cryptbot | 69057a29d94d0ae3e51c435df396178b093d057db5addcdb273dcd5aedc6e1ef

Analysis

max time kernel
151s
max time network
112s
platform
windows7_x64
resource
win7v20201028
submitted
03-12-2020 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

313f90db50cc3d4164b90d648b83cd75.exe
Size

671KB
MD5

313f90db50cc3d4164b90d648b83cd75
SHA1

f861f285705a4eb7ef51de27baef8dae05c36e15
SHA256

69057a29d94d0ae3e51c435df396178b093d057db5addcdb273dcd5aedc6e1ef
SHA512

cb0acb7106a328a83848812e85d7f998e5c0ef0780b4f0c20ab33cf046053202c265c40d7f68ee156d2ad4f80c114529ef8d8e793302d45991337a5cf37d1546

Score

10^/10

cryptbot xmrig discovery evasion miner spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/280-668-0x0000000000400000-0x0000000000B59000-memory.dmp	xmrig
behavioral1/memory/280-669-0x00000000004014C0-mapping.dmp	xmrig
behavioral1/memory/280-670-0x0000000000400000-0x0000000000B59000-memory.dmp	xmrig
behavioral1/memory/280-671-0x0000000000400000-0x0000000000B59000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

Processes:

WScript.exe

flow pid process

28 2880 WScript.exe
30 2880 WScript.exe
32 2880 WScript.exe
34 2880 WScript.exe
36 2880 WScript.exe
Downloads MZ/PE file

flow	pid	process
28	2880	WScript.exe
30	2880	WScript.exe
32	2880	WScript.exe
34	2880	WScript.exe
36	2880	WScript.exe

Executes dropped EXE 15 IoCs

Processes:

File2.exelvfuk.exe6las.exe4ger.exestartveu.exeSmartClock.exeCL_Debug_Log.txtssoujhvp.exeHelper.exeHelper.exeHelper.exetor.exeHelper.exeHelper.exeHelper.exe

pid	process
308	File2.exe
564	lvfuk.exe
748	6las.exe
820	4ger.exe
2144	startveu.exe
2228	SmartClock.exe
2524	CL_Debug_Log.txt
2820	ssoujhvp.exe
2980	Helper.exe
2988	Helper.exe
3016	Helper.exe
1368	tor.exe
2844	Helper.exe
2680	Helper.exe
2664	Helper.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4ger.exe6las.exestartveu.exeSmartClock.exelvfuk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4ger.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6las.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	startveu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lvfuk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lvfuk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	startveu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4ger.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6las.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

980 cmd.exe
Drops startup file 1 IoCs

Processes:

4ger.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4ger.exe

pid	process
980	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4ger.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

lvfuk.exe6las.exe4ger.exestartveu.exeSmartClock.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	lvfuk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	6las.exe
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	4ger.exe
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	startveu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	SmartClock.exe

Loads dropped DLL 49 IoCs

Processes:

313f90db50cc3d4164b90d648b83cd75.exeFile2.exelvfuk.exe6las.exe4ger.exestartveu.exeSmartClock.execmd.exessoujhvp.exerundll32.exeHelper.exetor.exe

pid	process
1408	313f90db50cc3d4164b90d648b83cd75.exe
308	File2.exe
308	File2.exe
308	File2.exe
308	File2.exe
308	File2.exe
564	lvfuk.exe
564	lvfuk.exe
308	File2.exe
308	File2.exe
748	6las.exe
748	6las.exe
748	6las.exe
308	File2.exe
308	File2.exe
820	4ger.exe
820	4ger.exe
820	4ger.exe
820	4ger.exe
308	File2.exe
308	File2.exe
2144	startveu.exe
2144	startveu.exe
2144	startveu.exe
820	4ger.exe
820	4ger.exe
2228	SmartClock.exe
2228	SmartClock.exe
2228	SmartClock.exe
2144	startveu.exe
2788	cmd.exe
2788	cmd.exe
2820	ssoujhvp.exe
2820	ssoujhvp.exe
2904	rundll32.exe
2904	rundll32.exe
2904	rundll32.exe
2904	rundll32.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
1368	tor.exe
1368	tor.exe
1368	tor.exe
1368	tor.exe
1368	tor.exe
1368	tor.exe
1368	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

lvfuk.exe4ger.exe6las.exestartveu.exeSmartClock.exe

pid process

564 lvfuk.exe
820 4ger.exe
748 6las.exe
2144 startveu.exe
2228 SmartClock.exe

flow	ioc
13	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

Helper.exe

description	pid	process	target process
PID 2980 set thread context of 3016	2980	Helper.exe	Helper.exe
PID 2980 set thread context of 2844	2980	Helper.exe	Helper.exe
PID 2980 set thread context of 280	2980	Helper.exe	attrib.exe

