	616	cmd.exe	timeout.exe
PID 616 wrote to memory of 1620	616	cmd.exe	timeout.exe
PID 548 wrote to memory of 1604	548	File2.exe	lvlar.exe
PID 548 wrote to memory of 1604	548	File2.exe	lvlar.exe
PID 548 wrote to memory of 1604	548	File2.exe	lvlar.exe
PID 548 wrote to memory of 1604	548	File2.exe	lvlar.exe
PID 548 wrote to memory of 1604	548	File2.exe	lvlar.exe
PID 548 wrote to memory of 1604	548	File2.exe	lvlar.exe
PID 548 wrote to memory of 1604	548	File2.exe	lvlar.exe
PID 548 wrote to memory of 1160	548	File2.exe	4pla.exe
PID 548 wrote to memory of 1160	548	File2.exe	4pla.exe
PID 548 wrote to memory of 1160	548	File2.exe	4pla.exe
PID 548 wrote to memory of 1160	548	File2.exe	4pla.exe
PID 548 wrote to memory of 1160	548	File2.exe	4pla.exe
PID 548 wrote to memory of 1160	548	File2.exe	4pla.exe
PID 548 wrote to memory of 1160	548	File2.exe	4pla.exe
PID 548 wrote to memory of 320	548	File2.exe	startver.exe
PID 548 wrote to memory of 320	548	File2.exe	startver.exe
PID 548 wrote to memory of 320	548	File2.exe	startver.exe
PID 548 wrote to memory of 320	548	File2.exe	startver.exe
PID 548 wrote to memory of 320	548	File2.exe	startver.exe
PID 548 wrote to memory of 320	548	File2.exe	startver.exe
PID 548 wrote to memory of 320	548	File2.exe	startver.exe
PID 320 wrote to memory of 1388	320	startver.exe	CL_Debug_Log.txt
PID 320 wrote to memory of 1388	320	startver.exe	CL_Debug_Log.txt
PID 320 wrote to memory of 1388	320	startver.exe	CL_Debug_Log.txt
PID 320 wrote to memory of 1388	320	startver.exe	CL_Debug_Log.txt
PID 320 wrote to memory of 1388	320	startver.exe	CL_Debug_Log.txt
PID 320 wrote to memory of 1388	320	startver.exe	CL_Debug_Log.txt
PID 320 wrote to memory of 1388	320	startver.exe	CL_Debug_Log.txt
PID 1160 wrote to memory of 2076	1160	4pla.exe	SmartClock.exe
PID 1160 wrote to memory of 2076	1160	4pla.exe	SmartClock.exe
PID 1160 wrote to memory of 2076	1160	4pla.exe	SmartClock.exe
PID 1160 wrote to memory of 2076	1160	4pla.exe	SmartClock.exe
PID 1160 wrote to memory of 2076	1160	4pla.exe	SmartClock.exe
PID 1160 wrote to memory of 2076	1160	4pla.exe	SmartClock.exe
PID 1160 wrote to memory of 2076	1160	4pla.exe	SmartClock.exe
PID 320 wrote to memory of 2260	320	startver.exe	cmd.exe
PID 320 wrote to memory of 2260	320	startver.exe	cmd.exe
PID 320 wrote to memory of 2260	320	startver.exe	cmd.exe
PID 320 wrote to memory of 2260	320	startver.exe	cmd.exe
PID 320 wrote to memory of 2260	320	startver.exe	cmd.exe
PID 320 wrote to memory of 2260	320	startver.exe	cmd.exe
PID 320 wrote to memory of 2260	320	startver.exe	cmd.exe
PID 2260 wrote to memory of 2300	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2300	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2300	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2300	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2300	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2300	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2300	2260	cmd.exe	schtasks.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

432 attrib.exe

pid	process
432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f855a98d4367685b38e0c961627ef029.exe
"C:\Users\Admin\AppData\Local\Temp\f855a98d4367685b38e0c961627ef029.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\File2.exe
"C:\Users\Admin\AppData\Local\Temp\File2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:548

C:\Program Files (x86)\solfer\boleroh\lvlar.exe
"C:\Program Files (x86)\solfer\boleroh\lvlar.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\rckuwwu.exe"
4⤵
- Loads dropped DLL
PID:2388

