cryptbot | 69057a29d94d0ae3e51c435df396178b093d057db5addcdb273dcd5aedc6e1ef

Analysis

max time kernel
125s
max time network
125s
platform
windows10_x64
resource
win10v20201028
submitted
03-12-2020 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

313f90db50cc3d4164b90d648b83cd75.exe
Size

671KB
MD5

313f90db50cc3d4164b90d648b83cd75
SHA1

f861f285705a4eb7ef51de27baef8dae05c36e15
SHA256

69057a29d94d0ae3e51c435df396178b093d057db5addcdb273dcd5aedc6e1ef
SHA512

cb0acb7106a328a83848812e85d7f998e5c0ef0780b4f0c20ab33cf046053202c265c40d7f68ee156d2ad4f80c114529ef8d8e793302d45991337a5cf37d1546

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

34 3668 WScript.exe
36 3668 WScript.exe
38 3668 WScript.exe
40 3668 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

File2.exelvfuk.exe6las.exe4ger.exestartveu.exeSmartClock.exeCL_Debug_Log.txtegctmpmrbo.exe

pid process

2724 File2.exe
4012 lvfuk.exe
3012 6las.exe
3824 4ger.exe
1292 startveu.exe
3972 SmartClock.exe
3736 CL_Debug_Log.txt
3580 egctmpmrbo.exe

flow	pid	process
34	3668	WScript.exe
36	3668	WScript.exe
38	3668	WScript.exe
40	3668	WScript.exe

pid	process
2724	File2.exe
4012	lvfuk.exe
3012	6las.exe
3824	4ger.exe
1292	startveu.exe
3972	SmartClock.exe
3736	CL_Debug_Log.txt
3580	egctmpmrbo.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SmartClock.exe6las.exelvfuk.exestartveu.exe4ger.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6las.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lvfuk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lvfuk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	startveu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	startveu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6las.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4ger.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4ger.exe

Drops startup file 1 IoCs

Processes:

4ger.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4ger.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4ger.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

lvfuk.exe6las.exe4ger.exestartveu.exeSmartClock.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	lvfuk.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	6las.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	4ger.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	startveu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	SmartClock.exe

Loads dropped DLL 3 IoCs

Processes:

File2.exerundll32.exe

pid process

2724 File2.exe
3516 rundll32.exe
3516 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

6las.exelvfuk.exe4ger.exestartveu.exeSmartClock.exe

pid process

3012 6las.exe
4012 lvfuk.exe
3824 4ger.exe
1292 startveu.exe
3972 SmartClock.exe

pid	process
2724	File2.exe
3516	rundll32.exe
3516	rundll32.exe

flow	ioc
19	ip-api.com

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\32.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\64.exe	autoit_exe

Drops file in Program Files directory 8 IoCs

Processes:

File2.exe

description	ioc	process
File created	C:\Program Files (x86)\solfer\4ger.exe	File2.exe
File created	C:\Program Files (x86)\solfer\6las.exe	File2.exe
File created	C:\Program Files (x86)\solfer\startveu.exe	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\msdasc.chm	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\msorcl32.chm	File2.exe
File created	C:\Program Files (x86)\solfer\boleroh\lvfuk.exe	File2.exe
File created	C:\Program Files (x86)\solfer\wiatrace.log	File2.exe
File created	C:\Program Files (x86)\solfer\Microsoft.IdentityServer.Web.Resources.dll	File2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lvfuk.exe313f90db50cc3d4164b90d648b83cd75.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lvfuk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	313f90db50cc3d4164b90d648b83cd75.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	313f90db50cc3d4164b90d648b83cd75.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lvfuk.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

648 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4076 timeout.exe
3344 timeout.exe
4004 timeout.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings cmd.exe

pid	process
648	schtasks.exe

pid	process
4076	timeout.exe
3344	timeout.exe
4004	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3972 SmartClock.exe

pid	process
3972	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

6las.exelvfuk.exe4ger.exestartveu.exeSmartClock.exe

pid	process
3012	6las.exe
3012	6las.exe
4012	lvfuk.exe
4012	lvfuk.exe
3824	4ger.exe
3824	4ger.exe
1292	startveu.exe
1292	startveu.exe
3972	SmartClock.exe
3972	SmartClock.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CL_Debug_Log.txt

description	pid	process
Token: SeRestorePrivilege	3736	CL_Debug_Log.txt
Token: 35	3736	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3736	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3736	CL_Debug_Log.txt