Drops file in Program Files directory 8 IoCs

Processes:

File2.exe

description	ioc	process
File created	C:\Program Files (x86)\solfer\Microsoft.IdentityServer.Web.Resources.dll	File2.exe
File created	C:\Program Files (x86)\solfer\4ger.exe	File2.exe
File created	C:\Program Files (x86)\solfer\6las.exe	File2.exe
File created	C:\Program Files (x86)\solfer\startveu.exe	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\msdasc.chm	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\msorcl32.chm	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\lvfuk.exe	File2.exe
File created	C:\Program Files (x86)\solfer\wiatrace.log	File2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

313f90db50cc3d4164b90d648b83cd75.exelvfuk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	313f90db50cc3d4164b90d648b83cd75.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	313f90db50cc3d4164b90d648b83cd75.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lvfuk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lvfuk.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2688 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1080 timeout.exe
2576 timeout.exe
2624 timeout.exe

pid	process
2688	schtasks.exe

pid	process
1080	timeout.exe
2576	timeout.exe
2624	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

lvfuk.exeWScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lvfuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lvfuk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

2228 SmartClock.exe

pid	process
2228	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lvfuk.exe4ger.exe6las.exestartveu.exeSmartClock.exeHelper.exetor.exe

pid	process
564	lvfuk.exe
820	4ger.exe
748	6las.exe
2144	startveu.exe
2228	SmartClock.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
1368	tor.exe
1368	tor.exe
2980	Helper.exe
1368	tor.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Helper.exe

pid process

2980 Helper.exe

pid	process
2980	Helper.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

CL_Debug_Log.txtHelper.exeHelper.exeattrib.exe

description	pid	process
Token: SeRestorePrivilege	2524	CL_Debug_Log.txt
Token: 35	2524	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2524	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2524	CL_Debug_Log.txt
Token: SeRestorePrivilege	3016	Helper.exe
Token: 35	3016	Helper.exe
Token: SeSecurityPrivilege	3016	Helper.exe
Token: SeSecurityPrivilege	3016	Helper.exe
Token: SeRestorePrivilege	2844	Helper.exe
Token: 35	2844	Helper.exe
Token: SeSecurityPrivilege	2844	Helper.exe
Token: SeSecurityPrivilege	2844	Helper.exe
Token: SeLockMemoryPrivilege	280	attrib.exe
Token: SeLockMemoryPrivilege	280	attrib.exe

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

313f90db50cc3d4164b90d648b83cd75.exestartveu.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
1408	313f90db50cc3d4164b90d648b83cd75.exe
1408	313f90db50cc3d4164b90d648b83cd75.exe
2144	startveu.exe
2144	startveu.exe
2144	startveu.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2988	Helper.exe
2988	Helper.exe
2988	Helper.exe
2680	Helper.exe
2680	Helper.exe
2680	Helper.exe
2664	Helper.exe
2664	Helper.exe
2664	Helper.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

startveu.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
2144	startveu.exe
2144	startveu.exe
2144	startveu.exe
2980	Helper.exe
2980	Helper.exe
2980	Helper.exe
2988	Helper.exe
2988	Helper.exe
2988	Helper.exe
2680	Helper.exe
2680	Helper.exe
2680	Helper.exe
2664	Helper.exe
2664	Helper.exe
2664	Helper.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