C:\Users\Admin\AppData\Local\Temp\rckuwwu.exe
"C:\Users\Admin\AppData\Local\Temp\rckuwwu.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\rckuwwu.exe
6⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL,h0o9fBI=
7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp741.tmp.ps1"
8⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2030.tmp.ps1"
8⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
9⤵
PID:2268

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
8⤵
PID:800

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
8⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\gqbwsptt.vbs"
4⤵
PID:2744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gqbwsptt.vbs"
5⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2824

C:\Program Files (x86)\solfer\4pla.exe
"C:\Program Files (x86)\solfer\4pla.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Program Files (x86)\solfer\startver.exe
"C:\Program Files (x86)\solfer\startver.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
4⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
5⤵
- Creates scheduled task(s)
PID:2300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\mYqGI0ZP2 & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f855a98d4367685b38e0c961627ef029.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1620

C:\Windows\system32\taskeng.exe
taskeng.exe {C84876A8-FFC4-4AB8-9774-F98359572BE6} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
1⤵
PID:956

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2304

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2300

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\attrib.exe
-o stratum+tcp://Nipan.hk:8888 -u 0001 -p x -t 1
3⤵
- Suspicious use of AdjustPrivilegeToken
- Views/modifies file attributes
PID:432

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2372

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\solfer\4pla.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
C:\Program Files (x86)\solfer\4pla.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
C:\Program Files (x86)\solfer\boleroh\lvlar.exe
MD5
5cdba982d93db6b44aa3ba621948ad01

SHA1
66bd330a6b386d37184061b0860726d32307e7f7

SHA256
941b7f63c12bfb653ec267619148817840f2bc0c6b2c3ba8978c312d3f5dfdd1

SHA512
5c3f17146b062f17b1988a27d117268ed16915d2110575c72318955c0c3af73ad96d69cf9c69457b560332538d67bbd10016b1084a7bba4213d79626e05e8f5d

Download Submit
C:\Program Files (x86)\solfer\boleroh\lvlar.exe
MD5
5cdba982d93db6b44aa3ba621948ad01

SHA1
66bd330a6b386d37184061b0860726d32307e7f7

SHA256
941b7f63c12bfb653ec267619148817840f2bc0c6b2c3ba8978c312d3f5dfdd1

SHA512
5c3f17146b062f17b1988a27d117268ed16915d2110575c72318955c0c3af73ad96d69cf9c69457b560332538d67bbd10016b1084a7bba4213d79626e05e8f5d

Download Submit
C:\Program Files (x86)\solfer\startver.exe
MD5
c914176a3837c64afc8c0adcedb75ab3

SHA1
a875893761b5738d045c812cf184bdccaa1a3adf

SHA256
64bbc532403baf3fdbf37570ff0034ad2f81d3ab49c59ac1687d4e79ad5b9be6

SHA512
75f072c712d74c3d13e1a50fd84a8c6682a392dff66a7cde2d52df48b56c801f5c85ed9360423725dfdb95ae8804be77e447712c9f63ce73dc86615053b07439

Download Submit
C:\Program Files (x86)\solfer\startver.exe
MD5
c914176a3837c64afc8c0adcedb75ab3

SHA1
a875893761b5738d045c812cf184bdccaa1a3adf

SHA256
64bbc532403baf3fdbf37570ff0034ad2f81d3ab49c59ac1687d4e79ad5b9be6

SHA512
75f072c712d74c3d13e1a50fd84a8c6682a392dff66a7cde2d52df48b56c801f5c85ed9360423725dfdb95ae8804be77e447712c9f63ce73dc86615053b07439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9362bc9-9a59-457a-b4a5-e21eef6e7d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5T8OP4KT\lexus[1].exe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\json[1].json

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\json[1].json

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe
MD5
8d4a066a726394bea1ac340dc2b8da97

SHA1
a0d820b9a2aebd76c1e4babb8df29ee2e601591d

SHA256
8d115d59d23cfbea82a7863db006186733a6ca2f8ae8641860b3766a09199926

SHA512
e6b39c373a40f322596c426f31cc08c67500d39dbe0f4e82d8112c2393f21b201e54fe94179157a60138134a2479d63d1a2ec95d864718dcc464698315018803

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe
MD5
b63316db18171e9b01e8182c7dee0a52