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

313f90db50cc3d4164b90d648b83cd75.exestartveu.exe

pid process

4048 313f90db50cc3d4164b90d648b83cd75.exe
4048 313f90db50cc3d4164b90d648b83cd75.exe
1292 startveu.exe
1292 startveu.exe
1292 startveu.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

startveu.exe

pid process

1292 startveu.exe
1292 startveu.exe
1292 startveu.exe

pid	process
4048	313f90db50cc3d4164b90d648b83cd75.exe
4048	313f90db50cc3d4164b90d648b83cd75.exe
1292	startveu.exe
1292	startveu.exe
1292	startveu.exe

pid	process
1292	startveu.exe
1292	startveu.exe
1292	startveu.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

313f90db50cc3d4164b90d648b83cd75.execmd.exeFile2.exe4ger.exestartveu.execmd.exe6las.execmd.execmd.exelvfuk.execmd.exeegctmpmrbo.execmd.exe

description	pid	process	target process
PID 4048 wrote to memory of 2724	4048	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 4048 wrote to memory of 2724	4048	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 4048 wrote to memory of 2724	4048	313f90db50cc3d4164b90d648b83cd75.exe	File2.exe
PID 4048 wrote to memory of 3724	4048	313f90db50cc3d4164b90d648b83cd75.exe	cmd.exe
PID 4048 wrote to memory of 3724	4048	313f90db50cc3d4164b90d648b83cd75.exe	cmd.exe
PID 4048 wrote to memory of 3724	4048	313f90db50cc3d4164b90d648b83cd75.exe	cmd.exe
PID 3724 wrote to memory of 4076	3724	cmd.exe	timeout.exe
PID 3724 wrote to memory of 4076	3724	cmd.exe	timeout.exe
PID 3724 wrote to memory of 4076	3724	cmd.exe	timeout.exe
PID 2724 wrote to memory of 4012	2724	File2.exe	lvfuk.exe
PID 2724 wrote to memory of 4012	2724	File2.exe	lvfuk.exe
PID 2724 wrote to memory of 4012	2724	File2.exe	lvfuk.exe
PID 2724 wrote to memory of 3012	2724	File2.exe	6las.exe
PID 2724 wrote to memory of 3012	2724	File2.exe	6las.exe
PID 2724 wrote to memory of 3012	2724	File2.exe	6las.exe
PID 2724 wrote to memory of 3824	2724	File2.exe	4ger.exe
PID 2724 wrote to memory of 3824	2724	File2.exe	4ger.exe
PID 2724 wrote to memory of 3824	2724	File2.exe	4ger.exe
PID 2724 wrote to memory of 1292	2724	File2.exe	startveu.exe
PID 2724 wrote to memory of 1292	2724	File2.exe	startveu.exe
PID 2724 wrote to memory of 1292	2724	File2.exe	startveu.exe
PID 3824 wrote to memory of 3972	3824	4ger.exe	SmartClock.exe
PID 3824 wrote to memory of 3972	3824	4ger.exe	SmartClock.exe
PID 3824 wrote to memory of 3972	3824	4ger.exe	SmartClock.exe
PID 1292 wrote to memory of 3736	1292	startveu.exe	CL_Debug_Log.txt
PID 1292 wrote to memory of 3736	1292	startveu.exe	CL_Debug_Log.txt
PID 1292 wrote to memory of 3736	1292	startveu.exe	CL_Debug_Log.txt
PID 1292 wrote to memory of 2088	1292	startveu.exe	cmd.exe
PID 1292 wrote to memory of 2088	1292	startveu.exe	cmd.exe
PID 1292 wrote to memory of 2088	1292	startveu.exe	cmd.exe
PID 2088 wrote to memory of 648	2088	cmd.exe	schtasks.exe
PID 2088 wrote to memory of 648	2088	cmd.exe	schtasks.exe
PID 2088 wrote to memory of 648	2088	cmd.exe	schtasks.exe
PID 3012 wrote to memory of 2204	3012	6las.exe	cmd.exe
PID 3012 wrote to memory of 2204	3012	6las.exe	cmd.exe
PID 3012 wrote to memory of 2204	3012	6las.exe	cmd.exe
PID 2204 wrote to memory of 3344	2204	cmd.exe	timeout.exe
PID 2204 wrote to memory of 3344	2204	cmd.exe	timeout.exe
PID 2204 wrote to memory of 3344	2204	cmd.exe	timeout.exe
PID 3012 wrote to memory of 2312	3012	6las.exe	cmd.exe
PID 3012 wrote to memory of 2312	3012	6las.exe	cmd.exe
PID 3012 wrote to memory of 2312	3012	6las.exe	cmd.exe
PID 2312 wrote to memory of 4004	2312	cmd.exe	timeout.exe
PID 2312 wrote to memory of 4004	2312	cmd.exe	timeout.exe
PID 2312 wrote to memory of 4004	2312	cmd.exe	timeout.exe
PID 4012 wrote to memory of 3132	4012	lvfuk.exe	cmd.exe
PID 4012 wrote to memory of 3132	4012	lvfuk.exe	cmd.exe
PID 4012 wrote to memory of 3132	4012	lvfuk.exe	cmd.exe
PID 3132 wrote to memory of 3580	3132	cmd.exe	egctmpmrbo.exe
PID 3132 wrote to memory of 3580	3132	cmd.exe	egctmpmrbo.exe
PID 3132 wrote to memory of 3580	3132	cmd.exe	egctmpmrbo.exe
PID 3580 wrote to memory of 3516	3580	egctmpmrbo.exe	rundll32.exe
PID 3580 wrote to memory of 3516	3580	egctmpmrbo.exe	rundll32.exe
PID 3580 wrote to memory of 3516	3580	egctmpmrbo.exe	rundll32.exe
PID 4012 wrote to memory of 1364	4012	lvfuk.exe	cmd.exe
PID 4012 wrote to memory of 1364	4012	lvfuk.exe	cmd.exe
PID 4012 wrote to memory of 1364	4012	lvfuk.exe	cmd.exe
PID 1364 wrote to memory of 3668	1364	cmd.exe	WScript.exe
PID 1364 wrote to memory of 3668	1364	cmd.exe	WScript.exe
PID 1364 wrote to memory of 3668	1364	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\313f90db50cc3d4164b90d648b83cd75.exe
"C:\Users\Admin\AppData\Local\Temp\313f90db50cc3d4164b90d648b83cd75.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\File2.exe
"C:\Users\Admin\AppData\Local\Temp\File2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2724