313f90db50cc3d4164b90d648b83cd75.exeFile2.execmd.exe4ger.exe6las.exe

description	pid	process	target process
PID 1408 wrote to memory of 308	1408	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 1408 wrote to memory of 308	1408	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 1408 wrote to memory of 308	1408	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 1408 wrote to memory of 308	1408	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 1408 wrote to memory of 308	1408	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 1408 wrote to memory of 308	1408	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 1408 wrote to memory of 308	1408	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 1408 wrote to memory of 980	1408	313f90db50cc3d4164b90d648b83cd75.exe	cmd.exe
PID 1408 wrote to memory of 980	1408	313f90db50cc3d4164b90d648b83cd75.exe	cmd.exe
PID 1408 wrote to memory of 980	1408	313f90db50cc3d4164b90d648b83cd75.exe	cmd.exe
PID 1408 wrote to memory of 980	1408	313f90db50cc3d4164b90d648b83cd75.exe	cmd.exe
PID 308 wrote to memory of 564	308	File2.exe	lvfuk.exe
PID 308 wrote to memory of 564	308	File2.exe	lvfuk.exe
PID 308 wrote to memory of 564	308	File2.exe	lvfuk.exe
PID 308 wrote to memory of 564	308	File2.exe	lvfuk.exe
PID 308 wrote to memory of 564	308	File2.exe	lvfuk.exe
PID 308 wrote to memory of 564	308	File2.exe	lvfuk.exe
PID 308 wrote to memory of 564	308	File2.exe	lvfuk.exe
PID 980 wrote to memory of 1080	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 1080	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 1080	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 1080	980	cmd.exe	timeout.exe
PID 308 wrote to memory of 748	308	File2.exe	6las.exe
PID 308 wrote to memory of 748	308	File2.exe	6las.exe
PID 308 wrote to memory of 748	308	File2.exe	6las.exe
PID 308 wrote to memory of 748	308	File2.exe	6las.exe
PID 308 wrote to memory of 748	308	File2.exe	6las.exe
PID 308 wrote to memory of 748	308	File2.exe	6las.exe
PID 308 wrote to memory of 748	308	File2.exe	6las.exe
PID 308 wrote to memory of 820	308	File2.exe	4ger.exe
PID 308 wrote to memory of 820	308	File2.exe	4ger.exe
PID 308 wrote to memory of 820	308	File2.exe	4ger.exe
PID 308 wrote to memory of 820	308	File2.exe	4ger.exe
PID 308 wrote to memory of 820	308	File2.exe	4ger.exe
PID 308 wrote to memory of 820	308	File2.exe	4ger.exe
PID 308 wrote to memory of 820	308	File2.exe	4ger.exe
PID 308 wrote to memory of 2144	308	File2.exe	startveu.exe
PID 308 wrote to memory of 2144	308	File2.exe	startveu.exe
PID 308 wrote to memory of 2144	308	File2.exe	startveu.exe
PID 308 wrote to memory of 2144	308	File2.exe	startveu.exe
PID 308 wrote to memory of 2144	308	File2.exe	startveu.exe
PID 308 wrote to memory of 2144	308	File2.exe	startveu.exe
PID 308 wrote to memory of 2144	308	File2.exe	startveu.exe
PID 820 wrote to memory of 2228	820	4ger.exe	SmartClock.exe
PID 820 wrote to memory of 2228	820	4ger.exe	SmartClock.exe
PID 820 wrote to memory of 2228	820	4ger.exe	SmartClock.exe
PID 820 wrote to memory of 2228	820	4ger.exe	SmartClock.exe
PID 820 wrote to memory of 2228	820	4ger.exe	SmartClock.exe
PID 820 wrote to memory of 2228	820	4ger.exe	SmartClock.exe
PID 820 wrote to memory of 2228	820	4ger.exe	SmartClock.exe
PID 748 wrote to memory of 2492	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2492	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2492	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2492	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2492	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2492	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2492	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2536	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2536	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2536	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2536	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2536	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2536	748	6las.exe	cmd.exe
PID 748 wrote to memory of 2536	748	6las.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

280 attrib.exe

pid	process
280	attrib.exe

C:\Users\Admin\AppData\Local\Temp\313f90db50cc3d4164b90d648b83cd75.exe
"C:\Users\Admin\AppData\Local\Temp\313f90db50cc3d4164b90d648b83cd75.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\File2.exe
  "C:\Users\Admin\AppData\Local\Temp\File2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Program Files (x86)\solfer\boleroh\lvfuk.exe
    "C:\Program Files (x86)\solfer\boleroh\lvfuk.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ssoujhvp.exe"
      4⤵
      Loads dropped DLL
      PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\ssoujhvp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ssoujhvp.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2820
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SSOUJH~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\ssoujhvp.exe
        6⤵
        Loads dropped DLL
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\rjoviybjtpkn.vbs"
      4⤵
      PID:2800
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rjoviybjtpkn.vbs"
        5⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:2880
- - C:\Program Files (x86)\solfer\6las.exe
    "C:\Program Files (x86)\solfer\6las.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ebxahtgsydywp & timeout 2 & del /f /q "C:\Program Files (x86)\solfer\6las.exe"
      4⤵
      PID:2492
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ebxahtgsydywp & timeout 2 & del /f /q "C:\Program Files (x86)\solfer\6las.exe"
      4⤵
      PID:2536
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2624
- - C:\Program Files (x86)\solfer\4ger.exe
    "C:\Program Files (x86)\solfer\4ger.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      PID:2228
- - C:\Program Files (x86)\solfer\startveu.exe
    "C:\Program Files (x86)\solfer\startveu.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        5⤵
        Creates scheduled task(s)
        
        PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\UQVNKLsrA5 & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\313f90db50cc3d4164b90d648b83cd75.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1080

C:\Windows\system32\taskeng.exe
taskeng.exe {AB1A6BCA-77F6-4920-B2E3-BE6DE820EC51} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
1⤵
PID:2944
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2988
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2980
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1368
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\attrib.exe
    -o stratum+tcp://Nipan.hk:8888 -u 0001 -p x -t 1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Views/modifies file attributes
    PID:280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2680
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\solfer\4ger.exe

MD5
1b482bf0134c52d93039eb961d2e8077

SHA1
98488275e5ebd98bc53327956670521cf33f6d22

SHA256
86c95550820bf9627e81f256652d482e07f0cfb40504cd319727953197448fd7

SHA512
22bfcc05e1ccc8e7ce84598ba7cdfbca143971b5d48b55636b3d794b21483bc948977f5686ce2add1c416f5241908fcacbba96d8ced8cc074605dd6e778f9952

Download Submit
C:\Program Files (x86)\solfer\4ger.exe

Download Submit
C:\Program Files (x86)\solfer\6las.exe

Download Submit
C:\Program Files (x86)\solfer\6las.exe

MD5
cf3de7cc91e95a144227364f30736911

SHA1
4b9373d0dea078c5a86b6c9258d86f49bb3d8ac4

SHA256
5526d3dfc1a497cca23c282a2db8a9ae275fa481ef027f2b5752aaea504d6bbe

SHA512
a73c67740f27cab24939474ff55d603fdb2d749d3f868605d305b836256e27ed5f9eb104925d6d32a77eb8de94ec286745b7cd94497cb78ef8c603d74735d3bb

Download Submit
C:\Program Files (x86)\solfer\boleroh\lvfuk.exe

MD5
64a76236492b14194d6bc86d85d94259

SHA1
b6e3f70b2c30b45353f5a98ce6aed407b89dd9f1

SHA256
23192ee63ad9c1159acf200c6d51f7b92e74a980630f25a02df23b8e7abf6521

SHA512
c94f00e6fe7f6d1c1d96d97d6b91c4c49f404bdac2db3e06fb19116a5091fee88408f202aca0af57a3bbfdb47451469f83ac58bfeddad4475bf586ff0f81448e

Download Submit
C:\Program Files (x86)\solfer\boleroh\lvfuk.exe

MD5
64a76236492b14194d6bc86d85d94259

SHA1
b6e3f70b2c30b45353f5a98ce6aed407b89dd9f1

SHA256
23192ee63ad9c1159acf200c6d51f7b92e74a980630f25a02df23b8e7abf6521

SHA512
c94f00e6fe7f6d1c1d96d97d6b91c4c49f404bdac2db3e06fb19116a5091fee88408f202aca0af57a3bbfdb47451469f83ac58bfeddad4475bf586ff0f81448e

Download Submit
C:\Program Files (x86)\solfer\startveu.exe

Download Submit
C:\Program Files (x86)\solfer\startveu.exe

Download Submit
C:\ProgramData\ebxahtgsydywp\46173476.txt

Download Submit
C:\ProgramData\ebxahtgsydywp\8372422.txt

Download Submit
C:\ProgramData\ebxahtgsydywp\Files\_INFOR~1.TXT

Download Submit
C:\ProgramData\ebxahtgsydywp\NL_202~1.ZIP

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\File2.exe

MD5
810e25cc339feaae512e60b98da0a8fc

SHA1
46947273eecf22ab2b47492c5691b8297f564781

SHA256
d572f5ea3a8bb203dbb26c62bcbffbfbfc3e285560893135eebbf227f124e488

SHA512
b236ae60cc04d2c60c2944b70a3bea895ee106b2591838b1a450a2f0dc4898d4e2df768837041e508ec0ecc1242c3317b633f1f00ad927326718f5e0763e6394

Download Submit
C:\Users\Admin\AppData\Local\Temp\File2.exe

MD5
810e25cc339feaae512e60b98da0a8fc

SHA1
46947273eecf22ab2b47492c5691b8297f564781

SHA256
d572f5ea3a8bb203dbb26c62bcbffbfbfc3e285560893135eebbf227f124e488

SHA512
b236ae60cc04d2c60c2944b70a3bea895ee106b2591838b1a450a2f0dc4898d4e2df768837041e508ec0ecc1242c3317b633f1f00ad927326718f5e0763e6394

