cryptbot | ada1c5359c35e6b70c5a2d5533f9d725f86a1e155c8486bfd2941c9b40478ea2

Analysis

max time kernel
146s
max time network
143s
platform
windows7_x64
resource
win7v20201028
submitted
03-12-2020 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2626e0990d2db399b35b6e357fd53ed1.exe
Size

548KB
MD5

2626e0990d2db399b35b6e357fd53ed1
SHA1

28cc3944167b0da48c4e81333e08b5c80244c572
SHA256

ada1c5359c35e6b70c5a2d5533f9d725f86a1e155c8486bfd2941c9b40478ea2
SHA512

7b741f662f70e78f9a7094b0892e93fba461f992ac938f922379179e365b4ecdeaf8fc7996f6da9aa44e52d5f815ffacbe17d425545da605d89845183938f2f1

Score

10^/10

cryptbot danabot 3 banker discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

23.254.215.116:443

104.227.34.227:443

23.254.118.230:443

51.195.73.129:443

Attributes

embedded_hash
4A3DA3F8025592B0C9FF1DB7E462C9FA

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 6 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

24 2740 RUNDLL32.EXE
27 2892 WScript.exe
29 2892 WScript.exe
31 2892 WScript.exe
33 2892 WScript.exe
35 2892 WScript.exe
Downloads MZ/PE file

flow	pid	process
24	2740	RUNDLL32.EXE
27	2892	WScript.exe
29	2892	WScript.exe
31	2892	WScript.exe
33	2892	WScript.exe
35	2892	WScript.exe

Executes dropped EXE 13 IoCs

Processes:

File2.exelvloa.exe6owe.exe4aer.exestartnat.exeSmartClock.exeCL_Debug_Log.txtwrgeqcmnju.exeHelper.exeHelper.exeHelper.exetor.exeHelper.exe

pid	process
1848	File2.exe
1256	lvloa.exe
1060	6owe.exe
936	4aer.exe
1392	startnat.exe
1556	SmartClock.exe
2296	CL_Debug_Log.txt
2644	wrgeqcmnju.exe
2036	Helper.exe
1996	Helper.exe
1440	Helper.exe
2396	tor.exe
1156	Helper.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lvloa.exe6owe.exe4aer.exestartnat.exeSmartClock.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lvloa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6owe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4aer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4aer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	startnat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	startnat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lvloa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6owe.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

776 cmd.exe
Drops startup file 1 IoCs

Processes:

4aer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4aer.exe

pid	process
776	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4aer.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4aer.exestartnat.exeSmartClock.exelvloa.exe6owe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine	4aer.exe
Key opened	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine	startnat.exe
Key opened	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine	SmartClock.exe
Key opened	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine	lvloa.exe
Key opened	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine	6owe.exe

Loads dropped DLL 53 IoCs

Processes:

2626e0990d2db399b35b6e357fd53ed1.exeFile2.exelvloa.exe6owe.exe4aer.exestartnat.exeSmartClock.execmd.exewrgeqcmnju.exerundll32.exeRUNDLL32.EXEHelper.exetor.exe

pid	process
1824	2626e0990d2db399b35b6e357fd53ed1.exe
1848	File2.exe
1848	File2.exe
1848	File2.exe
1848	File2.exe
1848	File2.exe
1256	lvloa.exe
1256	lvloa.exe
1848	File2.exe
1848	File2.exe
1060	6owe.exe
1060	6owe.exe
1060	6owe.exe
1848	File2.exe
1848	File2.exe
936	4aer.exe
936	4aer.exe
936	4aer.exe
936	4aer.exe
1848	File2.exe
1848	File2.exe
1392	startnat.exe
1392	startnat.exe
1392	startnat.exe
936	4aer.exe
936	4aer.exe
1556	SmartClock.exe
1556	SmartClock.exe
1556	SmartClock.exe
1392	startnat.exe
2616	cmd.exe
2616	cmd.exe
2644	wrgeqcmnju.exe
2644	wrgeqcmnju.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2740	RUNDLL32.EXE
2740	RUNDLL32.EXE
2740	RUNDLL32.EXE
2740	RUNDLL32.EXE
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2396	tor.exe
2396	tor.exe
2396	tor.exe
2396	tor.exe
2396	tor.exe
2396	tor.exe
2396	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6O9TWDTA\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	RUNDLL32.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

lvloa.exe4aer.exe6owe.exestartnat.exeSmartClock.exe

pid process

1256 lvloa.exe
936 4aer.exe
1060 6owe.exe
1392 startnat.exe
1556 SmartClock.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Helper.exe

description pid process target process

PID 2036 set thread context of 1440 2036 Helper.exe Helper.exe

flow	ioc
11	ip-api.com

description	pid	process	target process
PID 2036 set thread context of 1440	2036	Helper.exe	Helper.exe

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\32.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\64.exe	autoit_exe

Drops file in Program Files directory 10 IoCs

Processes:

File2.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Program Files (x86)\solfer\wiatrace.log	File2.exe
File created	C:\Program Files (x86)\solfer\4aer.exe	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\msorcl32.chm	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\lvloa.exe	File2.exe
File opened for modification	C:\Program Files (x86)\solfer\boleroh\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\solfer\Microsoft.IdentityServer.Web.Resources.dll	File2.exe
File created	C:\Program Files (x86)\solfer\6owe.exe	File2.exe
File created	C:\Program Files (x86)\solfer\startnat.exe	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\msdasc.chm	File2.exe
File opened for modification	C:\Program Files (x86)\solfer\boleroh\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE2626e0990d2db399b35b6e357fd53ed1.exelvloa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2626e0990d2db399b35b6e357fd53ed1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2626e0990d2db399b35b6e357fd53ed1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lvloa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lvloa.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2552 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1660 timeout.exe
2364 timeout.exe
2484 timeout.exe

pid	process
2552	schtasks.exe

pid	process
1660	timeout.exe
2364	timeout.exe
2484	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

lvloa.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lvloa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lvloa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1556 SmartClock.exe

pid	process
1556	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

lvloa.exe6owe.exe4aer.exestartnat.exeSmartClock.exepowershell.exeHelper.exeRUNDLL32.EXEpowershell.exetor.exe

pid	process
1256	lvloa.exe
1060	6owe.exe
936	4aer.exe
1392	startnat.exe
1556	SmartClock.exe
616	powershell.exe
616	powershell.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
2740	RUNDLL32.EXE
2740	RUNDLL32.EXE
2312	powershell.exe
2312	powershell.exe
2036	Helper.exe
2396	tor.exe
2396	tor.exe
2396	tor.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