SHA1
e4136a87a6d1e76b93b471af40bd8b98f277d4a4

SHA256
8549c72b6d363c4650231e5d464ae7429a1f3109cac6000e4bba9bdcb402897f

SHA512
79e2fa8f3a78eaaf0a2baee7bb8997cebb29afdca608e70d1fb7107bc27eb82ebb0c4b678a7485e050086fe835ba85b4e4de3e2a15bbf2428a30dd75a2859f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
MD5
9e643e88a12409e738e1babd616b087e

SHA1
e819be03fb6a51d227d0bf24ed242348977b8260

SHA256
29b08f3e00e2fa354ee0986db0e8c3d1651d7526fb2fc9a1937416a0ea6fa653

SHA512
cfa5aca452ff8e69909a9e5c4b18e92b5aba162c7708779b2535c3e5f2c49edf8c9e2e5e18e8da327f4d0e8845bda9ee7e6b039cd251c33decd282fc2c3f8567

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFD7.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\File2.exe
MD5
6b20c4c980ba7f45686cc2026d414552

SHA1
d630f4f92716e5feb53834e7fa49bf8f297209b0

SHA256
ddcd4930b73a1b15ceac5649378b388d0bb16380633624a2d1e1e66971e3d017

SHA512
963f6a05eb3bba0fa0e2ce5a0bb571b163f647cebf4a907228a97ba629e91ada21a8dfa93db68c16d4385b69dc919c767e5760173c0f7549eb7257d076b74974

Download Submit
C:\Users\Admin\AppData\Local\Temp\File2.exe
MD5
6b20c4c980ba7f45686cc2026d414552

SHA1
d630f4f92716e5feb53834e7fa49bf8f297209b0

SHA256
ddcd4930b73a1b15ceac5649378b388d0bb16380633624a2d1e1e66971e3d017

SHA512
963f6a05eb3bba0fa0e2ce5a0bb571b163f647cebf4a907228a97ba629e91ada21a8dfa93db68c16d4385b69dc919c767e5760173c0f7549eb7257d076b74974

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL
MD5
8ae60d14802fac0d5d8ddf4ab4e64cfd

SHA1
f8023b26304a891897b57c10a1d0bdec4f9c0d6a

SHA256
b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

SHA512
1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqbwsptt.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYqGI0ZP2\3TFGUU~1.ZIP
MD5
ce38edb31c846c371b040b5c24605134

SHA1
ffe8271cfb1c225c71912043a821ec1c6a55571e

SHA256
76354f99265a281d1f39bc4ae52066aa63d9ba2b0359d2cf15e893e9f7074d04

SHA512
8d8319c74069a0239c6db6461531595ef8c70d50cea2751d8e05d84de50af6847b176b3e3538647dc17182cc860b95292522f4f09f685f81f091cf762b5e1501

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYqGI0ZP2\IVZLLI~1.ZIP
MD5
d65c384f65802fc34baac9368624f8c5

SHA1
860218059d4174133653715b8a2b9a7600eb8350

SHA256
8ea11ad7bb768e2c742533ee76cf96b175b859ee60bb00ee5ef81c54d85ba85a

SHA512
17018434e3e27993a3e1caf50e62cd658a8f3d2a57e2fe61c4f9054ce1c8dd4c5ec27dcac5a8812af60f6c2f3f730689697c51944a98aba06366e013c1a8aa11

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYqGI0ZP2\_Files\_Files\UPDATE~1.TXT
MD5
68a571c333b77296dfc33cdca6a5da8d

SHA1
f97c81029e4c9957b222e97bcfda7f376adc7418

SHA256
ca825b148c67c1b202bf515c142ed53db882273299b2255bf037e5a6d4cd5290

SHA512
9917e9cd7b48e78c1bf20ee81ebab5fd3caac8c14e87ed29c538be05bf0f3b2016eb823dd9f70cc9400a01263b125d70fd430a2153e37ca7090124a062502621

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYqGI0ZP2\_Files\_INFOR~1.TXT
MD5
713f6278fdf85b619f4c75596d2e8f44

SHA1
adcde18b0d06648720ae02387a0764d367814327

SHA256
109c07e9bf563e4abd8f7c625e4557fbe58c929beb922c47769008e69a85ac20

SHA512
131a81719b8b581846a0033e749c56f3775cdbf01afa4d3aa340a42f5bbecb9883adba2f0faf2afa925f043ff576809ed83fb6f4e0e9427bdd513a62dbb8bc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYqGI0ZP2\_Files\_SCREE~1.JPE
MD5
856ca2e2dfb5cd17760eeaa0c027b822

