Analysis
max time kernel: 121s
max time network: 121s
platform: windows10_x64
resource: win10v20210410
submitted: 19-04-2021 18:10
Static task: static1
Behavioral task: behavioral1
Sample: 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.exe
Resource: win10v20210410
General
Target: 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.exe
Size: 6.8MB
MD5: ab92733eecc19ba622bea402e36217d7
SHA1: 0b989591194acec8782070b4d92db2963bfb17a0
SHA256: 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5
SHA512: 382b6fb60bbc4e8f9f8f0b8615f3bab247546f209aec35b2cab8a2038216319067a14073f1f0df8558183261fb387fb7bfb519d2052aa5bcfb09980a64f24213
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1672 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp
3848 | FileOpenManager64.exe
1444 | FileOpenBroker64.exe
-
Sets service image path in registry 2 TTPs
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
1672 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp
2476 | AcroRd32.exe (3 entries)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileOpenBroker = "\"C:\\Program Files\\FileOpen\\Services\\FileOpenBroker64.exe\"" | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 22 IoCs
Processes:
process (all rows): 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp
description | ioc
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api
File opened for modification | C:\Program Files\FileOpen\Services\FileOpenScreenHook64.dll
File opened for modification | C:\Program Files\FileOpen\Services\FileOpenManager64.exe
File created | C:\Program Files\FileOpen\is-AS5A7.tmp
File created | C:\Program Files\FileOpen\Services\is-3E15C.tmp
File created | C:\Program Files\FileOpen\Services\is-7IG1B.tmp
File opened for modification | C:\Program Files\FileOpen\Services\fileopen32.sys
File opened for modification | C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
File created | C:\Program Files\FileOpen\unins000.dat
File created | C:\Program Files\FileOpen\examples\is-PC85Q.tmp
File created | C:\Program Files\FileOpen\Services\is-VQM2E.tmp
File created | C:\Program Files\FileOpen\Services\is-FGNFD.tmp
File created | C:\Program Files\FileOpen\Services\is-TILH4.tmp
File created | C:\Program Files\FileOpen\unins000.msg
File opened for modification | C:\Program Files\FileOpen\Services\FileOpenScreenHook32.dll
File opened for modification | C:\Program Files\FileOpen\UtilDll.dll
File opened for modification | C:\Program Files\FileOpen\examples\installcomplete.pdf
File opened for modification | C:\Program Files\FileOpen\Services\fileopen64.sys
File created | C:\Program Files\FileOpen\is-24J99.tmp
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-0F3QM.tmp
File created | C:\Program Files\FileOpen\Services\is-QPM10.tmp
File opened for modification | C:\Program Files\FileOpen\unins000.dat
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes:
pid | process
1672 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp (8 entries)
2476 | AcroRd32.exe (30 entries)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
3848 | FileOpenManager64.exe
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