CL_Debug_Log.txtrundll32.exeRUNDLL32.EXEpowershell.exeHelper.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	2296	CL_Debug_Log.txt
Token: 35	2296	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2296	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2296	CL_Debug_Log.txt
Token: SeDebugPrivilege	2696	rundll32.exe
Token: SeDebugPrivilege	2740	RUNDLL32.EXE
Token: SeDebugPrivilege	616	powershell.exe
Token: SeRestorePrivilege	1440	Helper.exe
Token: 35	1440	Helper.exe
Token: SeSecurityPrivilege	1440	Helper.exe
Token: SeSecurityPrivilege	1440	Helper.exe
Token: SeDebugPrivilege	2312	powershell.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

2626e0990d2db399b35b6e357fd53ed1.exestartnat.exeHelper.exeHelper.exeRUNDLL32.EXEHelper.exe

pid	process
1824	2626e0990d2db399b35b6e357fd53ed1.exe
1824	2626e0990d2db399b35b6e357fd53ed1.exe
1392	startnat.exe
1392	startnat.exe
1392	startnat.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
1996	Helper.exe
1996	Helper.exe
1996	Helper.exe
2740	RUNDLL32.EXE
1156	Helper.exe
1156	Helper.exe
1156	Helper.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

startnat.exeHelper.exeHelper.exeHelper.exe

pid	process
1392	startnat.exe
1392	startnat.exe
1392	startnat.exe
2036	Helper.exe
2036	Helper.exe
2036	Helper.exe
1996	Helper.exe
1996	Helper.exe
1996	Helper.exe
1156	Helper.exe
1156	Helper.exe
1156	Helper.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2626e0990d2db399b35b6e357fd53ed1.execmd.exeFile2.exe4aer.exestartnat.exe6owe.exe

