diamondfox | 48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

Analysis

max time kernel
88s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-07-2022 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
Size

216KB
MD5

670497e6310600fe3149d128946cf9df
SHA1

82a807efec4d2751e0834f5605e13001c6450841
SHA256

48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e
SHA512

4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Score

10^/10

diamondfox botnet evasion persistence stealer trojan

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

spoolsv.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" spoolsv.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

spoolsv.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" spoolsv.exe
Executes dropped EXE 2 IoCs

Processes:

spoolsv.exespoolsv.exe

pid process

5092 spoolsv.exe
2696 spoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	spoolsv.exe

pid	process
5092	spoolsv.exe
2696	spoolsv.exe

Drops startup file 4 IoCs

Processes:

spoolsv.exe48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exespoolsv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe	spoolsv.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs	spoolsv.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

spoolsv.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" spoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\run	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Users\\Admin\\AppData\\Roaming\\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\spoolsv.exe"	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

spoolsv.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" spoolsv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exespoolsv.exespoolsv.exe

pid	process
3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
4888	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
5092	spoolsv.exe
2696	spoolsv.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exespoolsv.exe

description	pid	process	target process
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 3632 wrote to memory of 4888	3632	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
PID 4888 wrote to memory of 5092	4888	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	spoolsv.exe
PID 4888 wrote to memory of 5092	4888	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	spoolsv.exe
PID 4888 wrote to memory of 5092	4888	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	spoolsv.exe
PID 4888 wrote to memory of 436	4888	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	cmd.exe
PID 4888 wrote to memory of 436	4888	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	cmd.exe
PID 4888 wrote to memory of 436	4888	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	cmd.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe
PID 5092 wrote to memory of 2696	5092	spoolsv.exe	spoolsv.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

spoolsv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
"C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
  "C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
    C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
      C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
      4⤵
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Drops startup file
      Windows security modification
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\80016A89.cmd
    3⤵
    PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80016A89.cmd

Filesize
170B

MD5
07490cb84315068c4b4574d0845fa079

SHA1
44abfd5f47b28257c27a6fdef058fd2807f373c5

SHA256
8be315ea075506ad8720caa7265bd99451a382be615528a099bf23ab5c1c80c9

SHA512
68d79cd335ecc219d4f1a5150bce5b2c2c3ffca13ca63d414bc58ea0a198b4596ab4ea02347401ba2754985a78c878520f71c101d4afaf98eb14b00304b57c11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs

Filesize
384B

MD5
824a719d4a5cce2f0603e9bd63bae64c

SHA1
381ea9689a1ca092dfa375f160bc269adde97f8d

SHA256
addece724ab9ff11addbf757c3f26b3499f1a372f391d67a04514a93ad8699ac

SHA512
8ef76ca77c9a970b7f33afb761d310587412dc8e411259422ca227faac5e51db8da87592545d5e8a10623ed26f1e51d43ae8d2cd471deffb4ca43e8a9832eb3e

Download Submit
C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe

Filesize
216KB

MD5
670497e6310600fe3149d128946cf9df

SHA1
82a807efec4d2751e0834f5605e13001c6450841

SHA256
48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

SHA512
4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Download Submit
C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe

Filesize
216KB

MD5
670497e6310600fe3149d128946cf9df

SHA1
82a807efec4d2751e0834f5605e13001c6450841

SHA256
48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

SHA512
4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Download Submit
C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe

Filesize
216KB

MD5
670497e6310600fe3149d128946cf9df

SHA1
82a807efec4d2751e0834f5605e13001c6450841

SHA256
48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

SHA512
4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Download Submit
memory/436-165-0x0000000000000000-mapping.dmp

Download
memory/2696-203-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-197-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-207-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-206-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-205-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-204-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-209-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-210-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-211-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/2696-202-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-201-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-214-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/2696-200-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-213-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/2696-199-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-198-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-208-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-196-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/2696-195-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2696-192-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2696-212-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/2696-189-0x0000000000000000-mapping.dmp

Download
memory/3632-156-0x0000000002340000-0x0000000002355000-memory.dmp

Filesize
84KB

Download
memory/3632-132-0x0000000002340000-0x0000000002355000-memory.dmp

Filesize
84KB

Download
memory/4888-153-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-161-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-169-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-171-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-170-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-172-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-173-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-174-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-175-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-176-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-177-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-178-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-179-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-180-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-182-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-181-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-184-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-183-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-185-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-186-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-187-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-167-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-164-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-168-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-163-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-162-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-160-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-159-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-158-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-157-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-155-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-154-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-152-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-151-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-133-0x0000000000000000-mapping.dmp

Download
memory/4888-145-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-144-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-143-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-142-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-141-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-140-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-139-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-135-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/4888-134-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/5092-146-0x0000000000000000-mapping.dmp

Download