description | pid | process
Token: SeAssignPrimaryTokenPrivilege | 3848 | FileOpenManager64.exe
Token: SeIncreaseQuotaPrivilege | 3848 | FileOpenManager64.exe
Token: SeSecurityPrivilege | 3848 | FileOpenManager64.exe
Token: SeLoadDriverPrivilege | 3848 | FileOpenManager64.exe
Token: SeSystemtimePrivilege | 3848 | FileOpenManager64.exe
Token: SeShutdownPrivilege | 3848 | FileOpenManager64.exe
Token: SeSystemEnvironmentPrivilege | 3848 | FileOpenManager64.exe
Token: SeUndockPrivilege | 3848 | FileOpenManager64.exe
Token: SeManageVolumePrivilege | 3848 | FileOpenManager64.exe
Token: SeIncreaseQuotaPrivilege | 1444 | FileOpenBroker64.exe
Token: SeSecurityPrivilege | 1444 | FileOpenBroker64.exe
Token: SeLoadDriverPrivilege | 1444 | FileOpenBroker64.exe
Token: SeSystemProfilePrivilege | 1444 | FileOpenBroker64.exe
Token: SeSystemtimePrivilege | 1444 | FileOpenBroker64.exe
Token: SeProfSingleProcessPrivilege | 1444 | FileOpenBroker64.exe
Token: SeIncBasePriorityPrivilege | 1444 | FileOpenBroker64.exe
Token: SeCreatePagefilePrivilege | 1444 | FileOpenBroker64.exe
Token: SeShutdownPrivilege | 1444 | FileOpenBroker64.exe
Token: SeDebugPrivilege | 1444 | FileOpenBroker64.exe
Token: SeSystemEnvironmentPrivilege | 1444 | FileOpenBroker64.exe
Token: SeRemoteShutdownPrivilege | 1444 | FileOpenBroker64.exe
Token: SeUndockPrivilege | 1444 | FileOpenBroker64.exe
Token: SeManageVolumePrivilege | 1444 | FileOpenBroker64.exe
Token: 33 | 1444 | FileOpenBroker64.exe
Token: 34 | 1444 | FileOpenBroker64.exe
Token: 35 | 1444 | FileOpenBroker64.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1672 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp
2476 | AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
2476 | AcroRd32.exe (5 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3952 wrote to memory of 1672 | 3952 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.exe | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp (3 entries)
PID 1672 wrote to memory of 2664 | 1672 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp | sc.exe (2 entries)
PID 1672 wrote to memory of 3236 | 1672 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp | sc.exe (2 entries)
PID 1672 wrote to memory of 1240 | 1672 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp | sc.exe (2 entries)
PID 1672 wrote to memory of 1444 | 1672 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp | FileOpenBroker64.exe (2 entries)
PID 1672 wrote to memory of 2476 | 1672 | 1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp | AcroRd32.exe (3 entries)
PID 2476 wrote to memory of 2016 | 2476 | AcroRd32.exe | RdrCEF.exe (3 entries)
PID 2016 wrote to memory of 1804 | 2016 | RdrCEF.exe | RdrCEF.exe (41 entries)
PID 2016 wrote to memory of 2284 | 2016 | RdrCEF.exe | RdrCEF.exe (6 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-C5HRH.tmp\1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp (tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-C5HRH.tmp\1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp" /SL5="$40038,6349734,1320960,C:\Users\Admin\AppData\Local\Temp\1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe (tree level 3)
