Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 20:38
Behavioral task: behavioral1
- Sample: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
- Resource: win7v20210408
General
- Target: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
- Size: 13.9MB
- MD5: ec2c59967ea1ba9fdbeaa79e41ee0c94
- SHA1: 9ff11413e265839c6994d473146ae5cf1c3cf256
- SHA256: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479
- SHA512: 3bf9d5e84d71f3f00425dd4a47e3a1838866d2d887490484610322a562849120d90e173051de6fbe0f8c72062232a42038ded2d28922cb804c654a00c5fbbe94
Malware Config
Signatures
- XMRig Miner Payload (1 IoC)
  Processes: resource C:\Windows\svchost.exe matched yara_rule xmrig
- Executes dropped EXE (1 IoC)
  Processes: svchost.exe, pid 1420
- Sets file execution options in registry (2 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe"
- Checks whether UAC is enabled (signature named in the process tree below; heading missing from the extracted report)
  Processes: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, pid 1032, 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  - Token: 33, pid 1032, 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  - Token: SeIncBasePriorityPrivilege, pid 1032, 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  - Token: SeIncBasePriorityPrivilege, pid 1420, svchost.exe
  - Token: SeLockMemoryPrivilege, pid 1420, svchost.exe
  - Token: SeLockMemoryPrivilege, pid 1420, svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 1032, 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 1032 wrote to memory of 1420: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe -> svchost.exe
  - PID 1032 wrote to memory of 1420: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe -> svchost.exe
  - PID 1032 wrote to memory of 1420: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe -> svchost.exe
  - PID 1032 wrote to memory of 1420: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe -> svchost.exe
- System policy modification (1 TTP, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system, 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe"
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   - System policy modification
   2. C:\Windows\svchost.exe (child of process 1)
      Command line: "C:\Windows\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\config.json
  MD5: 88c5c5706d2e237422eda18490dc6a59
  SHA1: bb8d12375f6b995301e756de2ef4fa3a3f6efd39
  SHA256: 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
  SHA512: a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7
- C:\Windows\svchost.exe
  MD5: 4a87a4d6677558706db4afaeeeb58d20
  SHA1: 7738dc6a459f8415f0265d36c626b48202cd6764
  SHA256: 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
  SHA512: bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594
- memory/1032-60-0x0000000075801000-0x0000000075803000-memory.dmp
  Filesize: 8KB
- memory/1420-61-0x0000000000000000-mapping.dmp