diamondfox | 63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

Analysis

max time kernel
143s
max time network
138s
platform
windows10_x64
resource
win10v20201028
submitted
19-01-2021 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123rd48.exe
Size

579KB
MD5

de4b296cb2891bd1c3ed085ed648a62d
SHA1

73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57
SHA256

63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a
SHA512

122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Score

10^/10

diamondfox botnet spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 1 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
behavioral2/memory/3496-5-0x0000000000400000-0x0000000000470000-memory.dmp	diamondfox

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2424-91-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/2424-92-0x000000000041211A-mapping.dmp	MailPassView
behavioral2/memory/2424-94-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2484-82-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView
behavioral2/memory/2484-83-0x0000000000447D8A-mapping.dmp	WebBrowserPassView
behavioral2/memory/2484-85-0x0000000000400000-0x0000000000477000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2484-82-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/2484-83-0x0000000000447D8A-mapping.dmp	Nirsoft
behavioral2/memory/2484-85-0x0000000000400000-0x0000000000477000-memory.dmp	Nirsoft
behavioral2/memory/3188-87-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/3188-88-0x0000000000413E10-mapping.dmp	Nirsoft
behavioral2/memory/3188-90-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/2424-91-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/2424-92-0x000000000041211A-mapping.dmp	Nirsoft
behavioral2/memory/2424-94-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

audiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

pid process

3844 audiodg.exe
2484 audiodg.exe
3188 audiodg.exe
2424 audiodg.exe
2408 audiodg.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.lnk powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3844	audiodg.exe
2484	audiodg.exe
3188	audiodg.exe
2424	audiodg.exe
2408	audiodg.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

audiodg.exe

description	pid	process	target process
PID 3844 set thread context of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 set thread context of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 set thread context of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 set thread context of 2408	3844	audiodg.exe	audiodg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exePowershell.exeaudiodg.exeaudiodg.exe

pid	process
3208	powershell.exe
3208	powershell.exe
3208	powershell.exe
3968	powershell.exe
3968	powershell.exe
3968	powershell.exe
2848	Powershell.exe
2848	Powershell.exe
2848	Powershell.exe
2484	audiodg.exe
2484	audiodg.exe
2484	audiodg.exe
2484	audiodg.exe
3188	audiodg.exe
3188	audiodg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exePowershell.exeaudiodg.exe

description	pid	process
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	2848	Powershell.exe
Token: SeDebugPrivilege	3188	audiodg.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

123rd48.exeaudiodg.exeaudiodg.exe

pid process

3496 123rd48.exe
3844 audiodg.exe
2408 audiodg.exe

pid	process
3496	123rd48.exe
3844	audiodg.exe
2408	audiodg.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

123rd48.exepowershell.exeaudiodg.exe

description	pid	process	target process
PID 3496 wrote to memory of 3208	3496	123rd48.exe	powershell.exe
PID 3496 wrote to memory of 3208	3496	123rd48.exe	powershell.exe
PID 3496 wrote to memory of 3208	3496	123rd48.exe	powershell.exe
PID 3208 wrote to memory of 3844	3208	powershell.exe	audiodg.exe
PID 3208 wrote to memory of 3844	3208	powershell.exe	audiodg.exe
PID 3208 wrote to memory of 3844	3208	powershell.exe	audiodg.exe
PID 3844 wrote to memory of 3968	3844	audiodg.exe	powershell.exe
PID 3844 wrote to memory of 3968	3844	audiodg.exe	powershell.exe
PID 3844 wrote to memory of 3968	3844	audiodg.exe	powershell.exe
PID 3844 wrote to memory of 2848	3844	audiodg.exe	Powershell.exe
PID 3844 wrote to memory of 2848	3844	audiodg.exe	Powershell.exe
PID 3844 wrote to memory of 2848	3844	audiodg.exe	Powershell.exe
PID 3844 wrote to memory of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2484	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 3188	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2424	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2408	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2408	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2408	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2408	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2408	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2408	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2408	3844	audiodg.exe	audiodg.exe
PID 3844 wrote to memory of 2408	3844	audiodg.exe	audiodg.exe

C:\Users\Admin\AppData\Local\Temp\123rd48.exe
"C:\Users\Admin\AppData\Local\Temp\123rd48.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\123rd48.exe' -Destination 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
"C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe';$shortcut.Save()
4⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell Set-MpPreference -DisableRealtimeMonitoring 1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
/scomma C:\Users\Admin\AppData\Local\gadoiud\1.log
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
/scomma C:\Users\Admin\AppData\Local\gadoiud\2.log
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
/scomma C:\Users\Admin\AppData\Local\gadoiud\3.log
4⤵
- Executes dropped EXE
PID:2424

C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
/scomma C:\Users\Admin\AppData\Local\gadoiud\4.log
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
594f8bcb3fe6b8d363c36965cff81b27

SHA1
98a91c5144501dc2ee1065a929e380607ccfcb91

SHA256
dc5edb59915bbb265d8725e30a4a630f69743bdf4aa0e9944314a7d24116e2b4

SHA512
932e69405711ed3ddfce96001f109054dc2d8fadedf35b243197ae65d45c5f06a20689a842147f1c04298cef6e5ee2c5380a79787b13bd99cacb0fc30c2b6ae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
937ace2779ca8c8397b98c994583a918

