diamondfox | 4798591a79be1fe28b70af10883e655ee16ca90e858b0463154bccada7cb0fa4

Analysis

max time kernel
150s
max time network
148s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

90KB
MD5

1d5b46ff3cd12fd31362557299d6f488
SHA1

42f5d828b03f5e4c03e9f935683b5d82e6e7dc26
SHA256

2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c
SHA512

4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Score

10^/10

diamondfox botnet discovery spyware stealer

Malware Config

Extracted

Family

diamondfox

https://www.datanalysis.club/ms/gate.php

https://www.datanalysis.site/ms/gate.php

https://www.datanalysis.space/ms/gate.php

Mutex

cBFxpht5aCf0jy4gnUs3JgtqCB2O2tWJ

xor.plain

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 7 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox

Executes dropped EXE 6 IoCs

Processes:

atiedxx.exeatiedxx.exeatiedxx.exeatiedxx.exeatiedxx.exeatiedxx.exe

pid process

1708 atiedxx.exe
2076 atiedxx.exe
3296 atiedxx.exe
3948 atiedxx.exe
1008 atiedxx.exe
4056 atiedxx.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1708	atiedxx.exe
2076	atiedxx.exe
3296	atiedxx.exe
3948	atiedxx.exe
1008	atiedxx.exe
4056	atiedxx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

atiedxx.exe

description	pid	process	target process
PID 1708 set thread context of 2076	1708	atiedxx.exe	atiedxx.exe
PID 1708 set thread context of 3296	1708	atiedxx.exe	atiedxx.exe
PID 1708 set thread context of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 set thread context of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 set thread context of 4056	1708	atiedxx.exe	atiedxx.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

520 PING.EXE

pid	process
520	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exePowershell.exeatiedxx.exeatiedxx.exeatiedxx.exe

pid	process
188	powershell.exe
188	powershell.exe
188	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
428	Powershell.exe
428	Powershell.exe
428	Powershell.exe
2076	atiedxx.exe
2076	atiedxx.exe
2076	atiedxx.exe
2076	atiedxx.exe
3296	atiedxx.exe
3296	atiedxx.exe
3296	atiedxx.exe
3296	atiedxx.exe
3948	atiedxx.exe
3948	atiedxx.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exePowershell.exeatiedxx.exeatiedxx.exe

description	pid	process
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	428	Powershell.exe
Token: SeDebugPrivilege	2076	atiedxx.exe
Token: SeDebugPrivilege	3948	atiedxx.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

setup.exeatiedxx.exeatiedxx.exe

pid process

1080 setup.exe
1708 atiedxx.exe
4056 atiedxx.exe

pid	process
1080	setup.exe
1708	atiedxx.exe
4056	atiedxx.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

setup.exepowershell.exeatiedxx.exeatiedxx.execmd.exe

description	pid	process	target process
PID 1080 wrote to memory of 188	1080	setup.exe	powershell.exe
PID 1080 wrote to memory of 188	1080	setup.exe	powershell.exe
PID 1080 wrote to memory of 188	1080	setup.exe	powershell.exe
PID 188 wrote to memory of 1708	188	powershell.exe	atiedxx.exe
PID 188 wrote to memory of 1708	188	powershell.exe	atiedxx.exe
PID 188 wrote to memory of 1708	188	powershell.exe	atiedxx.exe
PID 1708 wrote to memory of 3696	1708	atiedxx.exe	powershell.exe
PID 1708 wrote to memory of 3696	1708	atiedxx.exe	powershell.exe
PID 1708 wrote to memory of 3696	1708	atiedxx.exe	powershell.exe
PID 1708 wrote to memory of 428	1708	atiedxx.exe	Powershell.exe
PID 1708 wrote to memory of 428	1708	atiedxx.exe	Powershell.exe
PID 1708 wrote to memory of 428	1708	atiedxx.exe	Powershell.exe
PID 1708 wrote to memory of 2076	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 2076	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 2076	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 2076	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 2076	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 2076	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 2076	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 2076	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3296	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3296	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3296	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3296	1708	atiedxx.exe	atiedxx.exe
PID 2076 wrote to memory of 968	2076	atiedxx.exe	cmd.exe
PID 2076 wrote to memory of 968	2076	atiedxx.exe	cmd.exe
PID 2076 wrote to memory of 968	2076	atiedxx.exe	cmd.exe
PID 968 wrote to memory of 520	968	cmd.exe	PING.EXE
PID 968 wrote to memory of 520	968	cmd.exe	PING.EXE
PID 968 wrote to memory of 520	968	cmd.exe	PING.EXE
PID 1708 wrote to memory of 3296	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3296	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3296	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3296	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3296	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 3948	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 1008	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 4056	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 4056	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 4056	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 4056	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 4056	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 4056	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 4056	1708	atiedxx.exe	atiedxx.exe
PID 1708 wrote to memory of 4056	1708	atiedxx.exe	atiedxx.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\setup.exe' -Destination 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
"C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe';$shortcut.Save()
4⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell Set-MpPreference -DisableRealtimeMonitoring 1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:520