description	pid	process	target process
PID 1824 wrote to memory of 1848	1824	2626e0990d2db399b35b6e357fd53ed1.exe	File2.exe
PID 1824 wrote to memory of 1848	1824	2626e0990d2db399b35b6e357fd53ed1.exe	File2.exe
PID 1824 wrote to memory of 1848	1824	2626e0990d2db399b35b6e357fd53ed1.exe	File2.exe
PID 1824 wrote to memory of 1848	1824	2626e0990d2db399b35b6e357fd53ed1.exe	File2.exe
PID 1824 wrote to memory of 1848	1824	2626e0990d2db399b35b6e357fd53ed1.exe	File2.exe
PID 1824 wrote to memory of 1848	1824	2626e0990d2db399b35b6e357fd53ed1.exe	File2.exe
PID 1824 wrote to memory of 1848	1824	2626e0990d2db399b35b6e357fd53ed1.exe	File2.exe
PID 1824 wrote to memory of 776	1824	2626e0990d2db399b35b6e357fd53ed1.exe	cmd.exe
PID 1824 wrote to memory of 776	1824	2626e0990d2db399b35b6e357fd53ed1.exe	cmd.exe
PID 1824 wrote to memory of 776	1824	2626e0990d2db399b35b6e357fd53ed1.exe	cmd.exe
PID 1824 wrote to memory of 776	1824	2626e0990d2db399b35b6e357fd53ed1.exe	cmd.exe
PID 776 wrote to memory of 1660	776	cmd.exe	timeout.exe
PID 776 wrote to memory of 1660	776	cmd.exe	timeout.exe
PID 776 wrote to memory of 1660	776	cmd.exe	timeout.exe
PID 776 wrote to memory of 1660	776	cmd.exe	timeout.exe
PID 1848 wrote to memory of 1256	1848	File2.exe	lvloa.exe
PID 1848 wrote to memory of 1256	1848	File2.exe	lvloa.exe
PID 1848 wrote to memory of 1256	1848	File2.exe	lvloa.exe
PID 1848 wrote to memory of 1256	1848	File2.exe	lvloa.exe
PID 1848 wrote to memory of 1256	1848	File2.exe	lvloa.exe
PID 1848 wrote to memory of 1256	1848	File2.exe	lvloa.exe
PID 1848 wrote to memory of 1256	1848	File2.exe	lvloa.exe
PID 1848 wrote to memory of 1060	1848	File2.exe	6owe.exe
PID 1848 wrote to memory of 1060	1848	File2.exe	6owe.exe
PID 1848 wrote to memory of 1060	1848	File2.exe	6owe.exe
PID 1848 wrote to memory of 1060	1848	File2.exe	6owe.exe
PID 1848 wrote to memory of 1060	1848	File2.exe	6owe.exe
PID 1848 wrote to memory of 1060	1848	File2.exe	6owe.exe
PID 1848 wrote to memory of 1060	1848	File2.exe	6owe.exe
PID 1848 wrote to memory of 936	1848	File2.exe	4aer.exe
PID 1848 wrote to memory of 936	1848	File2.exe	4aer.exe
PID 1848 wrote to memory of 936	1848	File2.exe	4aer.exe
PID 1848 wrote to memory of 936	1848	File2.exe	4aer.exe
PID 1848 wrote to memory of 936	1848	File2.exe	4aer.exe
PID 1848 wrote to memory of 936	1848	File2.exe	4aer.exe
PID 1848 wrote to memory of 936	1848	File2.exe	4aer.exe
PID 1848 wrote to memory of 1392	1848	File2.exe	startnat.exe
PID 1848 wrote to memory of 1392	1848	File2.exe	startnat.exe
PID 1848 wrote to memory of 1392	1848	File2.exe	startnat.exe
PID 1848 wrote to memory of 1392	1848	File2.exe	startnat.exe
PID 1848 wrote to memory of 1392	1848	File2.exe	startnat.exe
PID 1848 wrote to memory of 1392	1848	File2.exe	startnat.exe
PID 1848 wrote to memory of 1392	1848	File2.exe	startnat.exe
PID 936 wrote to memory of 1556	936	4aer.exe	SmartClock.exe
PID 936 wrote to memory of 1556	936	4aer.exe	SmartClock.exe
PID 936 wrote to memory of 1556	936	4aer.exe	SmartClock.exe
PID 936 wrote to memory of 1556	936	4aer.exe	SmartClock.exe
PID 936 wrote to memory of 1556	936	4aer.exe	SmartClock.exe
PID 936 wrote to memory of 1556	936	4aer.exe	SmartClock.exe
PID 936 wrote to memory of 1556	936	4aer.exe	SmartClock.exe
PID 1392 wrote to memory of 2296	1392	startnat.exe	CL_Debug_Log.txt
PID 1392 wrote to memory of 2296	1392	startnat.exe	CL_Debug_Log.txt
PID 1392 wrote to memory of 2296	1392	startnat.exe	CL_Debug_Log.txt
PID 1392 wrote to memory of 2296	1392	startnat.exe	CL_Debug_Log.txt
PID 1392 wrote to memory of 2296	1392	startnat.exe	CL_Debug_Log.txt
PID 1392 wrote to memory of 2296	1392	startnat.exe	CL_Debug_Log.txt
PID 1392 wrote to memory of 2296	1392	startnat.exe	CL_Debug_Log.txt
PID 1060 wrote to memory of 2312	1060	6owe.exe	cmd.exe
PID 1060 wrote to memory of 2312	1060	6owe.exe	cmd.exe
PID 1060 wrote to memory of 2312	1060	6owe.exe	cmd.exe
PID 1060 wrote to memory of 2312	1060	6owe.exe	cmd.exe
PID 1060 wrote to memory of 2312	1060	6owe.exe	cmd.exe
PID 1060 wrote to memory of 2312	1060	6owe.exe	cmd.exe
PID 1060 wrote to memory of 2312	1060	6owe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2626e0990d2db399b35b6e357fd53ed1.exe
"C:\Users\Admin\AppData\Local\Temp\2626e0990d2db399b35b6e357fd53ed1.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\File2.exe
  "C:\Users\Admin\AppData\Local\Temp\File2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Program Files (x86)\solfer\boleroh\lvloa.exe
    "C:\Program Files (x86)\solfer\boleroh\lvloa.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\wrgeqcmnju.exe"
      4⤵
      Loads dropped DLL
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\wrgeqcmnju.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wrgeqcmnju.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2644
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\WRGEQC~1.EXE
        6⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL,VAhMTBI=
        7⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA026.tmp.ps1"
        8⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpCEE5.tmp.ps1"
        8⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        9⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        8⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        8⤵
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\jovurlj.vbs"
      4⤵
      PID:2836
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jovurlj.vbs"
        5⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:2892
- - C:\Program Files (x86)\solfer\6owe.exe
    "C:\Program Files (x86)\solfer\6owe.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\nlrkhvudqavgn & timeout 2 & del /f /q "C:\Program Files (x86)\solfer\6owe.exe"
      4⤵
      PID:2312
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\nlrkhvudqavgn & timeout 2 & del /f /q "C:\Program Files (x86)\solfer\6owe.exe"
      4⤵
      PID:2416
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2484
- - C:\Program Files (x86)\solfer\4aer.exe
    "C:\Program Files (x86)\solfer\4aer.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      PID:1556
- - C:\Program Files (x86)\solfer\startnat.exe
    "C:\Program Files (x86)\solfer\startnat.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      PID:2500
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        5⤵
        Creates scheduled task(s)
        
        PID:2552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\y1nsc6FROj & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2626e0990d2db399b35b6e357fd53ed1.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1660

C:\Windows\system32\taskeng.exe
taskeng.exe {E4B98E2F-06BC-4764-8647-FED9A1DBFE62} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
PID:2376
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2036
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2396
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1156
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\solfer\4aer.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
C:\Program Files (x86)\solfer\4aer.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
C:\Program Files (x86)\solfer\6owe.exe

MD5
5d9f66ead65bf9f69829155f1e374e44

SHA1
72d4f028167c156c5ba00ab85eae0283fba9d5be

SHA256
1196095d2c23784c26a53a1c277d3e6654dec4b348732df87d58a62867c35bc5

SHA512
621ddbfc6c1665102e4c980a9a9b82a70cfd007a7f2041b09394de969945d72268c258d0dc53938be923d405cb577a272e06129b867368af5231a124a71e35ad

Download Submit
C:\Program Files (x86)\solfer\6owe.exe

MD5
5d9f66ead65bf9f69829155f1e374e44

SHA1
72d4f028167c156c5ba00ab85eae0283fba9d5be

SHA256
1196095d2c23784c26a53a1c277d3e6654dec4b348732df87d58a62867c35bc5

SHA512
621ddbfc6c1665102e4c980a9a9b82a70cfd007a7f2041b09394de969945d72268c258d0dc53938be923d405cb577a272e06129b867368af5231a124a71e35ad

Download Submit
C:\Program Files (x86)\solfer\boleroh\lvloa.exe

MD5
f6b571cc7c4eb8314bed5b5af5a8bc4a

SHA1
7eefe3d35d181c5805f432d0f2e7438bbd55a673

SHA256
67d019b33400a3fdc8fed7159f0f9e5c27805ef7c85b786c11cd5e0e4dca089e

SHA512
c3d211de5a2adbcdd061fd8e95b3a70e1f9b073966c9cda5a972d8c290eba72cde85fd95f0148e85638f1403c6f8446299e098cfd52c4bcda5102938d9de4287