Command line: "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
-
C:\Windows\system32\sc.exe (tree level 3)
Command line: "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"
-
C:\Windows\system32\sc.exe (tree level 3)
Command line: "C:\Windows\system32\sc.exe" start FileOpenManager
-
C:\Program Files\FileOpen\Services\FileOpenBroker64.exe (tree level 3)
Command line: "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 4)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=76F54ECDF871B0B8B466A27F72F01A58 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3B2BAA496E409E8B49D659357C89D557 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3B2BAA496E409E8B49D659357C89D557 --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=646028492069FFBC0C4EE68DB9989D95 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=159673C3D6E4B2336192EB79BA0F919F --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A9ECA8C15C0A2D143B5200D01F25AD6F --mojo-platform-channel-handle=2220 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=530BBDB7A8A3170193470E4FC18E7B9C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=530BBDB7A8A3170193470E4FC18E7B9C --renderer-client-id=8 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files\FileOpen\Services\FileOpenManager64.exe (tree level 1)
Command line: "C:\Program Files\FileOpen\Services\FileOpenManager64.exe"
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api
MD5: 455e7742ad8a679932e631dddf39dee4
SHA1: 7134203b2c18de0af3aae3563966c4a6c3e64adc
SHA256: c373651aa734972cf2276a298abf9caa578f3f1b9b1dbf1de63227e92be09702
SHA512: c7bed951530ac745286085bf49c786f1508b49ea70680fd95835d62b4eeb55ce8a996be026a53370b07b859409e4bed8c293e4f1025133242268f7a7118de1f9
-
C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
MD5: c3cd4128718c650a824d72cad5b6bf4f
SHA1: ee21ba11ebd1c6bc912621e581b906e4ac5cdded
SHA256: 8b50b94dafc6b5857eeeeb8e420449adf69fa900f6f7b63f49f467603bdeef2f
SHA512: bf36500e81bf82e2f53d9d375f0b0996655f47a8640e03b49ab4acc11a5fcf22f9fec3f4401d5f4daee51db9bfc4f4f1b9a506ecd6be1e0279536734180bcb73
-
C:\Program Files\FileOpen\Services\FileOpenManager64.exe
MD5: 099126827a21b862cb71f37b4fda4ece
SHA1: d8036d5df3f66074b0ff110968fab1f7d42d9e94
SHA256: 0c369c57f68fdf0dcfbd5aaa0f104ca1928873c69058a83c60cfd14588d904c8
SHA512: 93c787f77634bc585a2e1602adde6e73c6717e740d8ec7bc53bfa24e56347c8ffd299c32bec001747bcc31f10d0607100c2f97acafe77bf263ce831c757b6f8c
-
C:\Program Files\FileOpen\examples\installcomplete.pdf
MD5: d020b6ff764f08684688e772bccffa99
SHA1: 117ccba4d83b17914f4ff1ffe1996540a041c507
SHA256: a6ef65b36f8521fc67269b9fbd024c7e98e0207ae76c8beca9b289f125f92383
SHA512: 5c8e7ffd0cbb3205f9164ef83500a9353c3d3f052fa4167ab0f49de44ca29cf90982ccd767646d339a64a0f26446cec4ba447d1cfd71388b17dd47f0dfee35f8
-
C:\ProgramData\FileOpen\Updates\L10n\fotk_de.lcd
MD5: 1ff1a88c097a10af0d2cb463bbb5e4c9
SHA1: d149b1d0bcd84fad9a4bd143e7837999bc840141
SHA256: 3e077b1a201d71636dd045f7b2694afee90881df97704b012dc947c7429492a7
SHA512: 82aa26f7e0d877a0bea8d55c57d4d6b98df283c04360c730e6ed385a589d16438f9bc00b80609b48c33028202661e7343dd4a13a53ae31b6c9a4d8c2e63d1023
-