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSOUJH~1.DLL

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQVNKLsrA5\CMNREQ~1.ZIP

MD5
29c3b6838e85e970e5e7b16314d334d4

SHA1
c47736d3d1b636a164919b3513160883930c6d5b

SHA256
6c9cae97fa0a33804997f2b3531d1070c3864d83674871e4a7df3646a2628f18

SHA512
6a82c35b471aed11b0aa648513b9692d477f7118ace9d6a309ada4989b6c7d78b8e777c37f86ba6d2064260c3aba3904cf41fb601299e7b25b93df2513cec2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQVNKLsrA5\FIUOAK~1.ZIP

MD5
2a363b6cfd88aae9a34bb2888f04c23f

SHA1
030e57267e6838ab1b0ee859c93b295251ba96e3

SHA256
8cf8b060823de79ba2c3e3b473bb41eca1649ca8636d12703091c30ff3492c93

SHA512
b39d240ffc0539ad3d72ca6d6b155a92c393cbb6f9d1702750abdba771b9bca36d7000213d3bc0990a3d2eb995247f0104e7a36e9b60f9241b21993998639687

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQVNKLsrA5\_Files\_Files\DISABL~1.TXT

MD5
5c18e5ff2ea51f20e99e059aad8a03a5

SHA1
d1d6851ac3b3560f2b87986608cf89f6f34ff01c

SHA256
cf3e25ddb334af566fd1148eea16a578c45d81ab9dbf283302d858d2c5549bed

SHA512
e83c8bb06bb57f150d2d5e320c326c37203a58ebfb63b0667e3d62ea28f8415a2575907a0cb2609887b8cede7c7355a2a0696ce02b4a76620ae3fb9d9016f712

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQVNKLsrA5\_Files\_INFOR~1.TXT

MD5
1f4c5f83ed5aa5d0f9a0e8d4929359b9

SHA1
ec157bae3851c52c4a4ec04c9f00a27694d1a902

SHA256
8782c33b42b1d0e24498596f5da641baa83f8fe0951b7cf85d64d74cca058021

SHA512
5ed154bf503772fffeaed5a0ef9d6c5a8fb64deab8686f8502996abab70bd0962b1d8719729e67b7abbd07437a2525fd9e3e7e493ae71dff1b2c34e97c792a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQVNKLsrA5\_Files\_SCREE~1.JPE

MD5
9b9a98e0b9f84f63de6a97c31c335507

SHA1
25f3a7f7f87432a8ad963800890d8a66af22d403

SHA256
46462bd7851b3019e31d432a1b8f6addd168c84f5e9c146d6adddef9f3a0a621

SHA512
2bc63be90697bc191460538dd74a26179bec413acaac5b435f598265a3cdeabcb09e7443694cb445de95e2e0ecf4a66f827470e6c471cad896c9e3210371d13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQVNKLsrA5\files_\SCREEN~1.JPG

MD5
9b9a98e0b9f84f63de6a97c31c335507

SHA1
25f3a7f7f87432a8ad963800890d8a66af22d403

SHA256
46462bd7851b3019e31d432a1b8f6addd168c84f5e9c146d6adddef9f3a0a621

SHA512
2bc63be90697bc191460538dd74a26179bec413acaac5b435f598265a3cdeabcb09e7443694cb445de95e2e0ecf4a66f827470e6c471cad896c9e3210371d13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQVNKLsrA5\files_\SYSTEM~1.TXT

MD5
2cac18ab000a42116fcf338855797477

SHA1
90823a81339bba4e42bd8fc965337343d29f6b3f

SHA256
8dac433f5903be0bb2293cc3c4efc6409397da2417192830c471e1b223c872ba

SHA512
8e1b524cd9b285ddd7ef4a421073ca8ccc43d7e01c129f781a1b2f57947d21f7167af21a5e57dbf63575ece1a398d16f8c1a2c60ae6c8db34a99b3927375f79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQVNKLsrA5\files_\files\DISABL~1.TXT

MD5
5c18e5ff2ea51f20e99e059aad8a03a5

SHA1
d1d6851ac3b3560f2b87986608cf89f6f34ff01c

SHA256
cf3e25ddb334af566fd1148eea16a578c45d81ab9dbf283302d858d2c5549bed

SHA512
e83c8bb06bb57f150d2d5e320c326c37203a58ebfb63b0667e3d62ea28f8415a2575907a0cb2609887b8cede7c7355a2a0696ce02b4a76620ae3fb9d9016f712

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjoviybjtpkn.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssoujhvp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssoujhvp.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\LIBEAY32.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\SSLEAY32.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-6.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-6.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-6.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_sjlj-1.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgmp-10.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
\Program Files (x86)\solfer\4ger.exe