SHA1
db8d5e1ee01b8df2d1a7aca526b03e0225dcee7c

SHA256
6d212d742549cddd54162997ef21f96acee5f070c27f45b257b691f5d66c28db

SHA512
5aaf0bc77e30f26ba0ebd1b476e0adb1f6ce3a29ae1ee268353ff99c86888649a64d46198701de22a3ada0955e53fbb5742a2e96e4562e833b68e2b471f5d2aa

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\1.log
MD5
de4f4a0e812333a204277f4ca32e0f1e

SHA1
1987425deb61435c610d18fb63ac3d6d84f499b7

SHA256
028d1db1620f8e08f7c5b85f5c6ddd2d20afa5af4f852c4f300ab6ba79dcfa15

SHA512
888e2e7c3315ddff655a94f2d0276a852bd539582acd8758129d5b95f6dcf729eb82e56111c51bb5be8f3f5d4071f13b02151b08c1d0b8bb8dc0763d740df9c2

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
C:\Users\Admin\AppData\Local\gadoiud\audiodg.exe
MD5
de4b296cb2891bd1c3ed085ed648a62d

SHA1
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57

SHA256
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

SHA512
122402092f03e9ee35ad0fa5128e4d50795894790f088918d0ca3f6e128d85c8b6b7f64eaecdf6d66b2a8d41f921a1446056129d7b9eb28822afb8eacb20d453

Download Submit
memory/2408-95-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2408-96-0x00000000004068E0-mapping.dmp

Download
memory/2408-100-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2424-91-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2424-92-0x000000000041211A-mapping.dmp

Download
memory/2424-94-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2484-83-0x0000000000447D8A-mapping.dmp

Download
memory/2484-82-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2484-85-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2848-66-0x0000000009440000-0x0000000009473000-memory.dmp

Filesize
204KB

Download
memory/2848-78-0x00000000096E0000-0x00000000096E1000-memory.dmp

Filesize
4KB

Download
memory/2848-77-0x0000000003363000-0x0000000003364000-memory.dmp

Filesize
4KB

Download
memory/2848-51-0x0000000000000000-mapping.dmp

Download
memory/2848-74-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/2848-73-0x0000000009400000-0x0000000009401000-memory.dmp

Filesize
4KB

Download
memory/2848-80-0x00000000096D0000-0x00000000096D1000-memory.dmp

Filesize
4KB

Download
memory/2848-76-0x000000007EE40000-0x000000007EE41000-memory.dmp

Filesize
4KB

Download
memory/2848-64-0x0000000003362000-0x0000000003363000-memory.dmp

Filesize
4KB

Download
memory/2848-63-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2848-52-0x0000000072800000-0x0000000072EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2848-61-0x0000000008760000-0x0000000008761000-memory.dmp

Filesize
4KB

Download
memory/3188-88-0x0000000000413E10-mapping.dmp

Download
memory/3188-87-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3188-90-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3208-19-0x0000000008960000-0x0000000008961000-memory.dmp

Filesize
4KB

Download
memory/3208-14-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/3208-6-0x0000000000000000-mapping.dmp

Download
memory/3208-7-0x0000000073320000-0x0000000073A0E000-memory.dmp

Filesize
6.9MB

Download
memory/3208-8-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/3208-9-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/3208-10-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/3208-11-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/3208-29-0x0000000006593000-0x0000000006594000-memory.dmp

Filesize
4KB

Download
memory/3208-13-0x0000000006592000-0x0000000006593000-memory.dmp

Filesize
4KB

Download
memory/3208-12-0x0000000006590000-0x0000000006591000-memory.dmp

Filesize
4KB

Download
memory/3208-23-0x0000000009D20000-0x0000000009D21000-memory.dmp

Filesize
4KB

Download
memory/3208-22-0x00000000091A0000-0x00000000091A1000-memory.dmp

Filesize
4KB

Download
memory/3208-21-0x00000000088E0000-0x00000000088E1000-memory.dmp

Filesize
4KB

Download
memory/3208-20-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/3208-15-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/3208-18-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/3208-17-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/3208-16-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/3496-4-0x0000000002200000-0x0000000002270000-memory.dmp

Filesize
448KB

Download
memory/3496-3-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3496-5-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3844-24-0x0000000000000000-mapping.dmp

Download
memory/3844-30-0x00000000020E0000-0x0000000002150000-memory.dmp

Filesize
448KB

Download
memory/3968-50-0x0000000007293000-0x0000000007294000-memory.dmp

Filesize
4KB

Download
memory/3968-32-0x0000000000000000-mapping.dmp

Download
memory/3968-34-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3968-40-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/3968-43-0x0000000008B80000-0x0000000008B81000-memory.dmp

Filesize
4KB

Download
memory/3968-45-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/3968-46-0x0000000007292000-0x0000000007293000-memory.dmp

Filesize
4KB

Download