SHA1
39ab941075e9feed060fd039bf106ad85b5df7bb

SHA256
b42125bc93b542c0d5065040c5c22769b0d11eb5fedfed8f4d8dc1f4b4b2b1e4

SHA512
881d10aa9fd66bfebc5ca48ddd9b9fe88f273a18901e6b1da4e6f8264b56298a76bc14d321aaf6823d169377e5d96e84f5f175a9ce5469fc83baf40bab78eadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYqGI0ZP2\files_\SCREEN~1.JPG
MD5
856ca2e2dfb5cd17760eeaa0c027b822

SHA1
39ab941075e9feed060fd039bf106ad85b5df7bb

SHA256
b42125bc93b542c0d5065040c5c22769b0d11eb5fedfed8f4d8dc1f4b4b2b1e4

SHA512
881d10aa9fd66bfebc5ca48ddd9b9fe88f273a18901e6b1da4e6f8264b56298a76bc14d321aaf6823d169377e5d96e84f5f175a9ce5469fc83baf40bab78eadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYqGI0ZP2\files_\SYSTEM~1.TXT
MD5
0421f2856c6ba3b0af1425463b4cd960

SHA1
e3bf0b7c35666ed43f0201705c6080ba3022f7dc

SHA256
50e9e7367c1a9158cf35a3d7a86f554b95b8beb269ba5c06f9b0ea045fdac520

SHA512
56400560ed4cb34fd04f9b79b9a7a866f832f7951c33d883eedd77d6ea93565eb0e88bd1ae431a5a8e06c5b362841d7e7c04cd66026d762684065c8c3bbfa13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYqGI0ZP2\files_\files\UPDATE~1.TXT
MD5
68a571c333b77296dfc33cdca6a5da8d

SHA1
f97c81029e4c9957b222e97bcfda7f376adc7418

SHA256
ca825b148c67c1b202bf515c142ed53db882273299b2255bf037e5a6d4cd5290

SHA512
9917e9cd7b48e78c1bf20ee81ebab5fd3caac8c14e87ed29c538be05bf0f3b2016eb823dd9f70cc9400a01263b125d70fd430a2153e37ca7090124a062502621

Download Submit
C:\Users\Admin\AppData\Local\Temp\rckuwwu.exe
MD5
d9ea6ec0c475886c9592632a19f3f493

SHA1
bb42517f68b681f1c44e5ba962a96fedd983e0f9

SHA256
0528a0d4968681cc528613572c65924d92c739056cf923af61c24ce5e323ed64

SHA512
d02609957977c136230ceb313567af4475d5ec45ed43b23af4d15392b984a8cc5b37f887975d752b21851bc9827670122260ff71735f0257a5e7aece43302aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\rckuwwu.exe
MD5
d9ea6ec0c475886c9592632a19f3f493

SHA1
bb42517f68b681f1c44e5ba962a96fedd983e0f9

SHA256
0528a0d4968681cc528613572c65924d92c739056cf923af61c24ce5e323ed64

SHA512
d02609957977c136230ceb313567af4475d5ec45ed43b23af4d15392b984a8cc5b37f887975d752b21851bc9827670122260ff71735f0257a5e7aece43302aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2030.tmp.ps1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2031.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp741.tmp.ps1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\LIBEAY32.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\SSLEAY32.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-6.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-6.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-6.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_sjlj-1.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgmp-10.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\??\PIPE\srvsvc

Download Submit
\Program Files (x86)\solfer\4pla.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Program Files (x86)\solfer\4pla.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Program Files (x86)\solfer\4pla.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Program Files (x86)\solfer\4pla.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Program Files (x86)\solfer\4pla.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Program Files (x86)\solfer\boleroh\lvlar.exe
MD5
5cdba982d93db6b44aa3ba621948ad01

SHA1
66bd330a6b386d37184061b0860726d32307e7f7

SHA256
941b7f63c12bfb653ec267619148817840f2bc0c6b2c3ba8978c312d3f5dfdd1

SHA512
5c3f17146b062f17b1988a27d117268ed16915d2110575c72318955c0c3af73ad96d69cf9c69457b560332538d67bbd10016b1084a7bba4213d79626e05e8f5d

