Analysis
- max time kernel: 119s
- max time network: 139s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-03-2021 14:50
Static task: static1
Behavioral task: behavioral1
- Sample: 8343d0955b6e122e915e7c381d597f60eeb96b18c9069bc35276c04e0fe52448.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 8343d0955b6e122e915e7c381d597f60eeb96b18c9069bc35276c04e0fe52448.bin.exe
- Resource: win10v20201028
General
- Target: 8343d0955b6e122e915e7c381d597f60eeb96b18c9069bc35276c04e0fe52448.bin.exe
- Size: 199KB
- MD5: 694aeb997cad16f5d2a82fe34447c2f5
- SHA1: 99151301e07d13301ce5a579d087b6a78389c38b
- SHA256: 8343d0955b6e122e915e7c381d597f60eeb96b18c9069bc35276c04e0fe52448
- SHA512: f0979eea4e1b2141442d48f6b84b76d2dfae24f59df6b5e9446c4652e566415bc09e2a9d8ca5628fbfc7e260e5d2a5992023bcd5a13f980ebf204c2d80ff95ba
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox payload 7 IoCs
Detects DiamondFox payload in file/memory.
Processes:
resource  yara_rule
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe  diamondfox
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource  yara_rule
behavioral1/memory/1764-22-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
behavioral1/memory/1764-23-0x00000000004466F4-mapping.dmp  WebBrowserPassView
behavioral1/memory/1764-27-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
-
Nirsoft 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1764-22-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
behavioral1/memory/1764-23-0x00000000004466F4-mapping.dmp  Nirsoft
behavioral1/memory/1764-27-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
-
Executes dropped EXE 3 IoCs
Processes:
pid  process
604  MicrosoftEdgeCPS.exe
976  MicrosoftEdgeCPS.exe
1764  MicrosoftEdgeCPS.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid  process
1152  8343d0955b6e122e915e7c381d597f60eeb96b18c9069bc35276c04e0fe52448.bin.exe
1152  8343d0955b6e122e915e7c381d597f60eeb96b18c9069bc35276c04e0fe52448.bin.exe
604  MicrosoftEdgeCPS.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 17 IoCs
Processes:
description  pid  process  target process
PID 604 set thread context of 976  604  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
PID 604 set thread context of 1764  604  MicrosoftEdgeCPS.exe  MicrosoftEdgeCPS.exe
PID 976 set thread context of 524  976  MicrosoftEdgeCPS.exe  WerFault.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
PID 604 set thread context of 0  604  MicrosoftEdgeCPS.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid  process
604  MicrosoftEdgeCPS.exe
1764  MicrosoftEdgeCPS.exe
1764  MicrosoftEdgeCPS.exe
604  MicrosoftEdgeCPS.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid  process
976  MicrosoftEdgeCPS.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8343d0955b6e122e915e7c381d597f60eeb96b18c9069bc35276c04e0fe52448.bin.exe "C:\Users\Admin\AppData\Local\Temp\8343d0955b6e122e915e7c381d597f60eeb96b18c9069bc35276c04e0fe52448.bin.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exe "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List 3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe "wmic" os get caption /FORMAT:List 3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe "wmic" path win32_VideoController get caption /FORMAT:List 3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List 3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List 3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List 3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List 3⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe" 3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exe C:\Windows\system32\WerFault.exe 4⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log" 3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\Wbem\wmic.exe "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List 3⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List 3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\EdgeCP\1.log
MD5: 4f7d90f045ae07792fb8d76bce925854
SHA1: c39b2866368f2c88c1865aa5577792bd2fb8bfe5
SHA256: df74b997137fec63589828cafa9df9bfe272b330ffb8743fa4db79096a0fdc34
SHA512: 4ce48987acf465b7064d0162449eaf929b1e80dc760fe2da72e2841754a34536be5b2c17ade17d58e76c31bc9fdd6540820191395b9399287aabf4007274ae71
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5: 694aeb997cad16f5d2a82fe34447c2f5
SHA1: 99151301e07d13301ce5a579d087b6a78389c38b
SHA256: 8343d0955b6e122e915e7c381d597f60eeb96b18c9069bc35276c04e0fe52448
SHA512: f0979eea4e1b2141442d48f6b84b76d2dfae24f59df6b5e9446c4652e566415bc09e2a9d8ca5628fbfc7e260e5d2a5992023bcd5a13f980ebf204c2d80ff95ba