C:\Program Files (x86)\solfer\boleroh\lvfuk.exe
"C:\Program Files (x86)\solfer\boleroh\lvfuk.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\egctmpmrbo.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Users\Admin\AppData\Local\Temp\egctmpmrbo.exe
"C:\Users\Admin\AppData\Local\Temp\egctmpmrbo.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EGCTMP~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\EGCTMP~1.EXE
6⤵
- Loads dropped DLL
PID:3516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\nviwklwlbmhl.vbs"
4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nviwklwlbmhl.vbs"
5⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3668

C:\Program Files (x86)\solfer\6las.exe
"C:\Program Files (x86)\solfer\6las.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\owjhardlnins & timeout 2 & del /f /q "C:\Program Files (x86)\solfer\6las.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:3344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\owjhardlnins & timeout 2 & del /f /q "C:\Program Files (x86)\solfer\6las.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4004

C:\Program Files (x86)\solfer\4ger.exe
"C:\Program Files (x86)\solfer\4ger.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Program Files (x86)\solfer\startveu.exe
"C:\Program Files (x86)\solfer\startveu.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
4⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
5⤵
- Creates scheduled task(s)
PID:648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\GWSltiL & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\313f90db50cc3d4164b90d648b83cd75.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\solfer\4ger.exe
MD5
1b482bf0134c52d93039eb961d2e8077

SHA1
98488275e5ebd98bc53327956670521cf33f6d22

SHA256
86c95550820bf9627e81f256652d482e07f0cfb40504cd319727953197448fd7

SHA512
22bfcc05e1ccc8e7ce84598ba7cdfbca143971b5d48b55636b3d794b21483bc948977f5686ce2add1c416f5241908fcacbba96d8ced8cc074605dd6e778f9952

Download Submit
C:\Program Files (x86)\solfer\4ger.exe
MD5
1b482bf0134c52d93039eb961d2e8077

