Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-03-2021 18:19
Static task
static1
Behavioral task
behavioral1
Sample
9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe
Resource
win10v20201028
General
-
Target
9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe
-
Size
1.4MB
-
MD5
f3da87fb27befc3df1eec757587fe93b
-
SHA1
798f0f6dba708beb6aee86469e5084b08d2e2714
-
SHA256
9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf
-
SHA512
51d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 2 IoCs
Detects DiamondFox payload in file/memory.
Processes:
resource yara_rule behavioral2/memory/3920-4-0x0000000000400000-0x0000000000435000-memory.dmp diamondfox behavioral2/memory/3920-3-0x00000000001C0000-0x00000000001F3000-memory.dmp diamondfox -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/3764-22-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView behavioral2/memory/3764-23-0x00000000004466F4-mapping.dmp WebBrowserPassView behavioral2/memory/3764-25-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView -
Nirsoft 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3764-22-0x0000000000400000-0x000000000047C000-memory.dmp Nirsoft behavioral2/memory/3764-23-0x00000000004466F4-mapping.dmp Nirsoft behavioral2/memory/3764-25-0x0000000000400000-0x000000000047C000-memory.dmp Nirsoft -
Executes dropped EXE 4 IoCs
Processes:
MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exepid process 188 MicrosoftEdgeCPS.exe 3284 MicrosoftEdgeCPS.exe 3764 MicrosoftEdgeCPS.exe 2128 MicrosoftEdgeCPS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 18 IoCs
Processes:
MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exedescription pid process target process PID 188 set thread context of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 set thread context of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 set thread context of 2128 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 3284 set thread context of 4092 3284 MicrosoftEdgeCPS.exe WerFault.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe PID 188 set thread context of 0 188 MicrosoftEdgeCPS.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
MicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exepid process 188 MicrosoftEdgeCPS.exe 188 MicrosoftEdgeCPS.exe 3764 MicrosoftEdgeCPS.exe 3764 MicrosoftEdgeCPS.exe 3764 MicrosoftEdgeCPS.exe 3764 MicrosoftEdgeCPS.exe 188 MicrosoftEdgeCPS.exe 188 MicrosoftEdgeCPS.exe 188 MicrosoftEdgeCPS.exe 188 MicrosoftEdgeCPS.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
MicrosoftEdgeCPS.exepid process 3284 MicrosoftEdgeCPS.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 932 wmic.exe Token: SeSecurityPrivilege 932 wmic.exe Token: SeTakeOwnershipPrivilege 932 wmic.exe Token: SeLoadDriverPrivilege 932 wmic.exe Token: SeSystemProfilePrivilege 932 wmic.exe Token: SeSystemtimePrivilege 932 wmic.exe Token: SeProfSingleProcessPrivilege 932 wmic.exe Token: SeIncBasePriorityPrivilege 932 wmic.exe Token: SeCreatePagefilePrivilege 932 wmic.exe Token: SeBackupPrivilege 932 wmic.exe Token: SeRestorePrivilege 932 wmic.exe Token: SeShutdownPrivilege 932 wmic.exe Token: SeDebugPrivilege 932 wmic.exe Token: SeSystemEnvironmentPrivilege 932 wmic.exe Token: SeRemoteShutdownPrivilege 932 wmic.exe Token: SeUndockPrivilege 932 wmic.exe Token: SeManageVolumePrivilege 932 wmic.exe Token: 33 932 wmic.exe Token: 34 932 wmic.exe Token: 35 932 wmic.exe Token: 36 932 wmic.exe Token: SeIncreaseQuotaPrivilege 932 wmic.exe Token: SeSecurityPrivilege 932 wmic.exe Token: SeTakeOwnershipPrivilege 932 wmic.exe Token: SeLoadDriverPrivilege 932 wmic.exe Token: SeSystemProfilePrivilege 932 wmic.exe Token: SeSystemtimePrivilege 932 wmic.exe Token: SeProfSingleProcessPrivilege 932 wmic.exe Token: SeIncBasePriorityPrivilege 932 wmic.exe Token: SeCreatePagefilePrivilege 932 wmic.exe Token: SeBackupPrivilege 932 wmic.exe Token: SeRestorePrivilege 932 wmic.exe Token: SeShutdownPrivilege 932 wmic.exe Token: SeDebugPrivilege 932 wmic.exe Token: SeSystemEnvironmentPrivilege 932 wmic.exe Token: SeRemoteShutdownPrivilege 932 wmic.exe Token: SeUndockPrivilege 932 wmic.exe Token: SeManageVolumePrivilege 932 wmic.exe Token: 33 932 wmic.exe Token: 34 932 