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\tiedaxx\1.log
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\tiedaxx\2.log
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\tiedaxx\3.log
4⤵
- Executes dropped EXE
PID:1008

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\tiedaxx\4.log
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8f9d8eceb8f036048e5cc3ede0fb8299

SHA1
c49a8af31ff6878f5ea1df0bdcc07ff0e3b1f388

SHA256
33785283b06a8908e7601ef4932025320e563f060fe3aebea33b87078a912be0

SHA512
1d7c1805351fc31c8e42bfe8f1d21036eed4dc435a234c626869c75b717f85f7e419067a63f7020eba3557e0cf138f41c857b2c3b96c18da5870f48d2e1b8878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1b00fcbd0dd28ce3da4ce4cce47d26dd

SHA1
2156a234800a592ef136446bc9980fb5a54a4342

SHA256
613240ad347a623867b2f956e5d8aa068245d639b426cccc44c534aabf8f4293

SHA512
20f9843ff99fee4459ef1cedbc397c12c61b847af5840b577c151408f6095f06ba0b20ef72b6cb4e0671ae9d5cf44d082b79d6a0923b40b307572e190d35d287

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\1.log
MD5
c899085ae52e1212260bd31f38dd7cad

SHA1
482ebdfa75ac934e022670beea5258f08863abcb

SHA256
20c8330e6a19bd31b379f102f9ede1fd315fc763dd1d805b310ade04860d69cf

SHA512
3139ffb0e6c9ac312dd38aed58953b5249c8374529972553353e40bef982376b71f7a3551abd860f17443708d032c03feb2795860510a33df3abd35aebda155e

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
memory/188-9-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/188-11-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/188-16-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/188-17-0x0000000009F40000-0x0000000009F41000-memory.dmp

Filesize
4KB

Download
memory/188-14-0x0000000008D00000-0x0000000008D01000-memory.dmp

Filesize
4KB

Download
memory/188-13-0x0000000008DA0000-0x0000000008DA1000-memory.dmp

Filesize
4KB

Download
memory/188-12-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/188-15-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/188-10-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/188-8-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/188-7-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/188-6-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/188-5-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/188-4-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/188-3-0x0000000072860000-0x0000000072F4E000-memory.dmp

Filesize
6.9MB

Download
memory/188-2-0x0000000000000000-mapping.dmp

Download
memory/428-40-0x0000000071CE0000-0x00000000723CE000-memory.dmp

Filesize
6.9MB

Download
memory/428-64-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

Filesize
4KB

Download
memory/428-49-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/428-52-0x00000000089E0000-0x0000000008A13000-memory.dmp

Filesize
204KB

Download
memory/428-59-0x00000000089A0000-0x00000000089A1000-memory.dmp

Filesize
4KB

Download
memory/428-60-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

Filesize
4KB

Download
memory/428-62-0x0000000008E60000-0x0000000008E61000-memory.dmp

Filesize
4KB

Download
memory/428-39-0x0000000000000000-mapping.dmp

Download
memory/428-46-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/520-70-0x0000000000000000-mapping.dmp

Download
memory/968-69-0x0000000000000000-mapping.dmp

Download
memory/1008-80-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1008-83-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1008-81-0x000000000041211A-mapping.dmp

Download
memory/1708-18-0x0000000000000000-mapping.dmp

Download
memory/2076-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2076-67-0x0000000000415D43-mapping.dmp

Download
memory/3296-74-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3296-71-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3296-72-0x0000000000447D8A-mapping.dmp

Download
memory/3696-34-0x00000000084E0000-0x00000000084E1000-memory.dmp

Filesize
4KB

Download
memory/3696-25-0x0000000072500000-0x0000000072BEE000-memory.dmp

Filesize
6.9MB

Download
memory/3696-23-0x0000000000000000-mapping.dmp

Download
memory/3696-31-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/3948-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3948-77-0x0000000000413E10-mapping.dmp

Download
memory/3948-76-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4056-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4056-85-0x00000000004068E0-mapping.dmp

Download
memory/4056-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4056-88-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download