SHA1
98488275e5ebd98bc53327956670521cf33f6d22

SHA256
86c95550820bf9627e81f256652d482e07f0cfb40504cd319727953197448fd7

SHA512
22bfcc05e1ccc8e7ce84598ba7cdfbca143971b5d48b55636b3d794b21483bc948977f5686ce2add1c416f5241908fcacbba96d8ced8cc074605dd6e778f9952

Download Submit
C:\Program Files (x86)\solfer\6las.exe
MD5
cf3de7cc91e95a144227364f30736911

SHA1
4b9373d0dea078c5a86b6c9258d86f49bb3d8ac4

SHA256
5526d3dfc1a497cca23c282a2db8a9ae275fa481ef027f2b5752aaea504d6bbe

SHA512
a73c67740f27cab24939474ff55d603fdb2d749d3f868605d305b836256e27ed5f9eb104925d6d32a77eb8de94ec286745b7cd94497cb78ef8c603d74735d3bb

Download Submit
C:\Program Files (x86)\solfer\6las.exe
MD5
cf3de7cc91e95a144227364f30736911

SHA1
4b9373d0dea078c5a86b6c9258d86f49bb3d8ac4

SHA256
5526d3dfc1a497cca23c282a2db8a9ae275fa481ef027f2b5752aaea504d6bbe

SHA512
a73c67740f27cab24939474ff55d603fdb2d749d3f868605d305b836256e27ed5f9eb104925d6d32a77eb8de94ec286745b7cd94497cb78ef8c603d74735d3bb

Download Submit
C:\Program Files (x86)\solfer\boleroh\lvfuk.exe
MD5
64a76236492b14194d6bc86d85d94259

SHA1
b6e3f70b2c30b45353f5a98ce6aed407b89dd9f1

SHA256
23192ee63ad9c1159acf200c6d51f7b92e74a980630f25a02df23b8e7abf6521

SHA512
c94f00e6fe7f6d1c1d96d97d6b91c4c49f404bdac2db3e06fb19116a5091fee88408f202aca0af57a3bbfdb47451469f83ac58bfeddad4475bf586ff0f81448e

Download Submit
C:\Program Files (x86)\solfer\boleroh\lvfuk.exe
MD5
64a76236492b14194d6bc86d85d94259

SHA1
b6e3f70b2c30b45353f5a98ce6aed407b89dd9f1

SHA256
23192ee63ad9c1159acf200c6d51f7b92e74a980630f25a02df23b8e7abf6521

SHA512
c94f00e6fe7f6d1c1d96d97d6b91c4c49f404bdac2db3e06fb19116a5091fee88408f202aca0af57a3bbfdb47451469f83ac58bfeddad4475bf586ff0f81448e

Download Submit
C:\Program Files (x86)\solfer\startveu.exe
MD5
3a31563c5a9dfc6f78e37ec42225e624

SHA1
66fd7f14efd4e059a32e758531fbc909a9a3c451

SHA256
1b16a329db897f4b7aee0536c39e876a7469fe814ea3a706675c8bd859d1b8f2

SHA512
7f6cce8105a24c2052198297d378bf5ff749797cf39700bf18c4756c0da55e0e67232844ee7053b3996d0796ca4cef315f6fc491e84cfc9af76af70064cde62c

Download Submit
C:\Program Files (x86)\solfer\startveu.exe
MD5
3a31563c5a9dfc6f78e37ec42225e624

SHA1
66fd7f14efd4e059a32e758531fbc909a9a3c451

SHA256
1b16a329db897f4b7aee0536c39e876a7469fe814ea3a706675c8bd859d1b8f2

SHA512
7f6cce8105a24c2052198297d378bf5ff749797cf39700bf18c4756c0da55e0e67232844ee7053b3996d0796ca4cef315f6fc491e84cfc9af76af70064cde62c

Download Submit
C:\ProgramData\owjhardlnins\46173476.txt
MD5
28b4920a6ec28a27f132d2d6f405dffb

SHA1
27aef743af240cab37a8191188b586b9fab1c0c6

SHA256
f22d1cc281c5470c360c64d9e57773035f9c098435d85675725a34993b24cad1

SHA512
8a77efaea7e834f7bbc61913a23a76a8e7cf2a5a87d00f6b866345a4dad7fbbe1fa3cf3ab32f16785a72e679c3dcd79410d728dc45f45ceba795faee88573c14

Download Submit
C:\ProgramData\owjhardlnins\8372422.txt
MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\ProgramData\owjhardlnins\Files\_INFOR~1.TXT
MD5
c34a41c9fa74e5952d888b16829aa44f