wmic.exe Token: 35 932 wmic.exe Token: 36 932 wmic.exe Token: SeIncreaseQuotaPrivilege 3272 wmic.exe Token: SeSecurityPrivilege 3272 wmic.exe Token: SeTakeOwnershipPrivilege 3272 wmic.exe Token: SeLoadDriverPrivilege 3272 wmic.exe Token: SeSystemProfilePrivilege 3272 wmic.exe Token: SeSystemtimePrivilege 3272 wmic.exe Token: SeProfSingleProcessPrivilege 3272 wmic.exe Token: SeIncBasePriorityPrivilege 3272 wmic.exe Token: SeCreatePagefilePrivilege 3272 wmic.exe Token: SeBackupPrivilege 3272 wmic.exe Token: SeRestorePrivilege 3272 wmic.exe Token: SeShutdownPrivilege 3272 wmic.exe Token: SeDebugPrivilege 3272 wmic.exe Token: SeSystemEnvironmentPrivilege 3272 wmic.exe Token: SeRemoteShutdownPrivilege 3272 wmic.exe Token: SeUndockPrivilege 3272 wmic.exe Token: SeManageVolumePrivilege 3272 wmic.exe Token: 33 3272 wmic.exe Token: 34 3272 wmic.exe Token: 35 3272 wmic.exe Token: 36 3272 wmic.exe Token: SeIncreaseQuotaPrivilege 3272 wmic.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MicrosoftEdgeCPS.exepid process 2128 MicrosoftEdgeCPS.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exeMicrosoftEdgeCPS.exeMicrosoftEdgeCPS.exedescription pid process target process PID 3920 wrote to memory of 188 3920 9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe MicrosoftEdgeCPS.exe PID 3920 wrote to memory of 188 3920 9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe MicrosoftEdgeCPS.exe PID 3920 wrote to memory of 188 3920 9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 932 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 932 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 932 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 3272 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 3272 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 3272 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 2096 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 2096 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 2096 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 936 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 936 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 936 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 2176 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 2176 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 2176 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 4080 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 4080 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 4080 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 200 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 200 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 200 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3284 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 3764 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 2128 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 2128 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 2128 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 2128 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 2128 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 2128 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 2128 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 188 wrote to memory of 2128 188 MicrosoftEdgeCPS.exe MicrosoftEdgeCPS.exe PID 3284 wrote to memory of 4092 3284 MicrosoftEdgeCPS.exe WerFault.exe PID 3284 wrote to memory of 4092 3284 MicrosoftEdgeCPS.exe WerFault.exe PID 3284 wrote to memory of 4092 3284 MicrosoftEdgeCPS.exe WerFault.exe PID 3284 wrote to memory of 4092 3284 MicrosoftEdgeCPS.exe WerFault.exe PID 3284 wrote to memory of 4092 3284 MicrosoftEdgeCPS.exe WerFault.exe PID 188 wrote to memory of 4044 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 4044 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 4044 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 3908 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 3908 188 MicrosoftEdgeCPS.exe wmic.exe PID 188 wrote to memory of 3908 188 MicrosoftEdgeCPS.exe wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe"C:\Users\Admin\AppData\Local\Temp\9526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" os get caption /FORMAT:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_VideoController get caption /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe4⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\EdgeCP\1.logMD5