C:\ProgramData\FileOpen\Updates\L10n\fotk_fr.lcd
MD5: 02d3a1c956563ba31087ee811bcf1f41
SHA1: 6bddfe58549c328d810b15b37bf93bcfcab1a14b
SHA256: e6dcd083958db6fb9a3fb75a9ed320638c3cbf97b69aa24aaf68e96fb644f9f1
SHA512: a385c69d7cfd88f637d3553beefa502563e9620fba1c502dbcb7cf868383f1cf86d6578fccce0ef6b5d0e246e1f94313ff6a3ac01b1529ac78df5f376b76c3e2
-
C:\ProgramData\FileOpen\Updates\L10n\fotk_ja.lcd
MD5: 7dd5a9a2ed2e595e660eab7b06449720
SHA1: 992cad591fb818a66dfec96cc32b5b94739692ff
SHA256: 168ed420ab4ac7c5468362ee5804a1ee1bc2304b3a61884adf1d9e764e66f889
SHA512: 2c335278e6e67fd26af6dcfc50417cb70ea35bdb4aba5185f023aec6ba1948f096677b4a6da3539b746cc79378f6dab82f386995cd56f3bd9f977815b11fe699
-
C:\ProgramData\FileOpen\Updates\L10n\fotk_zh.lcd
MD5: 03f4d28b17ce89cfe4c288ef7225451f
SHA1: 3470ad6103983daabee0d8494e891123bca9804a
SHA256: 7c7509711730827da1a713398845a2e09adde8ecfca07db04b47f34eece52493
SHA512: 50ebdba872c08d18c54aeba31c025de7203c0e1444cda541857715bb186358c8d8c186f0419edd9a5c02e03d98d44b95c0edc4549cf725578cebd667482a3326
-
C:\ProgramData\FileOpen\Updates\Lists\fotkBus.lcd
MD5: 8c21d08ba2b447a7c85fa5575a3e57ee
SHA1: a07e68f1613ad29a8274a07b6ec03b6266c06f15
SHA256: bb6dfd0a1f9fa1658fa75bdc117f601398d9d132453ee7a7d1b858aed29e42f9
SHA512: 0ab5767c4ee3d0cfba28174c8a3fb6bb9326e1bf66554aefd4549c41fa096deefe76a6150da3c577e6c99b40efd3151c0a96d6460f3dd266f5928156d58cf56a
-
C:\ProgramData\FileOpen\Updates\Lists\fotkCnfs.lcd
MD5: ca943a39a4f5dd13e54089690fec080a
SHA1: 0dc95be92bf165a841d1881bc2a14212c31f4792
SHA256: fdf6d2cbf65edcf9e84b66d484ba0fd18fad427e3eb1bf332c94caddf1d7ec63
SHA512: ee0051b72252a61399e53288cd23eee59ca4a7139e941a07b750281cfcb77bfd143453bf86f54c03cad39cabeca7cec2c5e4d1dc1b8a41e16fb174fa131966fe
-
C:\ProgramData\FileOpen\Updates\Lists\fotkDrs.lcd
MD5: 30fe73410c791d4bf1d7a1fdcea9e54a
SHA1: ed3eb0a5f503d1b7f84d19592249e0e7409e31eb
SHA256: 366c3aa0a8f734b055d685d1b4783c95b2e1830b7f25319b3577ffa3e66aa2b5
SHA512: dd76385e04704077e0972db4bb58629538884a316f8b8ec5c75b7597b66d80a5c20c243a6ba70f67f4492c95bb86d04053e8f7d7dfd8cff5bc803b286c52ff2d
-
C:\ProgramData\FileOpen\Updates\Lists\fotkLngs.lcd
MD5: 55d02da6997b22d40ac0bbd083d0d79e
SHA1: 5802069ebc18e6b83ef9974e1e88a5dc9aef3f16
SHA256: 323ca3057bbcd45288e40132953cd66b7f2aa1a403fa3d336f7e395fb51f94c3
SHA512: 4b78f7b57fd666ada151cfef2abab34a09b5270be7f7651aef0aaa1263512c8b35dcb09b70481f010d10417f9d71d13b86a6a51dc77c0fdca6d50bc5561d69a5
-
C:\ProgramData\FileOpen\Updates\Lists\fotkLsts.lcd
MD5: de68d51f9bfed85374972fc4b778c7fe
SHA1: 70cf0eb0a85e503f56d91404e3c25d140fa462f4
SHA256: 3115d9807b7f4558fa79d09f3ddebcfd41af2fa4761b006f108f9817165f0665
SHA512: 37fe62c56cdc889b321c650d87554715113710e081bae7b35f7c8d52def73a7c3e28fddacd3bbf48270bcbfaea27dfda49e0d5e6dec1a9ef9e8a1b88085ef53a
-
C:\ProgramData\FileOpen\Updates\Lists\fotkNis.lcd
MD5: 7f9d763543f94ca15b7158ada872c7e4
SHA1: 9661f3c85a6e583eb455e50488530d40b5fd6c56
SHA256: 6e3c654da94bf2dab61704fa4787747da578df0ea8a7b808a7943e1d506fb373
SHA512: 0f2acd1b623362b15c1d634b6e18e14452eae3ba6f984eeef2496094ebb258b62eda2ce607fc99f571eef54e92507650bb83ba2ebbeaac223d2346d343dea871
-
C:\ProgramData\FileOpen\Updates\Lists\fotkPrs.lcd