SHA1
5cede3294d280f6c3a40eb2f7afc1e7a6abfefdb

SHA256
cf47cd2d2be93167ad2efddab042eb171b5373e534c3e7a823abf5d2334cb32f

SHA512
720840817c731daf291ea670ba91dca16f9160eb291450c99da4e1fece4fe38324121015c8ad90a3930632f34a9526e47df2cd3c19e6a7c09f11e6aaeace0a14

Download Submit
C:\ProgramData\owjhardlnins\NL_202~1.ZIP
MD5
3065be134b09c880f6761d20439f096d

SHA1
60c6b83653bc68da5b9b9afda652c6089fa4db3d

SHA256
1c3a8e98bde52c76b7a6d12995bf7c0cf9ecc23ce9bc99388bd5e785fba3478c

SHA512
8f60119c1dd621b2e13eb0322bce27255c25736cc14d96911c1c6325f3046f5502b2b879c2ad13b4aefeb849bcbcb71dfdacdf7efd1bd32f723a65384a6d51ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe
MD5
0f5061a241fbc0af8122361493768888

SHA1
06f91f5feaa174dc8ee8744bb3e2aa7df5d4ef08

SHA256
ff5a19440d2f264182e77d23371c52859c4e36c4a45a4865a653f51d31464552

SHA512
8887ae73431bd3955dc81662524fb8f3d795cb3f210d9dbd7ca0b6bd434fa6c538817cfa160a456215c749339902b907d005e4648ecafd3ce777d76212d56e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe
MD5
914e77fa98f676288b4966db78704cb4

SHA1
d79cea6bbdeb71df71559f40c95875a273291232

SHA256
6a72c7ef50dccf8088fa6c2756efe7c0ac128e2eb58d81e0c6e40829122d9828

SHA512
4ac150557c3b19525d43d829c0b28ab0094cec74056ed870e9367e5b7107dfd9cdd9a5a820f92cf55464b252e1e10760b20df4b4e4944d6d7acb16ecdfd5271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
MD5
16b282a1eced9d1c26539373c939849b

SHA1
7a06867fabebd4b0aec7dd200eddc0407912e690

SHA256
636012546004d63066030e2b28bf81be5fb12912472b85941e9982b1af1899fb

SHA512
2e1c38e7162ba19d4287ca7d9c6f3c985f6b286883a533a0eb7f0bb9f20fa46483976932605d01820aeaf3aedfc5e65d2492a873b057132107c2129c853168b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGCTMP~1.DLL
MD5
413dd46c87397ba80ccaa9d2254d96b7

SHA1
48cb3ec8463267723523b0861e634cf05319a1e0

SHA256
c00f2953530fa75cadad44cfb788138d70e32f9908f27a1939e88d2696037e66

SHA512
f692248cb48755e06b4eb0c8629bf161d64b71cf8587a80a56662a9c87d94e4fa354de8a3b374f4d6f9d212e4efb451a5fa2ecc27d577c03b74dd8b66a342b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\File2.exe
MD5
810e25cc339feaae512e60b98da0a8fc

SHA1
46947273eecf22ab2b47492c5691b8297f564781

SHA256
d572f5ea3a8bb203dbb26c62bcbffbfbfc3e285560893135eebbf227f124e488

SHA512
b236ae60cc04d2c60c2944b70a3bea895ee106b2591838b1a450a2f0dc4898d4e2df768837041e508ec0ecc1242c3317b633f1f00ad927326718f5e0763e6394

Download Submit
C:\Users\Admin\AppData\Local\Temp\File2.exe
MD5
810e25cc339feaae512e60b98da0a8fc

SHA1
46947273eecf22ab2b47492c5691b8297f564781

SHA256
d572f5ea3a8bb203dbb26c62bcbffbfbfc3e285560893135eebbf227f124e488

SHA512
b236ae60cc04d2c60c2944b70a3bea895ee106b2591838b1a450a2f0dc4898d4e2df768837041e508ec0ecc1242c3317b633f1f00ad927326718f5e0763e6394

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWSltiL\P0JCQW~1.ZIP
MD5
ff4f42d8a16bb304db14fc9a8a59a518