MD5
1b482bf0134c52d93039eb961d2e8077

SHA1
98488275e5ebd98bc53327956670521cf33f6d22

SHA256
86c95550820bf9627e81f256652d482e07f0cfb40504cd319727953197448fd7

SHA512
22bfcc05e1ccc8e7ce84598ba7cdfbca143971b5d48b55636b3d794b21483bc948977f5686ce2add1c416f5241908fcacbba96d8ced8cc074605dd6e778f9952

Download Submit
\Program Files (x86)\solfer\4ger.exe

MD5
1b482bf0134c52d93039eb961d2e8077

SHA1
98488275e5ebd98bc53327956670521cf33f6d22

SHA256
86c95550820bf9627e81f256652d482e07f0cfb40504cd319727953197448fd7

SHA512
22bfcc05e1ccc8e7ce84598ba7cdfbca143971b5d48b55636b3d794b21483bc948977f5686ce2add1c416f5241908fcacbba96d8ced8cc074605dd6e778f9952

Download Submit
\Program Files (x86)\solfer\4ger.exe

Download Submit
\Program Files (x86)\solfer\4ger.exe

Download Submit
\Program Files (x86)\solfer\4ger.exe

MD5
1b482bf0134c52d93039eb961d2e8077

SHA1
98488275e5ebd98bc53327956670521cf33f6d22

SHA256
86c95550820bf9627e81f256652d482e07f0cfb40504cd319727953197448fd7

SHA512
22bfcc05e1ccc8e7ce84598ba7cdfbca143971b5d48b55636b3d794b21483bc948977f5686ce2add1c416f5241908fcacbba96d8ced8cc074605dd6e778f9952

Download Submit
\Program Files (x86)\solfer\6las.exe

MD5
cf3de7cc91e95a144227364f30736911

SHA1
4b9373d0dea078c5a86b6c9258d86f49bb3d8ac4

SHA256
5526d3dfc1a497cca23c282a2db8a9ae275fa481ef027f2b5752aaea504d6bbe

SHA512
a73c67740f27cab24939474ff55d603fdb2d749d3f868605d305b836256e27ed5f9eb104925d6d32a77eb8de94ec286745b7cd94497cb78ef8c603d74735d3bb

Download Submit
\Program Files (x86)\solfer\6las.exe

MD5
cf3de7cc91e95a144227364f30736911

SHA1
4b9373d0dea078c5a86b6c9258d86f49bb3d8ac4

SHA256
5526d3dfc1a497cca23c282a2db8a9ae275fa481ef027f2b5752aaea504d6bbe

SHA512
a73c67740f27cab24939474ff55d603fdb2d749d3f868605d305b836256e27ed5f9eb104925d6d32a77eb8de94ec286745b7cd94497cb78ef8c603d74735d3bb

Download Submit
\Program Files (x86)\solfer\6las.exe

MD5
cf3de7cc91e95a144227364f30736911

SHA1
4b9373d0dea078c5a86b6c9258d86f49bb3d8ac4

SHA256
5526d3dfc1a497cca23c282a2db8a9ae275fa481ef027f2b5752aaea504d6bbe

SHA512
a73c67740f27cab24939474ff55d603fdb2d749d3f868605d305b836256e27ed5f9eb104925d6d32a77eb8de94ec286745b7cd94497cb78ef8c603d74735d3bb

Download Submit
\Program Files (x86)\solfer\6las.exe

MD5
cf3de7cc91e95a144227364f30736911

SHA1
4b9373d0dea078c5a86b6c9258d86f49bb3d8ac4

SHA256
5526d3dfc1a497cca23c282a2db8a9ae275fa481ef027f2b5752aaea504d6bbe

SHA512
a73c67740f27cab24939474ff55d603fdb2d749d3f868605d305b836256e27ed5f9eb104925d6d32a77eb8de94ec286745b7cd94497cb78ef8c603d74735d3bb

Download Submit
\Program Files (x86)\solfer\6las.exe

MD5
cf3de7cc91e95a144227364f30736911

SHA1
4b9373d0dea078c5a86b6c9258d86f49bb3d8ac4

SHA256
5526d3dfc1a497cca23c282a2db8a9ae275fa481ef027f2b5752aaea504d6bbe

SHA512
a73c67740f27cab24939474ff55d603fdb2d749d3f868605d305b836256e27ed5f9eb104925d6d32a77eb8de94ec286745b7cd94497cb78ef8c603d74735d3bb