Download Submit
C:\Program Files (x86)\solfer\boleroh\lvloa.exe

MD5
f6b571cc7c4eb8314bed5b5af5a8bc4a

SHA1
7eefe3d35d181c5805f432d0f2e7438bbd55a673

SHA256
67d019b33400a3fdc8fed7159f0f9e5c27805ef7c85b786c11cd5e0e4dca089e

SHA512
c3d211de5a2adbcdd061fd8e95b3a70e1f9b073966c9cda5a972d8c290eba72cde85fd95f0148e85638f1403c6f8446299e098cfd52c4bcda5102938d9de4287

Download Submit
C:\Program Files (x86)\solfer\startnat.exe

MD5
e59cb4520b2241124689575d1d60d8e1

SHA1
f7af9c6a0bd1999412551c0abcb6bcc110266aa0

SHA256
bdd9d0f94b67c14ea208581500e425d0ba95eb3d9d7db3836c7e5b2af741f71e

SHA512
eef42b953c3668627cde1f8f386fea19b93304f45640fdb6a69b68064378e2c10ae3a7da41e5a031cdac2f139d8631d073e87b3ed729aa3892d4dba420313627

Download Submit
C:\Program Files (x86)\solfer\startnat.exe

MD5
e59cb4520b2241124689575d1d60d8e1

SHA1
f7af9c6a0bd1999412551c0abcb6bcc110266aa0

SHA256
bdd9d0f94b67c14ea208581500e425d0ba95eb3d9d7db3836c7e5b2af741f71e

SHA512
eef42b953c3668627cde1f8f386fea19b93304f45640fdb6a69b68064378e2c10ae3a7da41e5a031cdac2f139d8631d073e87b3ed729aa3892d4dba420313627

Download Submit
C:\ProgramData\nlrkhvudqavgn\46173476.txt

MD5
95752e14a4e9145df584b9b0c82e41e1

SHA1
c25a788527df2adbe1b901f8be5f4d5aa314507b

SHA256
59db5e2f7ae5f0a88ff0ea8ac581bf4bf9bcb4b658b2a956db922c39baab6ce1

SHA512
cf14a56e93005878bcebc5ea90d4a46291fb8e98a9bb98f6918140d7483156a547337d70ceb9c75c9a2a182949074cba3864f832030915d80b432721e4ab00d9

Download Submit
C:\ProgramData\nlrkhvudqavgn\8372422.txt

MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\ProgramData\nlrkhvudqavgn\Files\_INFOR~1.TXT

MD5
0c7c4e57131e77da6047064fc5307b7b

SHA1
35191fbfb6256f84779d265ef634fe8118feadd2

SHA256
bbfdf7d526d013616cbeed5912581e24cc3591f2c729f6ea457969bea1807f86

SHA512
1812eb853e87cccb09b85f13d98f44e9b30f6ff9198fb03ba21f5d87d8eacfabb80120c6f9a208379db4fcf118121cb0e0229d14c8e9dc10d35a46de25ad801d

Download Submit
C:\ProgramData\nlrkhvudqavgn\NL_202~1.ZIP

MD5
0ba1f6b763ab609f0a39034f74788cac

SHA1
e15382030a58ea272eeda53efd64922e1700554c

SHA256
b9d4e8cb47a88b292faa494bcf437db162f6f7d9520bb609995ec5bf672538d0

SHA512
5bc7409fe2c9bc963efab2a4416082d4b922a694724111dfbfa5c10e42044f2d366c00622c5444ae076ec07b8fa7199cfa45bae6958aa51b1fd4593f55a659da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03bfaf74-c48a-406b-812c-2684df821d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9683bb9-e4bb-4f5b-a247-bdda7155c07d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IK0XRGX9\lexus[1].exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

MD5
0f5061a241fbc0af8122361493768888

SHA1
06f91f5feaa174dc8ee8744bb3e2aa7df5d4ef08

SHA256
ff5a19440d2f264182e77d23371c52859c4e36c4a45a4865a653f51d31464552

SHA512
8887ae73431bd3955dc81662524fb8f3d795cb3f210d9dbd7ca0b6bd434fa6c538817cfa160a456215c749339902b907d005e4648ecafd3ce777d76212d56e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\388E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

MD5
914e77fa98f676288b4966db78704cb4

SHA1
d79cea6bbdeb71df71559f40c95875a273291232

SHA256
6a72c7ef50dccf8088fa6c2756efe7c0ac128e2eb58d81e0c6e40829122d9828

SHA512
4ac150557c3b19525d43d829c0b28ab0094cec74056ed870e9367e5b7107dfd9cdd9a5a820f92cf55464b252e1e10760b20df4b4e4944d6d7acb16ecdfd5271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6616.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

MD5
16b282a1eced9d1c26539373c939849b

SHA1
7a06867fabebd4b0aec7dd200eddc0407912e690

SHA256
636012546004d63066030e2b28bf81be5fb12912472b85941e9982b1af1899fb

SHA512
2e1c38e7162ba19d4287ca7d9c6f3c985f6b286883a533a0eb7f0bb9f20fa46483976932605d01820aeaf3aedfc5e65d2492a873b057132107c2129c853168b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\File2.exe

MD5
39d962975150700a92b4ef5bd3704b2f

SHA1
b94e01ed6edfa1c98da5599aab6553d97f8dbe38

SHA256
7f70839c7a3a71f4f81d57adc59a7daa1ed49fd9589e0f0c86e3a28461fc4ffa

SHA512
6ac03ef3c99928a96bb7029a7a4e0262d864d3dde2811e4239c95d23fc4c79753cab976966a716472489dd37d13229ef400ccdee2829616fe40c9468ec254af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\File2.exe

MD5
39d962975150700a92b4ef5bd3704b2f

SHA1
b94e01ed6edfa1c98da5599aab6553d97f8dbe38

SHA256
7f70839c7a3a71f4f81d57adc59a7daa1ed49fd9589e0f0c86e3a28461fc4ffa

SHA512
6ac03ef3c99928a96bb7029a7a4e0262d864d3dde2811e4239c95d23fc4c79753cab976966a716472489dd37d13229ef400ccdee2829616fe40c9468ec254af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL

Download Submit
C:\Users\Admin\AppData\Local\Temp\jovurlj.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA026.tmp.ps1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEE5.tmp.ps1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEE6.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrgeqcmnju.exe

MD5
7c9618fc9144078b99a1defd46994ad1

SHA1
988015c3b62fca23f1d9babbd76ba29f9a6a0e3f

SHA256
2c2bfbbecced378ee87e3c8ffc1f2394dd4fe4272322ee74cf61aa6b53e923d2

SHA512
fcc05df6fc573962c6153481e976b8c0fdf7bce922b1948e2c6f84ac87347e22360a1f68be313a870ecc89c608f6b8d3afa000a2fdc3f1daff0cc0cc300bfcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrgeqcmnju.exe

MD5
7c9618fc9144078b99a1defd46994ad1

SHA1
988015c3b62fca23f1d9babbd76ba29f9a6a0e3f

SHA256
2c2bfbbecced378ee87e3c8ffc1f2394dd4fe4272322ee74cf61aa6b53e923d2

SHA512
fcc05df6fc573962c6153481e976b8c0fdf7bce922b1948e2c6f84ac87347e22360a1f68be313a870ecc89c608f6b8d3afa000a2fdc3f1daff0cc0cc300bfcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1nsc6FROj\2FN5FK~1.ZIP

MD5
58e7566e9d30b797653700a205bb469a

SHA1
bc21e7035c2262fb6c451e4ffbc7e9fd6502c6ac

SHA256
9a1295577cf786d373ff4e49a8b5fc4f835ce1afd2adc46688c19c50509e0cb6

SHA512
e0eae4913053c25381fd24f0ac6940a7b9e374b94e1a760dc23af6bba44cef8a29450818b06295bd42435f0a8684900374123b2d1246a2607e190aeaa56afd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1nsc6FROj\AKFT2Q~1.ZIP

MD5
02d15965fb5da5cf5e0e9a098ff33f3a

SHA1
f16a9f9ba61adb8283ed6cd767ef4876c13e845a

SHA256
f48ff78be01814e4fe8867603a1f1357586cace911c099ba31213c2d03788fef

SHA512
791f4472853134123a72769704869dfe7ba8158227a9aefd395574dc440f2ce94ad20a253c95fbd5faeed968c3d9f0b669daf45e0e58606e725a83776236a8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1nsc6FROj\_Files\_INFOR~1.TXT

MD5
3906f629d400ab8930bedccb0cb98990

SHA1
cd6d693c40ff37be8d17988128e3336d47e8036b

SHA256
4b1b0e01562d0ee222aabac5f36d5249785ce57cf053558a03f22eae311b7e15

SHA512
97c0a3575e129a2ccf41ebde6d070bd9415d40a47bac2d78d485e4e23f2608e6d5fd966667e1e6a870172edb75e82c8c3b23f8edfdbeb54f8ff595752d35ae42

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1nsc6FROj\_Files\_SCREE~1.JPE

MD5
474cd7dd0629aa8e2dcbaa961e652d09

SHA1
079b5bf0e005ac2e1dc4c81c985dd2d1b2b512e4

SHA256
620b17f322867d00a3210e0b10b892f84974d7cbf7a32af0267005d369f9effd

SHA512
e0c00bf448ae5c7359f62995cd0af8d38bb9cb8b0acea0006bb55c166df09c1afcd1622eb212113dbee8077a64952f340cb2700e457cd5c5d608f56d127a036f

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1nsc6FROj\files_\SCREEN~1.JPG

MD5
474cd7dd0629aa8e2dcbaa961e652d09

SHA1
079b5bf0e005ac2e1dc4c81c985dd2d1b2b512e4

SHA256
620b17f322867d00a3210e0b10b892f84974d7cbf7a32af0267005d369f9effd

SHA512
e0c00bf448ae5c7359f62995cd0af8d38bb9cb8b0acea0006bb55c166df09c1afcd1622eb212113dbee8077a64952f340cb2700e457cd5c5d608f56d127a036f

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1nsc6FROj\files_\SYSTEM~1.TXT

MD5
49dd3c0ea4b1745cb4acd10cf66c3728

SHA1
8457e0958c0aacc39389ab692bca1d4375a426d2

SHA256
2a2b91362114db1fb26fa0534ab1e53642131b3b56a2dbe042836526e0dded93

SHA512
cd20037b6af7ffd89929f60c77cbd3d25662d0477a01b554a24481f2dc45136e9e29d107d44772e4cc3c5f85a230a941cb37666bb39724259b364dfbbe3bcf40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\LIBEAY32.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\SSLEAY32.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-6.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_sjlj-1.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Program Files (x86)\solfer\4aer.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Program Files (x86)\solfer\4aer.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Program Files (x86)\solfer\4aer.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Program Files (x86)\solfer\4aer.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Program Files (x86)\solfer\4aer.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Program Files (x86)\solfer\6owe.exe

MD5
5d9f66ead65bf9f69829155f1e374e44

SHA1
72d4f028167c156c5ba00ab85eae0283fba9d5be

SHA256
1196095d2c23784c26a53a1c277d3e6654dec4b348732df87d58a62867c35bc5

SHA512
621ddbfc6c1665102e4c980a9a9b82a70cfd007a7f2041b09394de969945d72268c258d0dc53938be923d405cb577a272e06129b867368af5231a124a71e35ad

Download Submit
\Program Files (x86)\solfer\6owe.exe

MD5
5d9f66ead65bf9f69829155f1e374e44

SHA1
72d4f028167c156c5ba00ab85eae0283fba9d5be

SHA256
1196095d2c23784c26a53a1c277d3e6654dec4b348732df87d58a62867c35bc5

SHA512
621ddbfc6c1665102e4c980a9a9b82a70cfd007a7f2041b09394de969945d72268c258d0dc53938be923d405cb577a272e06129b867368af5231a124a71e35ad