SHA1
7360b35de841367cbb3a85029bde1fd38e100eb6

SHA256
6c61499ddf3fa546d96104f90a2074ae8f3850b02cc5f123c9e04497be6c96c3

SHA512
16252e93f1282974f7f33fd84b232bd56519901b49bdbc7eb7b38cc0958201e1ca1c9e0f639e1373fbf3c2cc15870aebc81ad7408119cfd3efdcb3adc8b9835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWSltiL\SBZNV5~1.ZIP
MD5
3e6be11a0102f1fffc972f78e9f92462

SHA1
043eab6c102ba31f9d9c602b59782aa9ae1c3e8c

SHA256
86e85dbeb3e48027b0ae6479171b89b4ef8cbeca4fff8fb2705f32e9e282b632

SHA512
232b69b2de737294caa9aa024511bfb6a7b3699cb55be1953fe113cd1b3bf3f405a4a75f1142aa0f9cfca427d14a046e21a87e7a51567cc353d8ea0fa8a3d869

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWSltiL\_Files\_INFOR~1.TXT
MD5
091e7c96371a993f795cadde7d68841f

SHA1
e1a6ec77702ac1bced888f9bad0eef985ec9db1a

SHA256
0704587a92e1b613b0ee5f4fbffe64b4fcec0ec01da14ef68ad38b7674b9c97a

SHA512
f8299b9c1a2b6526801d19fd527542bcc7d99f701835efe602f098316ce7eecc401b8c5c7fc1ba524c9bc68c0a1503bc170f00dadb78fa5ac60193c0c475bde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWSltiL\_Files\_SCREE~1.JPE
MD5
2f25a13c0cf1d5b1b1a8cc10abb96bf9

SHA1
0b5e348a698a6a0a3fafaa645c3aacef30aef599

SHA256
1edf7f62a6898e329b9dfcb97382e4160541aab917a17227b76f8c5eb735bb0d

SHA512
b8ddc0a2c31fb9194a12047f0d170b219f29e35d8a8065f1654fb85bec11ed3ce8741dc839aaf0263fa896359e7d4ebbcdc67813018f333fa05f154aff0b7d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWSltiL\files_\SCREEN~1.JPG
MD5
2f25a13c0cf1d5b1b1a8cc10abb96bf9

SHA1
0b5e348a698a6a0a3fafaa645c3aacef30aef599

SHA256
1edf7f62a6898e329b9dfcb97382e4160541aab917a17227b76f8c5eb735bb0d

SHA512
b8ddc0a2c31fb9194a12047f0d170b219f29e35d8a8065f1654fb85bec11ed3ce8741dc839aaf0263fa896359e7d4ebbcdc67813018f333fa05f154aff0b7d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWSltiL\files_\SYSTEM~1.TXT
MD5
fcd02f400b8555033f656cd538b66f78

SHA1
61f558b02dd9ecfa1f36e705bdcb4bc2b4bcfb7c

SHA256
8200f9924c1a1b5c19b7bf052c9d7e4f89461db532d6c2489693f684572a6581

SHA512
070e151a36239fe72a6186eb514414bad62d37f2d295419039afa835d0a98918cd386cef360fbc6d5e0e6b679ab73ba1f41a849bb742e8114de4ec92f9ef75f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\egctmpmrbo.exe
MD5
edb521c6338fed6e392c559ca04e1891

SHA1
108a8c3df889431ca8a7d56b3345571623ec5e0c

SHA256
75c7c6d93c94bec95a35516df14c26ce1bea940426f341c48ae271040351dc57

SHA512
e45786224f7cc1ea9bb2d5fb0de27a2cfdbb432e7668f9ea7e7d2797de3f04a65c8602f03784e5629344d174535386e7028eac79cff30a75b61b0bc903a0ccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\egctmpmrbo.exe
MD5
edb521c6338fed6e392c559ca04e1891

SHA1
108a8c3df889431ca8a7d56b3345571623ec5e0c

SHA256
75c7c6d93c94bec95a35516df14c26ce1bea940426f341c48ae271040351dc57

SHA512
e45786224f7cc1ea9bb2d5fb0de27a2cfdbb432e7668f9ea7e7d2797de3f04a65c8602f03784e5629344d174535386e7028eac79cff30a75b61b0bc903a0ccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nviwklwlbmhl.vbs
MD5
ff27496053a0888e3216ec60d783a3e7