Download Submit
\Program Files (x86)\solfer\boleroh\lvfuk.exe

MD5
64a76236492b14194d6bc86d85d94259

SHA1
b6e3f70b2c30b45353f5a98ce6aed407b89dd9f1

SHA256
23192ee63ad9c1159acf200c6d51f7b92e74a980630f25a02df23b8e7abf6521

SHA512
c94f00e6fe7f6d1c1d96d97d6b91c4c49f404bdac2db3e06fb19116a5091fee88408f202aca0af57a3bbfdb47451469f83ac58bfeddad4475bf586ff0f81448e

Download Submit
\Program Files (x86)\solfer\boleroh\lvfuk.exe

MD5
64a76236492b14194d6bc86d85d94259

SHA1
b6e3f70b2c30b45353f5a98ce6aed407b89dd9f1

SHA256
23192ee63ad9c1159acf200c6d51f7b92e74a980630f25a02df23b8e7abf6521

SHA512
c94f00e6fe7f6d1c1d96d97d6b91c4c49f404bdac2db3e06fb19116a5091fee88408f202aca0af57a3bbfdb47451469f83ac58bfeddad4475bf586ff0f81448e

Download Submit
\Program Files (x86)\solfer\boleroh\lvfuk.exe

MD5
64a76236492b14194d6bc86d85d94259

SHA1
b6e3f70b2c30b45353f5a98ce6aed407b89dd9f1

SHA256
23192ee63ad9c1159acf200c6d51f7b92e74a980630f25a02df23b8e7abf6521

SHA512
c94f00e6fe7f6d1c1d96d97d6b91c4c49f404bdac2db3e06fb19116a5091fee88408f202aca0af57a3bbfdb47451469f83ac58bfeddad4475bf586ff0f81448e

Download Submit
\Program Files (x86)\solfer\startveu.exe

Download Submit
\Program Files (x86)\solfer\startveu.exe

Download Submit
\Program Files (x86)\solfer\startveu.exe

Download Submit
\Program Files (x86)\solfer\startveu.exe

Download Submit
\Program Files (x86)\solfer\startveu.exe

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe

MD5
810e25cc339feaae512e60b98da0a8fc

SHA1
46947273eecf22ab2b47492c5691b8297f564781

SHA256
d572f5ea3a8bb203dbb26c62bcbffbfbfc3e285560893135eebbf227f124e488

SHA512
b236ae60cc04d2c60c2944b70a3bea895ee106b2591838b1a450a2f0dc4898d4e2df768837041e508ec0ecc1242c3317b633f1f00ad927326718f5e0763e6394

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe

MD5
810e25cc339feaae512e60b98da0a8fc

SHA1
46947273eecf22ab2b47492c5691b8297f564781

SHA256
d572f5ea3a8bb203dbb26c62bcbffbfbfc3e285560893135eebbf227f124e488

SHA512
b236ae60cc04d2c60c2944b70a3bea895ee106b2591838b1a450a2f0dc4898d4e2df768837041e508ec0ecc1242c3317b633f1f00ad927326718f5e0763e6394

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe

MD5
810e25cc339feaae512e60b98da0a8fc

SHA1
46947273eecf22ab2b47492c5691b8297f564781

SHA256
d572f5ea3a8bb203dbb26c62bcbffbfbfc3e285560893135eebbf227f124e488

SHA512
b236ae60cc04d2c60c2944b70a3bea895ee106b2591838b1a450a2f0dc4898d4e2df768837041e508ec0ecc1242c3317b633f1f00ad927326718f5e0763e6394

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe

MD5
810e25cc339feaae512e60b98da0a8fc

SHA1
46947273eecf22ab2b47492c5691b8297f564781

SHA256
d572f5ea3a8bb203dbb26c62bcbffbfbfc3e285560893135eebbf227f124e488

SHA512
b236ae60cc04d2c60c2944b70a3bea895ee106b2591838b1a450a2f0dc4898d4e2df768837041e508ec0ecc1242c3317b633f1f00ad927326718f5e0763e6394

Download Submit
\Users\Admin\AppData\Local\Temp\SSOUJH~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\SSOUJH~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\SSOUJH~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\SSOUJH~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB952.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\ssoujhvp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ssoujhvp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ssoujhvp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ssoujhvp.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-6.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\ssleay32.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
memory/280-671-0x0000000000400000-0x0000000000B59000-memory.dmp