Download Submit
\Program Files (x86)\solfer\6owe.exe

MD5
5d9f66ead65bf9f69829155f1e374e44

SHA1
72d4f028167c156c5ba00ab85eae0283fba9d5be

SHA256
1196095d2c23784c26a53a1c277d3e6654dec4b348732df87d58a62867c35bc5

SHA512
621ddbfc6c1665102e4c980a9a9b82a70cfd007a7f2041b09394de969945d72268c258d0dc53938be923d405cb577a272e06129b867368af5231a124a71e35ad

Download Submit
\Program Files (x86)\solfer\6owe.exe

MD5
5d9f66ead65bf9f69829155f1e374e44

SHA1
72d4f028167c156c5ba00ab85eae0283fba9d5be

SHA256
1196095d2c23784c26a53a1c277d3e6654dec4b348732df87d58a62867c35bc5

SHA512
621ddbfc6c1665102e4c980a9a9b82a70cfd007a7f2041b09394de969945d72268c258d0dc53938be923d405cb577a272e06129b867368af5231a124a71e35ad

Download Submit
\Program Files (x86)\solfer\6owe.exe

MD5
5d9f66ead65bf9f69829155f1e374e44

SHA1
72d4f028167c156c5ba00ab85eae0283fba9d5be

SHA256
1196095d2c23784c26a53a1c277d3e6654dec4b348732df87d58a62867c35bc5

SHA512
621ddbfc6c1665102e4c980a9a9b82a70cfd007a7f2041b09394de969945d72268c258d0dc53938be923d405cb577a272e06129b867368af5231a124a71e35ad

Download Submit
\Program Files (x86)\solfer\boleroh\lvloa.exe

MD5
f6b571cc7c4eb8314bed5b5af5a8bc4a

SHA1
7eefe3d35d181c5805f432d0f2e7438bbd55a673

SHA256
67d019b33400a3fdc8fed7159f0f9e5c27805ef7c85b786c11cd5e0e4dca089e

SHA512
c3d211de5a2adbcdd061fd8e95b3a70e1f9b073966c9cda5a972d8c290eba72cde85fd95f0148e85638f1403c6f8446299e098cfd52c4bcda5102938d9de4287

Download Submit
\Program Files (x86)\solfer\boleroh\lvloa.exe

MD5
f6b571cc7c4eb8314bed5b5af5a8bc4a

SHA1
7eefe3d35d181c5805f432d0f2e7438bbd55a673

SHA256
67d019b33400a3fdc8fed7159f0f9e5c27805ef7c85b786c11cd5e0e4dca089e

SHA512
c3d211de5a2adbcdd061fd8e95b3a70e1f9b073966c9cda5a972d8c290eba72cde85fd95f0148e85638f1403c6f8446299e098cfd52c4bcda5102938d9de4287

Download Submit
\Program Files (x86)\solfer\boleroh\lvloa.exe

MD5
f6b571cc7c4eb8314bed5b5af5a8bc4a

SHA1
7eefe3d35d181c5805f432d0f2e7438bbd55a673

SHA256
67d019b33400a3fdc8fed7159f0f9e5c27805ef7c85b786c11cd5e0e4dca089e

SHA512
c3d211de5a2adbcdd061fd8e95b3a70e1f9b073966c9cda5a972d8c290eba72cde85fd95f0148e85638f1403c6f8446299e098cfd52c4bcda5102938d9de4287

Download Submit
\Program Files (x86)\solfer\startnat.exe

MD5
e59cb4520b2241124689575d1d60d8e1

SHA1
f7af9c6a0bd1999412551c0abcb6bcc110266aa0

SHA256
bdd9d0f94b67c14ea208581500e425d0ba95eb3d9d7db3836c7e5b2af741f71e

SHA512
eef42b953c3668627cde1f8f386fea19b93304f45640fdb6a69b68064378e2c10ae3a7da41e5a031cdac2f139d8631d073e87b3ed729aa3892d4dba420313627

Download Submit
\Program Files (x86)\solfer\startnat.exe

MD5
e59cb4520b2241124689575d1d60d8e1

SHA1
f7af9c6a0bd1999412551c0abcb6bcc110266aa0

SHA256
bdd9d0f94b67c14ea208581500e425d0ba95eb3d9d7db3836c7e5b2af741f71e

SHA512
eef42b953c3668627cde1f8f386fea19b93304f45640fdb6a69b68064378e2c10ae3a7da41e5a031cdac2f139d8631d073e87b3ed729aa3892d4dba420313627

Download Submit
\Program Files (x86)\solfer\startnat.exe

MD5
e59cb4520b2241124689575d1d60d8e1

SHA1
f7af9c6a0bd1999412551c0abcb6bcc110266aa0

SHA256
bdd9d0f94b67c14ea208581500e425d0ba95eb3d9d7db3836c7e5b2af741f71e

SHA512
eef42b953c3668627cde1f8f386fea19b93304f45640fdb6a69b68064378e2c10ae3a7da41e5a031cdac2f139d8631d073e87b3ed729aa3892d4dba420313627

Download Submit
\Program Files (x86)\solfer\startnat.exe

MD5
e59cb4520b2241124689575d1d60d8e1

SHA1
f7af9c6a0bd1999412551c0abcb6bcc110266aa0

SHA256
bdd9d0f94b67c14ea208581500e425d0ba95eb3d9d7db3836c7e5b2af741f71e

SHA512
eef42b953c3668627cde1f8f386fea19b93304f45640fdb6a69b68064378e2c10ae3a7da41e5a031cdac2f139d8631d073e87b3ed729aa3892d4dba420313627

Download Submit
\Program Files (x86)\solfer\startnat.exe

MD5
e59cb4520b2241124689575d1d60d8e1

SHA1
f7af9c6a0bd1999412551c0abcb6bcc110266aa0

SHA256
bdd9d0f94b67c14ea208581500e425d0ba95eb3d9d7db3836c7e5b2af741f71e

SHA512
eef42b953c3668627cde1f8f386fea19b93304f45640fdb6a69b68064378e2c10ae3a7da41e5a031cdac2f139d8631d073e87b3ed729aa3892d4dba420313627