SHA1
a1c384c2e97417055face5069691bb1db5467ef5

SHA256
a71f928174af08ceb45c35b3ebca7551cad40c66b91d3a8d65e2cc7b4f117905

SHA512
e137e6ff9a264fcd03a111b46b8a87bebc44057a5af1cba58dd2fc021a0466b2c0f36ce49faedeed2df2ea62ab434c51f2411de986b9e807a2e1211bd1acdcd3

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1b482bf0134c52d93039eb961d2e8077

SHA1
98488275e5ebd98bc53327956670521cf33f6d22

SHA256
86c95550820bf9627e81f256652d482e07f0cfb40504cd319727953197448fd7

SHA512
22bfcc05e1ccc8e7ce84598ba7cdfbca143971b5d48b55636b3d794b21483bc948977f5686ce2add1c416f5241908fcacbba96d8ced8cc074605dd6e778f9952

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1b482bf0134c52d93039eb961d2e8077

SHA1
98488275e5ebd98bc53327956670521cf33f6d22

SHA256
86c95550820bf9627e81f256652d482e07f0cfb40504cd319727953197448fd7

SHA512
22bfcc05e1ccc8e7ce84598ba7cdfbca143971b5d48b55636b3d794b21483bc948977f5686ce2add1c416f5241908fcacbba96d8ced8cc074605dd6e778f9952

Download Submit
\Users\Admin\AppData\Local\Temp\EGCTMP~1.DLL
MD5
413dd46c87397ba80ccaa9d2254d96b7

SHA1
48cb3ec8463267723523b0861e634cf05319a1e0

SHA256
c00f2953530fa75cadad44cfb788138d70e32f9908f27a1939e88d2696037e66

SHA512
f692248cb48755e06b4eb0c8629bf161d64b71cf8587a80a56662a9c87d94e4fa354de8a3b374f4d6f9d212e4efb451a5fa2ecc27d577c03b74dd8b66a342b7d

Download Submit
\Users\Admin\AppData\Local\Temp\EGCTMP~1.DLL
MD5
413dd46c87397ba80ccaa9d2254d96b7

SHA1
48cb3ec8463267723523b0861e634cf05319a1e0

SHA256
c00f2953530fa75cadad44cfb788138d70e32f9908f27a1939e88d2696037e66

SHA512
f692248cb48755e06b4eb0c8629bf161d64b71cf8587a80a56662a9c87d94e4fa354de8a3b374f4d6f9d212e4efb451a5fa2ecc27d577c03b74dd8b66a342b7d

Download Submit
\Users\Admin\AppData\Local\Temp\nszB7FC.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/648-46-0x0000000000000000-mapping.dmp

Download
memory/1292-23-0x0000000000000000-mapping.dmp

Download
memory/1292-32-0x000000000A9B0000-0x000000000A9B1000-memory.dmp

Filesize
4KB

Download
memory/1292-34-0x000000000B1B0000-0x000000000B1B1000-memory.dmp

Filesize
4KB

Download
memory/1364-68-0x0000000000000000-mapping.dmp

Download
memory/2088-45-0x0000000000000000-mapping.dmp

Download
memory/2204-48-0x0000000000000000-mapping.dmp

Download
memory/2312-55-0x0000000000000000-mapping.dmp

Download
memory/2724-3-0x0000000000000000-mapping.dmp

Download
memory/3012-30-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3012-27-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3012-18-0x0000000000000000-mapping.dmp

Download
memory/3132-57-0x0000000000000000-mapping.dmp

Download
memory/3344-54-0x0000000000000000-mapping.dmp

Download
memory/3516-64-0x0000000000000000-mapping.dmp

Download
memory/3580-59-0x0000000000000000-mapping.dmp

Download
memory/3580-63-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/3580-58-0x0000000000000000-mapping.dmp

Download
memory/3668-70-0x0000000000000000-mapping.dmp

Download
memory/3724-6-0x0000000000000000-mapping.dmp

Download
memory/3736-41-0x0000000000000000-mapping.dmp

Download
memory/3824-21-0x0000000000000000-mapping.dmp

Download
memory/3824-29-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/3824-35-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/3824-33-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3972-36-0x0000000000000000-mapping.dmp

Download
memory/3972-40-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3972-39-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4004-56-0x0000000000000000-mapping.dmp

Download
memory/4012-31-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/4012-28-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/4012-15-0x0000000000000000-mapping.dmp

Download
memory/4048-2-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/4076-14-0x0000000000000000-mapping.dmp

Download