MD5: dd46349e256f66da49e6ed04dad039de
SHA1: 32929544444286c63fa674f56bd19171eb851aab
SHA256: d658b0aa15c2e36ad2c4c08bced8693e525387822a1604daa26d81bbfb6df6b1
SHA512: 29e9bdcbe21d95df93fabaf280b90c7ff860b64d692f2492ed642479c0306118f2032edb6e7fa216687efb963e71c4f691baa301060bae838916047b2ae782ef
-
C:\ProgramData\FileOpen\Updates\Lists\fotkRds.lcd
MD5: baba88923dacac1b9ffccd1caa783903
SHA1: bd9c1d4176b709671310eb31c197e54311df2e09
SHA256: 06793859377ade0f42f713178559a3189b9118884cc9d783e98c36820beab899
SHA512: c834660d40616847458d21287692bb809101653ee8a29eb24aac7d7ac6d9967bd78866081216848e073d50ed2e30ef4219cc13bb494a5f6c0201b27cea5d0ed8
-
C:\Users\Admin\AppData\Local\Temp\is-C5HRH.tmp\1363a87825c3c707e04e181932702eb2258a9b87adfded21909ea58b722047e5.tmp
MD5: 9d8408c9bf6f711b668ef36084757f7d
SHA1: 1c5fdb3445fbc80d7e7ab877424148155868d352
SHA256: 63ed8734dd7859fadef2fc184d8a25f90efc898e321358c73e876d97f5ceec72
SHA512: 60605cfc3a27cd3ad7ce73534405b17b671dce47177ddc2b7f72178e628d7a949d2924d552f738e8f4c837d86a148b78d687bd1885cc7efc37ebce3e06b07bde
-
\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api
MD5: 455e7742ad8a679932e631dddf39dee4
SHA1: 7134203b2c18de0af3aae3563966c4a6c3e64adc
SHA256: c373651aa734972cf2276a298abf9caa578f3f1b9b1dbf1de63227e92be09702
SHA512: c7bed951530ac745286085bf49c786f1508b49ea70680fd95835d62b4eeb55ce8a996be026a53370b07b859409e4bed8c293e4f1025133242268f7a7118de1f9
-
\Users\Admin\AppData\Local\Temp\is-GJKN8.tmp\UtilDll.dll
MD5: 79f2386cf7296e8661997193cf01baad
SHA1: 726fea5eabc5b38981b1d6cc5b8be01212c90616
SHA256: 101eba215ef5f833ec332da2c803fbff060eb55f32a88ec261b5c4192528e6dd
SHA512: 123f4ffa772fde8f901abf12c49b78eb81975e5e5f38a8ef80c10b4ca08da422c42ee72f51155fc87a6726217a29b0e8bf22cb927347d324d41e87485c5eff7e
-
memory/1240-123-0x0000000000000000-mapping.dmp
-
memory/1444-126-0x0000000000000000-mapping.dmp
-
memory/1672-115-0x0000000000000000-mapping.dmp
-
memory/1672-119-0x0000000000980000-0x0000000000981000-memory.dmp
Filesize: 4KB
-
memory/1728-171-0x0000000077A52000-0x0000000077A5200C-memory.dmp
Filesize: 12B
-
memory/1728-173-0x0000000000000000-mapping.dmp
-
memory/1804-151-0x0000000000000000-mapping.dmp
-
memory/1804-149-0x0000000077A52000-0x0000000077A5200C-memory.dmp
Filesize: 12B
-
memory/2016-147-0x0000000000000000-mapping.dmp
-
memory/2284-153-0x0000000077A52000-0x0000000077A5200C-memory.dmp
Filesize: 12B
-
memory/2284-155-0x0000000000000000-mapping.dmp
-
memory/2388-167-0x0000000077A52000-0x0000000077A5200C-memory.dmp
Filesize: 12B
-
memory/2388-169-0x0000000000000000-mapping.dmp
-
memory/2476-145-0x0000000005E70000-0x0000000006104000-memory.dmp
Filesize: 2.6MB
-
memory/2476-141-0x0000000000000000-mapping.dmp
-
memory/2664-121-0x0000000000000000-mapping.dmp
-
memory/2980-159-0x0000000077A52000-0x0000000077A5200C-memory.dmp
Filesize: 12B
-
memory/2980-161-0x0000000000000000-mapping.dmp
-
memory/3236-122-0x0000000000000000-mapping.dmp
-
memory/3644-165-0x0000000000000000-mapping.dmp
-
memory/3644-163-0x0000000077A52000-0x0000000077A5200C-memory.dmp
Filesize: 12B
-
memory/3952-114-0x0000000000400000-0x0000000000550000-memory.dmp
Filesize: 1.3MB