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe

MD5
39d962975150700a92b4ef5bd3704b2f

SHA1
b94e01ed6edfa1c98da5599aab6553d97f8dbe38

SHA256
7f70839c7a3a71f4f81d57adc59a7daa1ed49fd9589e0f0c86e3a28461fc4ffa

SHA512
6ac03ef3c99928a96bb7029a7a4e0262d864d3dde2811e4239c95d23fc4c79753cab976966a716472489dd37d13229ef400ccdee2829616fe40c9468ec254af1

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe

MD5
39d962975150700a92b4ef5bd3704b2f

SHA1
b94e01ed6edfa1c98da5599aab6553d97f8dbe38

SHA256
7f70839c7a3a71f4f81d57adc59a7daa1ed49fd9589e0f0c86e3a28461fc4ffa

SHA512
6ac03ef3c99928a96bb7029a7a4e0262d864d3dde2811e4239c95d23fc4c79753cab976966a716472489dd37d13229ef400ccdee2829616fe40c9468ec254af1

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe

MD5
39d962975150700a92b4ef5bd3704b2f

SHA1
b94e01ed6edfa1c98da5599aab6553d97f8dbe38

SHA256
7f70839c7a3a71f4f81d57adc59a7daa1ed49fd9589e0f0c86e3a28461fc4ffa

SHA512
6ac03ef3c99928a96bb7029a7a4e0262d864d3dde2811e4239c95d23fc4c79753cab976966a716472489dd37d13229ef400ccdee2829616fe40c9468ec254af1

Download Submit
\Users\Admin\AppData\Local\Temp\File2.exe

MD5
39d962975150700a92b4ef5bd3704b2f

SHA1
b94e01ed6edfa1c98da5599aab6553d97f8dbe38

SHA256
7f70839c7a3a71f4f81d57adc59a7daa1ed49fd9589e0f0c86e3a28461fc4ffa

SHA512
6ac03ef3c99928a96bb7029a7a4e0262d864d3dde2811e4239c95d23fc4c79753cab976966a716472489dd37d13229ef400ccdee2829616fe40c9468ec254af1

Download Submit
\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\WRGEQC~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\nsnD682.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\wrgeqcmnju.exe

MD5
7c9618fc9144078b99a1defd46994ad1

SHA1
988015c3b62fca23f1d9babbd76ba29f9a6a0e3f

SHA256
2c2bfbbecced378ee87e3c8ffc1f2394dd4fe4272322ee74cf61aa6b53e923d2

SHA512
fcc05df6fc573962c6153481e976b8c0fdf7bce922b1948e2c6f84ac87347e22360a1f68be313a870ecc89c608f6b8d3afa000a2fdc3f1daff0cc0cc300bfcce

Download Submit
\Users\Admin\AppData\Local\Temp\wrgeqcmnju.exe

MD5
7c9618fc9144078b99a1defd46994ad1

SHA1
988015c3b62fca23f1d9babbd76ba29f9a6a0e3f

SHA256
2c2bfbbecced378ee87e3c8ffc1f2394dd4fe4272322ee74cf61aa6b53e923d2

SHA512
fcc05df6fc573962c6153481e976b8c0fdf7bce922b1948e2c6f84ac87347e22360a1f68be313a870ecc89c608f6b8d3afa000a2fdc3f1daff0cc0cc300bfcce

Download Submit
\Users\Admin\AppData\Local\Temp\wrgeqcmnju.exe

MD5
7c9618fc9144078b99a1defd46994ad1

SHA1
988015c3b62fca23f1d9babbd76ba29f9a6a0e3f

SHA256
2c2bfbbecced378ee87e3c8ffc1f2394dd4fe4272322ee74cf61aa6b53e923d2

SHA512
fcc05df6fc573962c6153481e976b8c0fdf7bce922b1948e2c6f84ac87347e22360a1f68be313a870ecc89c608f6b8d3afa000a2fdc3f1daff0cc0cc300bfcce

Download Submit
\Users\Admin\AppData\Local\Temp\wrgeqcmnju.exe

MD5
7c9618fc9144078b99a1defd46994ad1

SHA1
988015c3b62fca23f1d9babbd76ba29f9a6a0e3f

SHA256
2c2bfbbecced378ee87e3c8ffc1f2394dd4fe4272322ee74cf61aa6b53e923d2

SHA512
fcc05df6fc573962c6153481e976b8c0fdf7bce922b1948e2c6f84ac87347e22360a1f68be313a870ecc89c608f6b8d3afa000a2fdc3f1daff0cc0cc300bfcce

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-6.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\ssleay32.dll

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
c529d4296084b7299cb3b72e1d97e61a

SHA1
49f9563adc630879a7277bedb5235cbb080ede7e

SHA256
89213a479b97ab968520c3a7a49ca329c4952a4ead104f484ed0ef7c0e2c74ba

SHA512
c41324fc0dae17291412ec6b510ab9d3a439a4cfd2872f5f3b72c22eddd878cc80dbe4046e02dfc0df925a472d48465970402150b12052faf9d8ff3e480ec6f7

Download Submit
memory/616-146-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/616-160-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/616-159-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/616-148-0x0000000006350000-0x0000000006351000-memory.dmp

Filesize
4KB

Download
memory/616-141-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/616-697-0x0000000000000000-mapping.dmp

Download
memory/616-131-0x0000000000000000-mapping.dmp

Download
memory/616-132-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/616-133-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/616-134-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/616-135-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/616-136-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/776-10-0x0000000000000000-mapping.dmp