Filesize
7.3MB

Download
memory/280-670-0x0000000000400000-0x0000000000B59000-memory.dmp

Filesize
7.3MB

Download
memory/280-669-0x00000000004014C0-mapping.dmp

Download
memory/280-668-0x0000000000400000-0x0000000000B59000-memory.dmp

Filesize
7.3MB

Download
memory/308-6-0x0000000000000000-mapping.dmp

Download
memory/564-40-0x0000000004540000-0x0000000004551000-memory.dmp

Filesize
68KB

Download
memory/564-18-0x0000000000000000-mapping.dmp

Download
memory/564-42-0x0000000004950000-0x0000000004961000-memory.dmp

Filesize
68KB

Download
memory/748-53-0x0000000004E40000-0x0000000004E51000-memory.dmp

Filesize
68KB

Download
memory/748-52-0x0000000004A30000-0x0000000004A41000-memory.dmp

Filesize
68KB

Download
memory/748-34-0x0000000000000000-mapping.dmp

Download
memory/820-50-0x0000000004B60000-0x0000000004B71000-memory.dmp

Filesize
68KB

Download
memory/820-44-0x0000000000000000-mapping.dmp

Download
memory/820-51-0x0000000004F70000-0x0000000004F81000-memory.dmp

Filesize
68KB

Download
memory/980-9-0x0000000000000000-mapping.dmp

Download
memory/1080-27-0x0000000000000000-mapping.dmp

Download
memory/1368-143-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1368-311-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1368-360-0x0000000003C00000-0x0000000003C11000-memory.dmp

Filesize
68KB

Download
memory/1368-361-0x00000000037F0000-0x0000000003801000-memory.dmp

Filesize
68KB

Download
memory/1368-310-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1368-141-0x0000000064B40000-0x0000000064BBE000-memory.dmp

Filesize
504KB

Download
memory/1368-309-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1368-142-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1368-125-0x0000000000000000-mapping.dmp

Download
memory/1368-144-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1368-359-0x00000000037F0000-0x0000000003801000-memory.dmp

Filesize
68KB

Download
memory/1408-2-0x0000000002580000-0x0000000002591000-memory.dmp

Filesize
68KB

Download
memory/1408-3-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1724-4-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download
memory/2144-72-0x000000000B1C0000-0x000000000B1D1000-memory.dmp

Filesize
68KB

Download
memory/2144-71-0x000000000ADB0000-0x000000000ADC1000-memory.dmp

Filesize
68KB

Download
memory/2144-57-0x0000000000000000-mapping.dmp

Download
memory/2228-74-0x0000000004FF0000-0x0000000005001000-memory.dmp

Filesize
68KB

Download
memory/2228-73-0x0000000004BE0000-0x0000000004BF1000-memory.dmp

Filesize
68KB

Download
memory/2228-65-0x0000000000000000-mapping.dmp

Download
memory/2492-75-0x0000000000000000-mapping.dmp

Download
memory/2524-78-0x0000000000000000-mapping.dmp

Download
memory/2536-77-0x0000000000000000-mapping.dmp

Download
memory/2576-83-0x0000000000000000-mapping.dmp

Download
memory/2624-85-0x0000000000000000-mapping.dmp

Download
memory/2660-89-0x0000000000000000-mapping.dmp

Download
memory/2664-672-0x0000000000000000-mapping.dmp

Download
memory/2680-673-0x0000000000000000-mapping.dmp

Download
memory/2688-90-0x0000000000000000-mapping.dmp

Download
memory/2788-93-0x0000000000000000-mapping.dmp

Download
memory/2800-354-0x0000000000000000-mapping.dmp

Download
memory/2820-97-0x0000000000000000-mapping.dmp

Download
memory/2820-98-0x0000000000000000-mapping.dmp

Download
memory/2820-102-0x00000000026C0000-0x0000000002A8B000-memory.dmp

Filesize
3.8MB

Download
memory/2820-103-0x0000000002A90000-0x0000000002AA1000-memory.dmp

Filesize
68KB

Download
memory/2844-657-0x0000000000080000-0x0000000000140000-memory.dmp

Filesize
768KB

Download
memory/2844-654-0x0000000000080000-0x0000000000140000-memory.dmp

Filesize
768KB

Download
memory/2844-655-0x0000000000111C58-mapping.dmp

Download
memory/2880-357-0x0000000000000000-mapping.dmp

Download
memory/2880-424-0x0000000002970000-0x0000000002974000-memory.dmp

Filesize
16KB

Download
memory/2904-104-0x0000000000000000-mapping.dmp

Download
memory/2980-112-0x0000000000000000-mapping.dmp

Download
memory/2988-111-0x0000000000000000-mapping.dmp

Download
memory/3016-115-0x0000000000820000-0x00000000008E0000-memory.dmp

Filesize
768KB

Download
memory/3016-116-0x00000000008B1C58-mapping.dmp

Download
memory/3016-118-0x0000000000820000-0x00000000008E0000-memory.dmp

Filesize
768KB

Download