de4f4a0e812333a204277f4ca32e0f1e
SHA11987425deb61435c610d18fb63ac3d6d84f499b7
SHA256028d1db1620f8e08f7c5b85f5c6ddd2d20afa5af4f852c4f300ab6ba79dcfa15
SHA512888e2e7c3315ddff655a94f2d0276a852bd539582acd8758129d5b95f6dcf729eb82e56111c51bb5be8f3f5d4071f13b02151b08c1d0b8bb8dc0763d740df9c2
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
f3da87fb27befc3df1eec757587fe93b
SHA1798f0f6dba708beb6aee86469e5084b08d2e2714
SHA2569526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf
SHA51251d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
f3da87fb27befc3df1eec757587fe93b
SHA1798f0f6dba708beb6aee86469e5084b08d2e2714
SHA2569526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf
SHA51251d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
f3da87fb27befc3df1eec757587fe93b
SHA1798f0f6dba708beb6aee86469e5084b08d2e2714
SHA2569526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf
SHA51251d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
f3da87fb27befc3df1eec757587fe93b
SHA1798f0f6dba708beb6aee86469e5084b08d2e2714
SHA2569526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf
SHA51251d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeMD5
f3da87fb27befc3df1eec757587fe93b
SHA1798f0f6dba708beb6aee86469e5084b08d2e2714
SHA2569526e9792bed9efe4ed6101deff93b649701cf0f77b024567b5c0540b4b3c7bf
SHA51251d0a44359eeacb8344955099dce9fec20e46ddf509aea1036503eb0e278fbac363d797fb8745ea3b8ddd5e6f5c3c81f496e0354a10603e80c3028492bc7adaa
-
memory/0-49-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/0-52-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/0-48-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/0-47-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/0-74-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/0-64-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/0-50-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/188-5-0x0000000000000000-mapping.dmp
-
memory/188-8-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/200-17-0x0000000000000000-mapping.dmp
-
memory/932-11-0x0000000000000000-mapping.dmp
-
memory/936-14-0x0000000000000000-mapping.dmp
-
memory/2096-13-0x0000000000000000-mapping.dmp
-
memory/2128-30-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/2128-31-0x0000000000401074-mapping.dmp
-
memory/2128-35-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/2176-15-0x0000000000000000-mapping.dmp
-
memory/3004-76-0x0000000000000000-mapping.dmp
-
memory/3272-12-0x0000000000000000-mapping.dmp
-
memory/3284-43-0x0000000000400000-0x000000000044D000-memory.dmpFilesize
308KB
-
memory/3284-21-0x0000000000400000-0x0000000002BE9000-memory.dmpFilesize
39.9MB
-
memory/3284-27-0x0000000002D70000-0x0000000002DE8000-memory.dmpFilesize
480KB
-
memory/3284-40-0x00000000004D0000-0x0000000000559000-memory.dmpFilesize
548KB
-
memory/3284-26-0x00000000031B0000-0x00000000031B1000-memory.dmpFilesize
4KB
-
memory/3284-42-0x0000000003140000-0x0000000003141000-memory.dmpFilesize
4KB
-
memory/3284-18-0x0000000000400000-0x0000000002BE9000-memory.dmpFilesize
39.9MB
-
memory/3284-44-0x00000000005B0000-0x00000000006F0000-memory.dmpFilesize
1.2MB
-
memory/3284-19-0x00000000004043A8-mapping.dmp
-
memory/3284-28-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/3764-23-0x00000000004466F4-mapping.dmp
-
memory/3764-22-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/3764-25-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/3908-73-0x0000000000000000-mapping.dmp
-
memory/3920-2-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/3920-3-0x00000000001C0000-0x00000000001F3000-memory.dmpFilesize
204KB
-
memory/3920-4-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/4028-77-0x0000000000000000-mapping.dmp
-
memory/4044-72-0x0000000000000000-mapping.dmp
-
memory/4080-16-0x0000000000000000-mapping.dmp
-
memory/4092-46-0x0000027B62310000-0x0000027B623D9000-memory.dmpFilesize
804KB
-
memory/4092-45-0x0000027B620B0000-0x0000027B620B1000-memory.dmpFilesize
4KB
-
memory/4092-41-0x0000000000000000-mapping.dmp