Download Submit
\Program Files (x86)\solfer\boleroh\lvlar.exe
MD5
5cdba982d93db6b44aa3ba621948ad01

SHA1
66bd330a6b386d37184061b0860726d32307e7f7

SHA256
941b7f63c12bfb653ec267619148817840f2bc0c6b2c3ba8978c312d3f5dfdd1

SHA512
5c3f17146b062f17b1988a27d117268ed16915d2110575c72318955c0c3af73ad96d69cf9c69457b560332538d67bbd10016b1084a7bba4213d79626e05e8f5d

Download Submit
\Program Files (x86)\solfer\boleroh\lvlar.exe
MD5
5cdba982d93db6b44aa3ba621948ad01

SHA1
66bd330a6b386d37184061b0860726d32307e7f7

SHA256
941b7f63c12bfb653ec267619148817840f2bc0c6b2c3ba8978c312d3f5dfdd1

SHA512
5c3f17146b062f17b1988a27d117268ed16915d2110575c72318955c0c3af73ad96d69cf9c69457b560332538d67bbd10016b1084a7bba4213d79626e05e8f5d

Download Submit
\Program Files (x86)\solfer\startver.exe
MD5
c914176a3837c64afc8c0adcedb75ab3

SHA1
a875893761b5738d045c812cf184bdccaa1a3adf

SHA256
64bbc532403baf3fdbf37570ff0034ad2f81d3ab49c59ac1687d4e79ad5b9be6

SHA512
75f072c712d74c3d13e1a50fd84a8c6682a392dff66a7cde2d52df48b56c801f5c85ed9360423725dfdb95ae8804be77e447712c9f63ce73dc86615053b07439

Download Submit
\Program Files (x86)\solfer\startver.exe
MD5
c914176a3837c64afc8c0adcedb75ab3

SHA1
a875893761b5738d045c812cf184bdccaa1a3adf

SHA256
64bbc532403baf3fdbf37570ff0034ad2f81d3ab49c59ac1687d4e79ad5b9be6

SHA512
75f072c712d74c3d13e1a50fd84a8c6682a392dff66a7cde2d52df48b56c801f5c85ed9360423725dfdb95ae8804be77e447712c9f63ce73dc86615053b07439

Download Submit
\Program Files (x86)\solfer\startver.exe
MD5
c914176a3837c64afc8c0adcedb75ab3

SHA1
a875893761b5738d045c812cf184bdccaa1a3adf

SHA256
64bbc532403baf3fdbf37570ff0034ad2f81d3ab49c59ac1687d4e79ad5b9be6

SHA512
75f072c712d74c3d13e1a50fd84a8c6682a392dff66a7cde2d52df48b56c801f5c85ed9360423725dfdb95ae8804be77e447712c9f63ce73dc86615053b07439

Download Submit
\Program Files (x86)\solfer\startver.exe
MD5
c914176a3837c64afc8c0adcedb75ab3

SHA1
a875893761b5738d045c812cf184bdccaa1a3adf

SHA256
64bbc532403baf3fdbf37570ff0034ad2f81d3ab49c59ac1687d4e79ad5b9be6

SHA512
75f072c712d74c3d13e1a50fd84a8c6682a392dff66a7cde2d52df48b56c801f5c85ed9360423725dfdb95ae8804be77e447712c9f63ce73dc86615053b07439

Download Submit
\Program Files (x86)\solfer\startver.exe
MD5
c914176a3837c64afc8c0adcedb75ab3

SHA1
a875893761b5738d045c812cf184bdccaa1a3adf

SHA256
64bbc532403baf3fdbf37570ff0034ad2f81d3ab49c59ac1687d4e79ad5b9be6

SHA512
75f072c712d74c3d13e1a50fd84a8c6682a392dff66a7cde2d52df48b56c801f5c85ed9360423725dfdb95ae8804be77e447712c9f63ce73dc86615053b07439

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe
MD5
6b20c4c980ba7f45686cc2026d414552

SHA1
d630f4f92716e5feb53834e7fa49bf8f297209b0

SHA256
ddcd4930b73a1b15ceac5649378b388d0bb16380633624a2d1e1e66971e3d017

SHA512
963f6a05eb3bba0fa0e2ce5a0bb571b163f647cebf4a907228a97ba629e91ada21a8dfa93db68c16d4385b69dc919c767e5760173c0f7549eb7257d076b74974