Download
memory/936-47-0x0000000004D90000-0x0000000004DA1000-memory.dmp

Filesize
68KB

Download
memory/936-48-0x00000000051A0000-0x00000000051B1000-memory.dmp

Filesize
68KB

Download
memory/936-40-0x0000000000000000-mapping.dmp

Download
memory/1060-30-0x0000000000000000-mapping.dmp

Download
memory/1060-49-0x0000000004D30000-0x0000000004D41000-memory.dmp

Filesize
68KB

Download
memory/1060-46-0x0000000004920000-0x0000000004931000-memory.dmp

Filesize
68KB

Download
memory/1156-695-0x0000000000000000-mapping.dmp

Download
memory/1256-37-0x0000000004D10000-0x0000000004D21000-memory.dmp

Filesize
68KB

Download
memory/1256-32-0x0000000004900000-0x0000000004911000-memory.dmp

Filesize
68KB

Download
memory/1256-23-0x0000000000000000-mapping.dmp

Download
memory/1392-68-0x000000000AF60000-0x000000000AF71000-memory.dmp

Filesize
68KB

Download
memory/1392-67-0x000000000AB50000-0x000000000AB61000-memory.dmp

Filesize
68KB

Download
memory/1392-53-0x0000000000000000-mapping.dmp

Download
memory/1440-161-0x0000000000080000-0x0000000000140000-memory.dmp

Filesize
768KB

Download
memory/1440-164-0x0000000000080000-0x0000000000140000-memory.dmp

Filesize
768KB

Download
memory/1440-162-0x0000000000111C58-mapping.dmp

Download
memory/1472-396-0x0000000000000000-mapping.dmp

Download
memory/1556-70-0x0000000005030000-0x0000000005041000-memory.dmp

Filesize
68KB

Download
memory/1556-69-0x0000000004C20000-0x0000000004C31000-memory.dmp

Filesize
68KB

Download
memory/1556-61-0x0000000000000000-mapping.dmp

Download
memory/1660-20-0x0000000000000000-mapping.dmp

Download
memory/1768-5-0x000007FEF7FE0000-0x000007FEF825A000-memory.dmp

Filesize
2.5MB

Download
memory/1824-4-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1824-2-0x0000000000A0D000-0x0000000000A0E000-memory.dmp

Filesize
4KB

Download
memory/1824-3-0x00000000023F0000-0x0000000002401000-memory.dmp

Filesize
68KB

Download
memory/1848-7-0x0000000000000000-mapping.dmp

Download
memory/1892-694-0x0000000000000000-mapping.dmp

Download
memory/1996-151-0x0000000000000000-mapping.dmp

Download
memory/2036-149-0x0000000000000000-mapping.dmp

Download
memory/2296-72-0x0000000000000000-mapping.dmp

Download
memory/2312-177-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2312-226-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/2312-173-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/2312-172-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2312-171-0x0000000072AD0000-0x00000000731BE000-memory.dmp

Filesize
6.9MB

Download
memory/2312-167-0x0000000000000000-mapping.dmp

Download
memory/2312-194-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/2312-73-0x0000000000000000-mapping.dmp

Download
memory/2364-79-0x0000000000000000-mapping.dmp

Download
memory/2396-196-0x0000000002FB0000-0x0000000002FC1000-memory.dmp

Filesize
68KB

Download
memory/2396-402-0x0000000003430000-0x0000000003441000-memory.dmp

Filesize
68KB

Download
memory/2396-227-0x0000000002BA0000-0x0000000002BB1000-memory.dmp

Filesize
68KB

Download
memory/2396-229-0x0000000002BA0000-0x0000000002BB1000-memory.dmp

Filesize
68KB

Download
memory/2396-193-0x0000000064B40000-0x0000000064BBE000-memory.dmp

Filesize
504KB

Download
memory/2396-228-0x0000000002FB0000-0x0000000002FC1000-memory.dmp

Filesize
68KB

Download
memory/2396-195-0x0000000002BA0000-0x0000000002BB1000-memory.dmp

Filesize
68KB

Download
memory/2396-400-0x0000000003430000-0x0000000003441000-memory.dmp

Filesize
68KB

Download
memory/2396-197-0x0000000002BA0000-0x0000000002BB1000-memory.dmp

Filesize
68KB

Download
memory/2396-401-0x0000000003840000-0x0000000003851000-memory.dmp

Filesize
68KB

Download
memory/2396-176-0x0000000000000000-mapping.dmp

Download
memory/2416-82-0x0000000000000000-mapping.dmp

Download
memory/2484-83-0x0000000000000000-mapping.dmp

Download
memory/2500-85-0x0000000000000000-mapping.dmp

Download
memory/2552-86-0x0000000000000000-mapping.dmp

Download
memory/2616-89-0x0000000000000000-mapping.dmp

Download
memory/2644-99-0x0000000002660000-0x0000000002671000-memory.dmp

Filesize
68KB

Download
memory/2644-93-0x0000000000000000-mapping.dmp

Download
memory/2644-98-0x0000000002290000-0x000000000265A000-memory.dmp

Filesize
3.8MB

Download
memory/2644-94-0x0000000000000000-mapping.dmp

Download
memory/2696-100-0x0000000000000000-mapping.dmp

Download
memory/2696-106-0x00000000742B0000-0x0000000074453000-memory.dmp

Filesize
1.6MB

Download
memory/2696-107-0x0000000002810000-0x0000000002E70000-memory.dmp

Filesize
6.4MB

Download
memory/2740-108-0x0000000000000000-mapping.dmp

Download
memory/2740-113-0x0000000073DA0000-0x0000000073F43000-memory.dmp

Filesize
1.6MB

Download
memory/2740-114-0x0000000002550000-0x0000000002BB0000-memory.dmp

Filesize
6.4MB

Download
memory/2740-125-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2740-126-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2740-127-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2740-128-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2740-129-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2740-130-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2752-255-0x0000000000000000-mapping.dmp

Download
memory/2836-116-0x0000000000000000-mapping.dmp

Download
memory/2892-118-0x0000000000000000-mapping.dmp

Download
memory/2892-120-0x0000000002690000-0x0000000002694000-memory.dmp

Filesize
16KB

Download