Analysis
-
max time kernel: 82s
max time network: 81s
platform: windows10_x64
resource: win10v20201028
submitted: 31-03-2021 17:23
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
  Resource: win10v20201028
General
-
Target: SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
Size: 176KB
MD5: de276c3b5b196028e89b37f04230a39d
SHA1: 77df36a5cccf073b4fb998efe4e42df8b78e3277
SHA256: ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24
SHA512: 0268a4deb27a2874a7796086e1635b325ac98d2a83d93521a8b3fb7fc3142d3165a55724b411bf5934a1c80c7096374690afebf4edbf0d57a954343de4a5a4ea
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2:
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
  pid   process
  3116  mpcmdrun.exe
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
  description            pid   process       target process
  PID 3164 created 3820  3164  WerFault.exe  viivgvw
  PID 2224 created 3572  2224  WerFault.exe  5.exe
-
Creates new service(s) 1 TTPs
-
Drops file in Drivers directory 1 IoCs
Processes:
  description                   ioc                                    process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  updatewin2.exe
-
Executes dropped EXE 12 IoCs
Processes:
  pid   process
  3820  viivgvw
  4012  1492.exe
  3924  1492.exe
  208   updatewin1.exe
  2364  updatewin2.exe
  412   updatewin.exe
  3572  5.exe
  1136  327C.exe
  2264  471E.exe
  2964  updatewin1.exe
  2832  58C2.exe
  3532  xjiwhrzt.exe
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Deletes itself 1 IoCs
Processes:
  pid   process
  3020  (no image name recorded)
-
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  1908  SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
  1136  327C.exe
  1136  327C.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str) by 1492.exe:
    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\19a4b7da-4d2e-4577-9b4b-1ba1d63ee53b\\1492.exe\" --AutoStart"
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  39    api.2ip.ua
  40    api.2ip.ua
  46    api.2ip.ua
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                   ioc                 process
  File opened for modification  \??\PHYSICALDRIVE0  58C2.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process       target process
  PID 3532 set thread context of 1576  3532  xjiwhrzt.exe  svchost.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
  pid   pid_target  process       target process
  3164  3820        WerFault.exe  viivgvw
  2224  3572        WerFault.exe  5.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description     ioc                                               process
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      327C.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  327C.exe
-
Delays execution with timeout.exe 2 IoCs
Processes:
  pid   process
  2764  timeout.exe
  608   timeout.exe
-
Kills process with taskkill 1 IoCs
Processes:
  pid   process
  2420  taskkill.exe
-
Modifies system certificate store 2 IoCs
Processes:
  Key created by 1492.exe:
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data) by 1492.exe:
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value omitted)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  1908  SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe  (2 entries)
  3020  (no image name recorded)  (all remaining entries)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid   process
  1908  SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
  token                                             pid   process
  SeRestorePrivilege                                3164  WerFault.exe
  SeBackupPrivilege                                 3164  WerFault.exe
  SeDebugPrivilege                                  3164  WerFault.exe
  SeShutdownPrivilege / SeCreatePagefilePrivilege   3020  (no image name recorded)  (5 alternating pairs)
  SeDebugPrivilege                                  2224  WerFault.exe
  SeShutdownPrivilege / SeCreatePagefilePrivilege   3020  (no image name recorded)  (3 alternating pairs)
  SeDebugPrivilege                                  2420  taskkill.exe
  SeShutdownPrivilege / SeCreatePagefilePrivilege   3020  (no image name recorded)  (6 alternating pairs)
  SeShutdownPrivilege                               2832  58C2.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process
  3020  (no image name recorded)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  Each entry in the report reads "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"; the report repeats each pair three times, collapsed here into a count.
  writer  target  writer image    target image    entries
  3020    4012    (unnamed)       1492.exe        3
  4012    3216    1492.exe        icacls.exe      3
  4012    3924    1492.exe        1492.exe        3
  3924    208     1492.exe        updatewin1.exe  3
  3924    2364    1492.exe        updatewin2.exe  3
  3924    412     1492.exe        updatewin.exe   3
  3924    3572    1492.exe        5.exe           3
  3020    1136    (unnamed)       327C.exe        3
  412     1916    updatewin.exe   cmd.exe         3
  1916    608     cmd.exe         timeout.exe     3
  3020    2264    (unnamed)       471E.exe        3
  208     2964    updatewin1.exe  updatewin1.exe  3
  1136    2736    327C.exe        cmd.exe         3
  2264    2232    471E.exe        cmd.exe         3
  2736    2420    cmd.exe         taskkill.exe    3
  2736    2764    cmd.exe         timeout.exe     3
  2264    1408    471E.exe        cmd.exe         3
  2264    504     471E.exe        sc.exe          3
  2264    1060    471E.exe        sc.exe          3
  3020    2832    (unnamed)       58C2.exe        3
  2264    3916    471E.exe        sc.exe          3
  2264    3876    471E.exe        netsh.exe       1
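The WriteProcessMemory entries above are the one place this report shows who started 1492.exe, 327C.exe, 471E.exe and 58C2.exe: the process tree lists them at depth 1 with no parent, while these IoCs show the unnamed PID 3020 writing into each of them as it starts. The Python below is an added example, not part of the Triage report and not code from SmokeLoader, Djvu or any other family named here. It parses entries in the report's own "PID X wrote to memory of Y X <writer image> <target image>" form and rebuilds the parent chain. The heuristic that the first process to write into a new PID is its creator, the constructed subset of entries, and the function names are this example's assumptions, not something the report states.

```python
import re
from collections import defaultdict

# Constructed subset of the "Suspicious use of WriteProcessMemory" entries
# from the report above. The sandbox prints each write three times; the
# repeats are kept here on purpose so the parser has to deduplicate them.
WRITE_EVENTS = """\
PID 3020 wrote to memory of 4012 3020 1492.exe
PID 3020 wrote to memory of 4012 3020 1492.exe
PID 3020 wrote to memory of 4012 3020 1492.exe
PID 4012 wrote to memory of 3216 4012 1492.exe icacls.exe
PID 4012 wrote to memory of 3924 4012 1492.exe 1492.exe
PID 3924 wrote to memory of 412 3924 1492.exe updatewin.exe
PID 412 wrote to memory of 1916 412 updatewin.exe cmd.exe
PID 1916 wrote to memory of 608 1916 cmd.exe timeout.exe
PID 3020 wrote to memory of 2264 3020 471E.exe
PID 2264 wrote to memory of 504 2264 471E.exe sc.exe
PID 3020 wrote to memory of 2832 3020 58C2.exe
"""

# writer pid, target pid, the writer pid repeated, then 0..2 image names.
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1((?: \S+)*)$")


def parse_write_events(text):
    """Return (parent_of, name_of) built from 'wrote to memory of' lines.

    Two trailing names mean '<writer image> <target image>'; one trailing
    name means the writer has no recorded image (PID 3020 here) and the
    name belongs to the target.
    """
    parent_of, name_of = {}, {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        names = m.group(3).split()
        if len(names) == 2:
            name_of.setdefault(writer, names[0])
            name_of.setdefault(target, names[1])
        elif len(names) == 1:
            name_of.setdefault(target, names[0])
        # Assumption: the first process seen writing into a PID created it
        # (the creator writes to its child before anything else can).
        parent_of.setdefault(target, writer)
    return parent_of, name_of


def lineage(pid, parent_of):
    """Walk from pid up to the root and return the chain root-first."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return list(reversed(chain))


def children(parent_of):
    """Invert parent_of into {parent: [sorted child pids]}."""
    tree = defaultdict(list)
    for child, parent in parent_of.items():
        tree[parent].append(child)
    return {p: sorted(c) for p, c in tree.items()}


def label(pid, name_of):
    return f"{pid} ({name_of.get(pid, 'unnamed')})"


if __name__ == "__main__":
    parent_of, name_of = parse_write_events(WRITE_EVENTS)
    for pid in (608, 504, 2832):
        print(" -> ".join(label(p, name_of) for p in lineage(pid, parent_of)))
```

Run stand-alone it prints one chain per line, for instance `3020 (unnamed) -> 4012 (1492.exe) -> 3924 (1492.exe) -> 412 (updatewin.exe) -> 1916 (cmd.exe) -> 608 (timeout.exe)`, which is the Djvu self-delete chain rooted in the process the report never names.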
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe"
  depth: 1
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1908
-
C:\Users\Admin\AppData\Roaming\viivgvw
  command line: C:\Users\Admin\AppData\Roaming\viivgvw
  depth: 1
- Executes dropped EXE
PID:3820
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 484
  depth: 2
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
C:\Users\Admin\AppData\Local\Temp\1492.exe
  command line: C:\Users\Admin\AppData\Local\Temp\1492.exe
  depth: 1
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4012
-
C:\Windows\SysWOW64\icacls.exe
  command line: icacls "C:\Users\Admin\AppData\Local\19a4b7da-4d2e-4577-9b4b-1ba1d63ee53b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  depth: 2
- Modifies file permissions
PID:3216
-
C:\Users\Admin\AppData\Local\Temp\1492.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1492.exe" --Admin IsNotAutoStart IsNotTask
  depth: 2
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924
-
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe
  command line: "C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe"
  depth: 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208
-
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe
  command line: "C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe" --Admin
  depth: 4
- Executes dropped EXE
PID:2964
-
C:\Program Files\Windows Defender\mpcmdrun.exe
  command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
  depth: 5
- Deletes Windows Defender Definitions
PID:3116
-
C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
  depth: 5
PID:1572
-
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin2.exe
  command line: "C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin2.exe"
  depth: 3
- Drops file in Drivers directory
- Executes dropped EXE
PID:2364
-
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin.exe
  command line: "C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin.exe"
  depth: 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412
-
C:\Windows\SysWOW64\cmd.exe
  command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin.exe
  depth: 4
- Suspicious use of WriteProcessMemory
PID:1916
-
C:\Windows\SysWOW64\timeout.exe
  command line: timeout /t 3
  depth: 5
- Delays execution with timeout.exe
PID:608
-
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\5.exe
  command line: "C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\5.exe"
  depth: 3
- Executes dropped EXE
PID:3572
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 764
  depth: 4
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
C:\Users\Admin\AppData\Local\Temp\327C.exe
  command line: C:\Users\Admin\AppData\Local\Temp\327C.exe
  depth: 1
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1136
-
C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 327C.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\327C.exe" & del C:\ProgramData\*.dll & exit
  depth: 2
- Suspicious use of WriteProcessMemory
PID:2736
-
C:\Windows\SysWOW64\taskkill.exe
  command line: taskkill /im 327C.exe /f
  depth: 3
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
C:\Windows\SysWOW64\timeout.exe
  command line: timeout /t 6
  depth: 3
- Delays execution with timeout.exe
PID:2764
-
C:\Users\Admin\AppData\Local\Temp\471E.exe
  command line: C:\Users\Admin\AppData\Local\Temp\471E.exe
  depth: 1
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264
-
C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eqhogsrt\
  depth: 2
PID:2232
-
C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xjiwhrzt.exe" C:\Windows\SysWOW64\eqhogsrt\
  depth: 2
PID:1408
-
C:\Windows\SysWOW64\sc.exe
  command line: "C:\Windows\System32\sc.exe" create eqhogsrt binPath= "C:\Windows\SysWOW64\eqhogsrt\xjiwhrzt.exe /d\"C:\Users\Admin\AppData\Local\Temp\471E.exe\"" type= own start= auto DisplayName= "wifi support"
  depth: 2
PID:504
-
C:\Windows\SysWOW64\sc.exe
  command line: "C:\Windows\System32\sc.exe" description eqhogsrt "wifi internet conection"
  depth: 2
PID:1060
-
C:\Windows\SysWOW64\sc.exe
  command line: "C:\Windows\System32\sc.exe" start eqhogsrt
  depth: 2
PID:3916
-
C:\Windows\SysWOW64\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  depth: 2
PID:3876
-
C:\Users\Admin\AppData\Local\Temp\58C2.exe
  command line: C:\Users\Admin\AppData\Local\Temp\58C2.exe
  depth: 1
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
C:\Windows\SysWOW64\eqhogsrt\xjiwhrzt.exe
  command line: C:\Windows\SysWOW64\eqhogsrt\xjiwhrzt.exe /d"C:\Users\Admin\AppData\Local\Temp\471E.exe"
  depth: 1
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3532
-
C:\Windows\SysWOW64\svchost.exe
  command line: svchost.exe
  depth: 2
PID:1576
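The command lines in the tree above are what a detection engineer would key on: mpcmdrun -removedefinitions, icacls denying Everyone on the Djvu working folder, sc create with a binPath in a freshly made SysWOW64 subfolder, the netsh allow rule for the 32-bit svchost.exe that the service later injects into, and the cmd /c timeout & del self-delete chain. As an added example (not part of the Triage report, not the malware's code, and not any vendor's rule set), the Python below runs a small rule table over constructed process-creation events whose command lines are copied from the tree. The event field names, the rule names and the benign control event (PID 9001 launching C:\Program Files\Vendor\agent.exe) are this example's inventions.

```python
import re

# Constructed process-creation events. The five malicious command lines are
# copied from the process tree above; the last event (PID 9001, a made-up
# vendor agent) is a benign control so the rules can be checked for false
# positives. The field names pid/image/cmd are this example's own schema,
# which maps directly onto Sysmon Event ID 1 or any EDR process telemetry.
EVENTS = [
    {"pid": 3116, "image": r"C:\Program Files\Windows Defender\mpcmdrun.exe",
     "cmd": r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all'},
    {"pid": 3216, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'icacls "C:\Users\Admin\AppData\Local\19a4b7da-4d2e-4577-9b4b-1ba1d63ee53b" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"pid": 504, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": r'"C:\Windows\System32\sc.exe" create eqhogsrt binPath= "C:\Windows\SysWOW64\eqhogsrt\xjiwhrzt.exe /d\"C:\Users\Admin\AppData\Local\Temp\471E.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"pid": 3876, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"pid": 2736, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c taskkill /im 327C.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\327C.exe" & del C:\ProgramData\*.dll & exit'},
    {"pid": 9001, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'sc.exe create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
]

# (rule name, image regex, command-line regex); all matched case-insensitively.
RULES = [
    # Defender definitions wiped via the Defender CLI itself.
    ("defender_definitions_removed",
     r"\\mpcmdrun\.exe$",
     r"-removedefinitions\b"),
    # Deny ACE for Everyone (S-1-1-0): Djvu protects its own working folder.
    ("icacls_deny_everyone",
     r"\\icacls\.exe$",
     r"/deny\s+\*S-1-1-0:"),
    # New service whose binary lives in a user-writable location or in a
    # subdirectory of SysWOW64 (legitimate services sit in System32,
    # SysWOW64 itself or Program Files).
    ("service_binpath_outside_system_dirs",
     r"\\sc\.exe$",
     r'\bcreate\b.*\bbinPath=\s*"?(?:C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\SysWOW64\\[^\\"]+\\)'),
    # Inbound allow rule added through netsh rather than Group Policy.
    ("netsh_firewall_allow_rule",
     r"\\netsh\.exe$",
     r"\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b"),
    # "timeout /t N & del ..." is the classic self-delete idiom.
    ("self_delete_cmd_chain",
     r"\\cmd\.exe$",
     r"\btimeout\s+/t\s+\d+\s*&\s*del\b"),
]


def match_events(events, rules=RULES):
    """Return sorted (rule_name, pid) pairs for every event some rule matches."""
    hits = []
    for ev in events:
        for name, image_pat, cmd_pat in rules:
            if (re.search(image_pat, ev["image"], re.I)
                    and re.search(cmd_pat, ev["cmd"], re.I)):
                hits.append((name, ev["pid"]))
    return sorted(hits)


if __name__ == "__main__":
    for name, pid in match_events(EVENTS):
        print(f"{pid:>5}  {name}")
```

The five hits line up with the report's own signatures (Deletes Windows Defender Definitions, Modifies file permissions, Creates new service(s), Modifies Windows Firewall, Deletes itself), and the Program Files control service is not flagged. In production the rule for sc.exe should also be fed the parent image, since here every sc.exe and netsh.exe call is spawned by 471E.exe out of %TEMP%, which is a stronger signal than the command line alone.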
MITRE ATT&CK Enterprise v6
Persistence
  Bootkit: 1
  Modify Existing Service: 1
  New Service: 1
  Registry Run Keys / Startup Folder: 2
Defense Evasion
  File and Directory Permissions Modification: 1
  Impair Defenses: 1
  Install Root Certificate: 1
  Modify Registry: 3
Downloads
-
C:\ProgramData\freebl3.dll
  MD5    ef2834ac4ee7d6724f255beaf527e635
  SHA1   5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
  SHA256 a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
  SHA512 c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\ProgramData\mozglue.dll
  MD5    8f73c08a9660691143661bf7332c3c27
  SHA1   37fa65dd737c50fda710fdbde89e51374d0c204a
  SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
  SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\msvcp140.dll
  MD5    109f0f02fd37c84bfc7508d4227d7ed5
  SHA1   ef7420141bb15ac334d3964082361a460bfdb975
  SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
  SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\ProgramData\nss3.dll
  MD5    bfac4e3c5908856ba17d41edcd455a51
  SHA1   8eec7e888767aa9e4cca8ff246eb2aacb9170428
  SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
  SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\softokn3.dll
  MD5    a2ee53de9167bf0d6c019303b7ca84e5
  SHA1   2a3c737fa1157e8483815e98b666408a18c0db42
  SHA256 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
  SHA512 45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\ProgramData\vcruntime140.dll
  MD5    7587bf9cb4147022cd5681b015183046
  SHA1   f2106306a8f6f0da5afb7fc765cfa0757ad5a628
  SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
  SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  MD5    0936d19232cfcdafbced53ad410a7302
  SHA1   7ecf78bc4b20f07d1b4e37d3b6d23276d559b18a
  SHA256 9046bb77872ac1e6d8b9a6af797f1fdd5cac5b833de440cbd285f396938c54fa
  SHA512 642215bbc005909a0a4ff3e1cfd9fb3017838e7a6bdf03c5716e980b59d46a793fd24d63ce8e27867d58daa644112e53e63fac7f671ee6f3a9b28bbde805805c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5    9c381e1c05936ad539bc8d0fe34981c3
  SHA1   cff61eb4121208e3fc90e0ae7cc605fc44e65ab9
  SHA256 bde1d8daaa1cb82ecab9742c4e06ae955070fb10be6689f5f177efe3496d32e3
  SHA512 bdc49a8fd3318658de368d640198e91a07dac3365fd1a6eff2265b1d909fb5a32d398b4fa94a6d8dd04876980b138217f15a579d1b47df0820f58ee4db295d65
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
  MD5    76f439a6a398afe5b0b20727b0901439
  SHA1   5748620240760fd6ad0d9bdf1e939ff43c633dd8
  SHA256 f7dab184c24837703e198e3abe045d557d6ee5d2b68589f253c9203465834fd0
  SHA512 31647caa011e97fb9fc3421f2575384e791d3d5026444ae3e038626e883d5c3003289fde566ae1be324bc41d8e10bc438433d674d6fcab74e6b653d0833bf19c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  MD5    7fb390e7b2e32ef49b44eac2d7665251
  SHA1   8f4052efe3ec192d2065bb722ea44e8bea99330f
  SHA256 7edd38eec7a29055ec0c4c5ad734d0431f66c25e64fbdd42029a76c14433baec
  SHA512 4b70b9c962f4b1485319a9776d7b51096410587fee3a4329018fe3ca6d9ee0f88fe10469f328522f256ec99f71f31306a7bbabe24cdeb39943b8a47563fa9e2b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5    eedc667ab69d316b76341ad28b7b9b08
  SHA1   dbfc1023e934fc1ffa71f9fb7ebfccf00270a8c5
  SHA256 4c981c355d4031630d19859798938896e44c63908af93d68ccbc349837e91f89
  SHA512 5a797449981aa1e76ac5aad428eb260a9344e56b27f441894810da944ac4dd3257f7df16fd7ea542797cfed3f60804fc4f2f5d684db96f3f404a344e5714478b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
  MD5    fe6cbb8e9a3902acef4f95cabc89c41f
  SHA1   02e9c33d45a7c8cea35a04135ec8068db90dcae6
  SHA256 720a5f90965f67ecd51bc9e4ba4079687ff76f7f7744dd86e28544c888f49787
  SHA512 425539ad17a61358201c0663e97b1140e8c275bc8d2a5a8e630ce58e9430389697d7f8da52ded35eb7616d6f574269c3aab18187d800d960d3c8375a08ce4420
-
C:\Users\Admin\AppData\Local\19a4b7da-4d2e-4577-9b4b-1ba1d63ee53b\1492.exe
  MD5    dfbf4111aaf98ca30c0cf21e99a08ff7
  SHA1   8d0fc08860666b9d619dc0f82cebc467705b46f3
  SHA256 a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d
  SHA512 f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a
-
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\5.exe (2 identical entries)
  MD5    e1edad05494a14cefa05fa28c3611a6e
  SHA1   718fe9cf4e4a7272ffa0583c0851e3134d6f1547
  SHA256 00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1
  SHA512 7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5
-
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin.exe (2 identical entries)
  MD5    2ba02a23e7b421bb51d9c47665ed540b
  SHA1   f5e6d401c61760fe7f6edad47a0517fb85d9cdeb
  SHA256 53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92
  SHA512 16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2
-
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe (3 identical entries)
  MD5    5b4bd24d6240f467bfbc74803c9f15b0
  SHA1   c17f98c182d299845c54069872e8137645768a1a
  SHA256 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
  SHA512 a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc
-
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin2.exe (2 identical entries)
  MD5    996ba35165bb62473d2a6743a5200d45
  SHA1   52169b0b5cce95c6905873b8d12a759c234bd2e0
  SHA256 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
  SHA512 2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\73LD4XN6.cookie
  MD5    329fe6efebd56dfca4484b38d563bf73
  SHA1   a70878499ecc0f23257c68b2e68293f4525c1e21
  SHA256 77d5e1ab38663e1f7e8801e1a01682aaad09428522865436ba7d627a871bc111
  SHA512 6103a0986fc0916e813978bc3f67749e22acba526e82c6380c7acddb2e0f99c7e3a3dc5b2f10aaa6a394a61f227b69177188c929efae21f02f4c3de9b87ecdb1
-
C:\Users\Admin\AppData\Local\Temp\1492.exe (3 identical entries)
  MD5    dfbf4111aaf98ca30c0cf21e99a08ff7
  SHA1   8d0fc08860666b9d619dc0f82cebc467705b46f3
  SHA256 a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d
  SHA512 f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a
-
C:\Users\Admin\AppData\Local\Temp\327C.exe (2 identical entries)
  MD5    4328b263719a51a40732349a08ba3bb6
  SHA1   904bd397a12c124af4a24021c6a21060955c79a3
  SHA256 a351c1d494a1060fc9cd1c914bb846d87318181202c4f9c06c6931a73c933522
  SHA512 75a6cdea5867875cab4c8c446c950805ab643a81d5acba6e2fc459f2859f7606690a7f19b00fb4ab22ece57236bbeaaf83295901a1807eba1881c7342f298107
-
C:\Users\Admin\AppData\Local\Temp\471E.exe (2 identical entries)
  MD5    f0ec8474c63bb4e444e1599c0ae13bdc
  SHA1   54e55cb1cfe9f0740606440dcec373cd77b039ce
  SHA256 99c144c609271eb14b404fb5966761c1e0b3910dec6fc785eb303cbe14de380b
  SHA512 07499872199ec83c5d33aad7f9b3eebbab07f1ba0feb32e8966840827139c364e1ff121065a64614c90f90453f36fb3d2ef9a20da087ce20f60441caa24720ed
-
C:\Users\Admin\AppData\Local\Temp\58C2.exe (2 identical entries)
  MD5    6dbd51216cd2949871a16a9a7d053570
  SHA1   1b348105ab9f358544960a3736418d11219767dd
  SHA256 d7d500029478331ae0485f3b1b806c319be5644c94318f73fc66f39f0da6cc0c
  SHA512 f502f5b207296c02a9e165b7589f53298fbd07b101ed8079ca31add36e088e5b1d2bc8b14d3638a7b1b01725e9b0002e1ada75d29ad5ac097518ce95556e7528
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
  MD5    50741b3f2d7debf5d2bed63d88404029
  SHA1   56210388a627b926162b36967045be06ffb1aad3
  SHA256 f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512 fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
C:\Users\Admin\AppData\Local\Temp\xjiwhrzt.exe
  MD5    17ef41e1a7c31c609267f4c43b75869f
  SHA1   55ba2b441289049b5f1431701dcd065dce120571
  SHA256 24ef6ed3fecdc58330d090302299d27f4d401069f54254edccbd537c3716a22b
  SHA512 e3ae2d331b5b3928f7c56d9773114cefe755324166f65f7cd01003e3666ef422b2deb7eefe3b0e3d0d43c31799755b86a4f58c80bfb40fd36c83fc4b6fcef551
-
C:\Users\Admin\AppData\Roaming\viivgvw (2 identical entries)
  MD5    de276c3b5b196028e89b37f04230a39d
  SHA1   77df36a5cccf073b4fb998efe4e42df8b78e3277
  SHA256 ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24
  SHA512 0268a4deb27a2874a7796086e1635b325ac98d2a83d93521a8b3fb7fc3142d3165a55724b411bf5934a1c80c7096374690afebf4edbf0d57a954343de4a5a4ea
-
C:\Windows\SysWOW64\eqhogsrt\xjiwhrzt.exe
  MD5    17ef41e1a7c31c609267f4c43b75869f
  SHA1   55ba2b441289049b5f1431701dcd065dce120571
  SHA256 24ef6ed3fecdc58330d090302299d27f4d401069f54254edccbd537c3716a22b
  SHA512 e3ae2d331b5b3928f7c56d9773114cefe755324166f65f7cd01003e3666ef422b2deb7eefe3b0e3d0d43c31799755b86a4f58c80bfb40fd36c83fc4b6fcef551
-
\ProgramData\mozglue.dll
  MD5    8f73c08a9660691143661bf7332c3c27
  SHA1   37fa65dd737c50fda710fdbde89e51374d0c204a
  SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
  SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dll
  MD5    bfac4e3c5908856ba17d41edcd455a51
  SHA1   8eec7e888767aa9e4cca8ff246eb2aacb9170428
  SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
  SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\Users\Admin\AppData\Local\Temp\CC4F.tmp
  MD5    50741b3f2d7debf5d2bed63d88404029
  SHA1   56210388a627b926162b36967045be06ffb1aad3
  SHA256 f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512 fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
memory/208-31-0x0000000000000000-mapping.dmp
memory/208-34-0x00000000023C0000-0x00000000023C1000-memory.dmp  Filesize 4KB
memory/208-78-0x0000000000400000-0x0000000000432000-memory.dmp  Filesize 200KB
memory/412-40-0x0000000000000000-mapping.dmp
memory/412-49-0x0000000000400000-0x0000000000437000-memory.dmp  Filesize 220KB
memory/412-47-0x0000000002620000-0x0000000002621000-memory.dmp  Filesize 4KB
memory/412-48-0x0000000000AA0000-0x0000000000AD6000-memory.dmp  Filesize 216KB
memory/504-89-0x0000000000000000-mapping.dmp
memory/608-63-0x0000000000000000-mapping.dmp
memory/1060-90-0x0000000000000000-mapping.dmp
memory/1136-68-0x0000000002500000-0x0000000002594000-memory.dmp  Filesize 592KB
memory/1136-64-0x00000000026D0000-0x00000000026D1000-memory.dmp  Filesize 4KB
memory/1136-59-0x0000000000000000-mapping.dmp
memory/1136-69-0x0000000000400000-0x0000000000498000-memory.dmp  Filesize 608KB
memory/1408-85-0x0000000000000000-mapping.dmp
memory/1576-101-0x0000000002BD9A6B-mapping.dmp
memory/1576-99-0x0000000002BD0000-0x0000000002BE5000-memory.dmp  Filesize 84KB
memory/1908-2-0x00000000048D0000-0x00000000048D1000-memory.dmp  Filesize 4KB
memory/1908-4-0x0000000002C00000-0x0000000002C09000-memory.dmp  Filesize 36KB
memory/1908-5-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize 36KB
memory/1916-62-0x0000000000000000-mapping.dmp
memory/2224-56-0x0000000004BF0000-0x0000000004BF1000-memory.dmp  Filesize 4KB
memory/2224-53-0x00000000047F0000-0x00000000047F1000-memory.dmp  Filesize 4KB
memory/2224-52-0x00000000047F0000-0x00000000047F1000-memory.dmp  Filesize 4KB
memory/2232-82-0x0000000000000000-mapping.dmp
memory/2264-72-0x0000000000000000-mapping.dmp
memory/2264-88-0x0000000000400000-0x0000000000415000-memory.dmp  Filesize 84KB
memory/2264-80-0x0000000004BC0000-0x0000000004BC1000-memory.dmp  Filesize 4KB
memory/2264-87-0x00000000001D0000-0x00000000001E3000-memory.dmp  Filesize 76KB
memory/2364-35-0x0000000000000000-mapping.dmp
memory/2364-38-0x0000000002250000-0x0000000002251000-memory.dmp  Filesize 4KB
memory/2364-79-0x0000000000400000-0x0000000000432000-memory.dmp  Filesize 200KB
memory/2420-83-0x0000000000000000-mapping.dmp
memory/2736-81-0x0000000000000000-mapping.dmp
memory/2764-84-0x0000000000000000-mapping.dmp
memory/2832-105-0x0000000000400000-0x000000000046F000-memory.dmp  Filesize 444KB
memory/2832-91-0x0000000000000000-mapping.dmp
memory/2832-104-0x0000000002E80000-0x0000000002EEB000-memory.dmp  Filesize 428KB
memory/2832-100-0x0000000004A60000-0x0000000004A61000-memory.dmp  Filesize 4KB
memory/2964-77-0x0000000002160000-0x0000000002161000-memory.dmp  Filesize 4KB
memory/2964-75-0x0000000000000000-mapping.dmp
memory/3020-6-0x0000000000A40000-0x0000000000A56000-memory.dmp  Filesize 88KB
memory/3164-12-0x0000000004F10000-0x0000000004F11000-memory.dmp  Filesize 4KB
memory/3164-11-0x0000000004F10000-0x0000000004F11000-memory.dmp  Filesize 4KB
memory/3216-22-0x0000000000000000-mapping.dmp
memory/3532-97-0x00000000034D0000-0x00000000034D1000-memory.dmp  Filesize 4KB
memory/3572-50-0x0000000002590000-0x0000000002591000-memory.dmp  Filesize 4KB
memory/3572-58-0x0000000000400000-0x0000000000498000-memory.dmp  Filesize 608KB
memory/3572-44-0x0000000000000000-mapping.dmp
memory/3572-57-0x0000000000B20000-0x0000000000BB5000-memory.dmp  Filesize 596KB
memory/3820-9-0x00000000049B0000-0x00000000049B1000-memory.dmp  Filesize 4KB
memory/3876-96-0x0000000000000000-mapping.dmp
memory/3916-94-0x0000000000000000-mapping.dmp
memory/3924-24-0x0000000000000000-mapping.dmp
memory/3924-26-0x0000000001D70000-0x0000000001D71000-memory.dmp  Filesize 4KB
memory/4012-21-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize 1.2MB
memory/4012-16-0x0000000000000000-mapping.dmp
memory/4012-19-0x0000000001FE0000-0x0000000001FE1000-memory.dmp  Filesize 4KB
memory/4012-20-0x0000000001D00000-0x0000000001E1A000-memory.dmp  Filesize 1.1MB