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe
MD5
6b20c4c980ba7f45686cc2026d414552

SHA1
d630f4f92716e5feb53834e7fa49bf8f297209b0

SHA256
ddcd4930b73a1b15ceac5649378b388d0bb16380633624a2d1e1e66971e3d017

SHA512
963f6a05eb3bba0fa0e2ce5a0bb571b163f647cebf4a907228a97ba629e91ada21a8dfa93db68c16d4385b69dc919c767e5760173c0f7549eb7257d076b74974

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe
MD5
6b20c4c980ba7f45686cc2026d414552

SHA1
d630f4f92716e5feb53834e7fa49bf8f297209b0

SHA256
ddcd4930b73a1b15ceac5649378b388d0bb16380633624a2d1e1e66971e3d017

SHA512
963f6a05eb3bba0fa0e2ce5a0bb571b163f647cebf4a907228a97ba629e91ada21a8dfa93db68c16d4385b69dc919c767e5760173c0f7549eb7257d076b74974

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe
MD5
6b20c4c980ba7f45686cc2026d414552

SHA1
d630f4f92716e5feb53834e7fa49bf8f297209b0

SHA256
ddcd4930b73a1b15ceac5649378b388d0bb16380633624a2d1e1e66971e3d017

SHA512
963f6a05eb3bba0fa0e2ce5a0bb571b163f647cebf4a907228a97ba629e91ada21a8dfa93db68c16d4385b69dc919c767e5760173c0f7549eb7257d076b74974

Download Submit
\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL
MD5
8ae60d14802fac0d5d8ddf4ab4e64cfd

SHA1
f8023b26304a891897b57c10a1d0bdec4f9c0d6a

SHA256
b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

SHA512
1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

Download Submit
\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL
MD5
8ae60d14802fac0d5d8ddf4ab4e64cfd

SHA1
f8023b26304a891897b57c10a1d0bdec4f9c0d6a

SHA256
b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

SHA512
1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

Download Submit
\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL
MD5
8ae60d14802fac0d5d8ddf4ab4e64cfd

SHA1
f8023b26304a891897b57c10a1d0bdec4f9c0d6a

SHA256
b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

SHA512
1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

Download Submit
\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL
MD5
8ae60d14802fac0d5d8ddf4ab4e64cfd

SHA1
f8023b26304a891897b57c10a1d0bdec4f9c0d6a

SHA256
b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

SHA512
1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

Download Submit
\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL
MD5
8ae60d14802fac0d5d8ddf4ab4e64cfd

SHA1
f8023b26304a891897b57c10a1d0bdec4f9c0d6a

SHA256
b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

SHA512
1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

Download Submit
\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL
MD5
8ae60d14802fac0d5d8ddf4ab4e64cfd

SHA1
f8023b26304a891897b57c10a1d0bdec4f9c0d6a

SHA256
b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

SHA512
1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

Download Submit
\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL
MD5
8ae60d14802fac0d5d8ddf4ab4e64cfd

SHA1
f8023b26304a891897b57c10a1d0bdec4f9c0d6a

SHA256
b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

SHA512
1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

Download Submit
\Users\Admin\AppData\Local\Temp\RCKUWW~1.DLL
MD5
8ae60d14802fac0d5d8ddf4ab4e64cfd

SHA1
f8023b26304a891897b57c10a1d0bdec4f9c0d6a

SHA256
b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

SHA512
1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

Download Submit
\Users\Admin\AppData\Local\Temp\nss5C25.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\rckuwwu.exe
MD5
d9ea6ec0c475886c9592632a19f3f493

SHA1
bb42517f68b681f1c44e5ba962a96fedd983e0f9

SHA256
0528a0d4968681cc528613572c65924d92c739056cf923af61c24ce5e323ed64

SHA512
d02609957977c136230ceb313567af4475d5ec45ed43b23af4d15392b984a8cc5b37f887975d752b21851bc9827670122260ff71735f0257a5e7aece43302aef

Download Submit
\Users\Admin\AppData\Local\Temp\rckuwwu.exe
MD5
d9ea6ec0c475886c9592632a19f3f493

SHA1
bb42517f68b681f1c44e5ba962a96fedd983e0f9

SHA256
0528a0d4968681cc528613572c65924d92c739056cf923af61c24ce5e323ed64

SHA512
d02609957977c136230ceb313567af4475d5ec45ed43b23af4d15392b984a8cc5b37f887975d752b21851bc9827670122260ff71735f0257a5e7aece43302aef

Download Submit
\Users\Admin\AppData\Local\Temp\rckuwwu.exe
MD5
d9ea6ec0c475886c9592632a19f3f493

SHA1
bb42517f68b681f1c44e5ba962a96fedd983e0f9

SHA256
0528a0d4968681cc528613572c65924d92c739056cf923af61c24ce5e323ed64

SHA512
d02609957977c136230ceb313567af4475d5ec45ed43b23af4d15392b984a8cc5b37f887975d752b21851bc9827670122260ff71735f0257a5e7aece43302aef

Download Submit
\Users\Admin\AppData\Local\Temp\rckuwwu.exe
MD5
d9ea6ec0c475886c9592632a19f3f493

SHA1
bb42517f68b681f1c44e5ba962a96fedd983e0f9

SHA256
0528a0d4968681cc528613572c65924d92c739056cf923af61c24ce5e323ed64

SHA512
d02609957977c136230ceb313567af4475d5ec45ed43b23af4d15392b984a8cc5b37f887975d752b21851bc9827670122260ff71735f0257a5e7aece43302aef

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-6.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\ssleay32.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
429ce6473dc95275e58d8a001bb4fe3b

SHA1
d7858ce5b3d65383062d3902c19d185c4dc0ee50

SHA256
181b42bb03fc3ec6fb72e5188ace7d399f0c416e177417c510483d76cabb3bdc

SHA512
de7c11c20d9591afec7ac5c8c5e4c97ad1be670aba08a51b36f9e414deb54417c5d9003fb5a55164108e803dc43e65b99a792c245fc35ce58234bc70c34b34ae

Download Submit
memory/320-71-0x000000000B710000-0x000000000B721000-memory.dmp

Filesize
68KB

Download
memory/320-72-0x000000000BB20000-0x000000000BB31000-memory.dmp

Filesize
68KB

Download
memory/320-63-0x0000000000000000-mapping.dmp

Download
memory/432-877-0x0000000000400000-0x0000000000B59000-memory.dmp

Filesize
7.3MB

Download
memory/432-874-0x0000000000400000-0x0000000000B59000-memory.dmp

Filesize
7.3MB

Download
memory/432-875-0x00000000004014C0-mapping.dmp

Download
memory/432-876-0x0000000000400000-0x0000000000B59000-memory.dmp

Filesize
7.3MB

Download
memory/548-26-0x0000000000000000-mapping.dmp

Download
memory/616-29-0x0000000000000000-mapping.dmp

Download
memory/800-190-0x0000000000000000-mapping.dmp

Download
memory/836-2-0x00000000024E0000-0x00000000024F1000-memory.dmp

Filesize
68KB

Download
memory/836-3-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1140-183-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/1140-170-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/1140-171-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1140-172-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1140-169-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1140-168-0x0000000072C40000-0x000000007332E000-memory.dmp

Filesize
6.9MB

Download
memory/1140-166-0x0000000000000000-mapping.dmp

Download
memory/1160-53-0x0000000000000000-mapping.dmp

Download
memory/1160-64-0x0000000004940000-0x0000000004951000-memory.dmp

Filesize
68KB

Download
memory/1160-70-0x0000000004D50000-0x0000000004D61000-memory.dmp

Filesize
68KB

Download
memory/1348-200-0x0000000000000000-mapping.dmp

Download
memory/1388-75-0x0000000000000000-mapping.dmp

Download
memory/1472-24-0x000007FEF7C70000-0x000007FEF7EEA000-memory.dmp

Filesize
2.5MB

Download
memory/1600-880-0x0000000000000000-mapping.dmp

Download
memory/1604-60-0x0000000005090000-0x00000000050A1000-memory.dmp

Filesize
68KB

Download
memory/1604-59-0x0000000004C80000-0x0000000004C91000-memory.dmp

Filesize
68KB

Download
memory/1604-46-0x0000000000000000-mapping.dmp

Download
memory/1620-204-0x0000000000080000-0x0000000000140000-memory.dmp

Filesize
768KB

Download
memory/1620-202-0x0000000000111C58-mapping.dmp

Download
memory/1620-201-0x0000000000080000-0x0000000000140000-memory.dmp

Filesize
768KB

Download
memory/1620-43-0x0000000000000000-mapping.dmp

Download
memory/2076-87-0x0000000004AE0000-0x0000000004AF1000-memory.dmp

Filesize
68KB

Download
memory/2076-80-0x0000000000000000-mapping.dmp

Download
memory/2076-88-0x0000000004EF0000-0x0000000004F01000-memory.dmp

Filesize
68KB

Download
memory/2260-90-0x0000000000000000-mapping.dmp

Download
memory/2268-184-0x0000000000000000-mapping.dmp

Download
memory/2300-192-0x0000000000000000-mapping.dmp

Download
memory/2300-91-0x0000000000000000-mapping.dmp

Download
memory/2304-193-0x0000000000000000-mapping.dmp

Download
memory/2372-879-0x0000000000000000-mapping.dmp

Download
memory/2388-94-0x0000000000000000-mapping.dmp

Download
memory/2416-99-0x0000000000000000-mapping.dmp

Download
memory/2416-98-0x0000000000000000-mapping.dmp

Download
memory/2416-103-0x0000000002F20000-0x0000000002F31000-memory.dmp

Filesize
68KB

Download
memory/2452-397-0x0000000003260000-0x0000000003271000-memory.dmp

Filesize
68KB

Download
memory/2452-230-0x0000000003260000-0x0000000003271000-memory.dmp

Filesize
68KB

Download
memory/2452-566-0x0000000003650000-0x0000000003661000-memory.dmp

Filesize
68KB

Download
memory/2452-564-0x0000000003650000-0x0000000003661000-memory.dmp

Filesize
68KB

Download
memory/2452-227-0x0000000064B40000-0x0000000064BBE000-memory.dmp

Filesize
504KB

Download
memory/2452-211-0x0000000000000000-mapping.dmp

Download
memory/2452-229-0x0000000002E50000-0x0000000002E61000-memory.dmp

Filesize
68KB

Download
memory/2452-398-0x0000000002E50000-0x0000000002E61000-memory.dmp

Filesize
68KB

Download
memory/2452-231-0x0000000002E50000-0x0000000002E61000-memory.dmp

Filesize
68KB

Download
memory/2452-396-0x0000000002E50000-0x0000000002E61000-memory.dmp

Filesize
68KB

Download
memory/2452-565-0x0000000003A60000-0x0000000003A71000-memory.dmp

Filesize
68KB

Download
memory/2496-110-0x00000000744B0000-0x0000000074653000-memory.dmp

Filesize
1.6MB

Download
memory/2496-104-0x0000000000000000-mapping.dmp

Download
memory/2496-111-0x0000000002580000-0x0000000002BE0000-memory.dmp

Filesize
6.4MB

Download
memory/2560-123-0x00000000027C0000-0x0000000002E20000-memory.dmp

Filesize
6.4MB

Download
memory/2560-131-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2560-122-0x0000000074450000-0x00000000745F3000-memory.dmp

Filesize
1.6MB

Download
memory/2560-135-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2560-117-0x0000000000000000-mapping.dmp

Download
memory/2560-134-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2560-130-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2560-186-0x00000000046A0000-0x00000000047A1000-memory.dmp

Filesize
1.0MB

Download
memory/2560-132-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2560-133-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2644-863-0x0000000000150000-0x0000000000210000-memory.dmp

Filesize
768KB

Download
memory/2644-861-0x00000000001E1C58-mapping.dmp

Download
memory/2644-860-0x0000000000150000-0x0000000000210000-memory.dmp

Filesize
768KB

Download
memory/2744-136-0x0000000000000000-mapping.dmp

Download
memory/2824-138-0x0000000000000000-mapping.dmp

Download
memory/2824-140-0x0000000002960000-0x0000000002964000-memory.dmp

Filesize
16KB

Download
memory/2936-141-0x0000000000000000-mapping.dmp

Download
memory/2936-142-0x0000000072EF0000-0x00000000735DE000-memory.dmp

Filesize
6.9MB

Download
memory/2936-143-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/2936-144-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/2936-145-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2936-146-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/2936-151-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/2936-156-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/2936-157-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/2936-164-0x0000000006430000-0x0000000006431000-memory.dmp

Filesize
4KB

Download
memory/2936-165-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download