danabot | c76a9b5f3a1d4456cf2fe90c115f808e4a53f04a5520eabd945af7d41c44b986

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
19-07-2021 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c65eb22434cbf550e158d45cf9a64470.exe
Size

1.0MB
MD5

c65eb22434cbf550e158d45cf9a64470
SHA1

65bc53c6b4866cdc82a55a24c107359ed424cc55
SHA256

c76a9b5f3a1d4456cf2fe90c115f808e4a53f04a5520eabd945af7d41c44b986
SHA512

395b7404dde5a9b7ca42c5cda84ad92184ea23f471747f8b86ed91b7b832b2797d473e58156504ede1ae1327795c3f5967edbf505d14545639a89003afb36bf7

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

15 3688 rundll32.exe
16 4092 RUNDLL32.EXE
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3688 rundll32.exe
4092 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 4092 set thread context of 580 4092 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
15	3688	rundll32.exe
16	4092	RUNDLL32.EXE

pid	process
3688	rundll32.exe
4092	RUNDLL32.EXE

description	pid	process	target process
PID 4092 set thread context of 580	4092	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A672D776EE33A054B15B4766321280FAA2D7A7A0\Blob = 030000000100000014000000a672d776ee33a054b15b4766321280faa2d7a7a02000000001000000300200003082022c30820195a00302010202087d43433e141702fa300d06092a864886f70d01010b050030403118301606035504030c0f4453305420526f6f7420434120583331243022060355040a0c1b4469676974616c205369676e617475726520547275737420436f2e301e170d3139303732313030303935325a170d3233303732303030303935325a30403118301606035504030c0f4453305420526f6f7420434120583331243022060355040a0c1b4469676974616c205369676e617475726520547275737420436f2e30819f300d06092a864886f70d010101050003818d0030818902818100c622a4ea51f619a810f6b399b4f793fabeb8dae1d5694204ebb077891714737869001f635c666f96134b87cf7e3c3b7dbbbb84a1aeb058f05f8a6520ab12b820294e619d1c63a222ab58a891247dcdc9197cd2a517ae3f7bdb554d2e2b2c55a7d68e185543558947a0bdf8dc9498cc90ad2f57982fb4a52e0061266d49ea7c210203010001a32f302d300f0603551d130101ff040530030101ff301a0603551d1104133011820f4453305420526f6f74204341205833300d06092a864886f70d01010b0500038181008cc6b492cd4d326a519340b720cb2f2f2d3fbcd1922c4017a375ccc4c33a6f5ec3a1406d37cde9a13dc4cf6211e865123d89e8a9398d5268a693ee356c5edc7652e934db954b757d66a5933c74189779278ccfd8f5c99f8606a08f2af7d0359b88b580eee93e28f53a5a522e0343618df0b5328139cf84fcbc2c23c2dda59111	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A672D776EE33A054B15B4766321280FAA2D7A7A0	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
4092	RUNDLL32.EXE
4092	RUNDLL32.EXE
4092	RUNDLL32.EXE
4092	RUNDLL32.EXE
4092	RUNDLL32.EXE
4092	RUNDLL32.EXE
4092	RUNDLL32.EXE
4092	RUNDLL32.EXE
964	powershell.exe
964	powershell.exe
964	powershell.exe
4092	RUNDLL32.EXE
4092	RUNDLL32.EXE
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4092 RUNDLL32.EXE
Token: SeDebugPrivilege 964 powershell.exe
Token: SeDebugPrivilege 3060 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

4092 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	4092	RUNDLL32.EXE
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

c65eb22434cbf550e158d45cf9a64470.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 4648 wrote to memory of 3688	4648	c65eb22434cbf550e158d45cf9a64470.exe	rundll32.exe
PID 4648 wrote to memory of 3688	4648	c65eb22434cbf550e158d45cf9a64470.exe	rundll32.exe
PID 4648 wrote to memory of 3688	4648	c65eb22434cbf550e158d45cf9a64470.exe	rundll32.exe
PID 3688 wrote to memory of 4092	3688	rundll32.exe	RUNDLL32.EXE
PID 3688 wrote to memory of 4092	3688	rundll32.exe	RUNDLL32.EXE
PID 3688 wrote to memory of 4092	3688	rundll32.exe	RUNDLL32.EXE
PID 4092 wrote to memory of 580	4092	RUNDLL32.EXE	rundll32.exe
PID 4092 wrote to memory of 580	4092	RUNDLL32.EXE	rundll32.exe
PID 4092 wrote to memory of 580	4092	RUNDLL32.EXE	rundll32.exe
PID 4092 wrote to memory of 964	4092	RUNDLL32.EXE	powershell.exe
PID 4092 wrote to memory of 964	4092	RUNDLL32.EXE	powershell.exe
PID 4092 wrote to memory of 964	4092	RUNDLL32.EXE	powershell.exe
PID 4092 wrote to memory of 3060	4092	RUNDLL32.EXE	powershell.exe
PID 4092 wrote to memory of 3060	4092	RUNDLL32.EXE	powershell.exe
PID 4092 wrote to memory of 3060	4092	RUNDLL32.EXE	powershell.exe
PID 3060 wrote to memory of 4360	3060	powershell.exe	nslookup.exe
PID 3060 wrote to memory of 4360	3060	powershell.exe	nslookup.exe
PID 3060 wrote to memory of 4360	3060	powershell.exe	nslookup.exe
PID 4092 wrote to memory of 4448	4092	RUNDLL32.EXE	schtasks.exe
PID 4092 wrote to memory of 4448	4092	RUNDLL32.EXE	schtasks.exe
PID 4092 wrote to memory of 4448	4092	RUNDLL32.EXE	schtasks.exe
PID 4092 wrote to memory of 4476	4092	RUNDLL32.EXE	schtasks.exe
PID 4092 wrote to memory of 4476	4092	RUNDLL32.EXE	schtasks.exe
PID 4092 wrote to memory of 4476	4092	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c65eb22434cbf550e158d45cf9a64470.exe
"C:\Users\Admin\AppData\Local\Temp\c65eb22434cbf550e158d45cf9a64470.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C65EB2~1.TMP,S C:\Users\Admin\AppData\Local\Temp\C65EB2~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\C65EB2~1.TMP,giBiRzFL
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17894
4⤵
PID:580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA643.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpCB13.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:4360

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:4448

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:4476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
8303b2caddfa02d1e3bd7796fc8f36e0

SHA1
b1b02156710b146139620b5fb8bf90ab8a3de615

SHA256
b1228441b57de321998f4697c8d62dd7ad676e032b52a7539171f10dafe7765d

SHA512
09f16b9281154f91c68b3609fe4468786be41005b3ce3af6997f11b7610a73ef61b8168ff093a375cae439f5231f1708bc33b05a9d566bdf5c74a590681773df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b077c370fe7a707180a8c64ab8959d28

SHA1
abcfc0049b29710d55d867491e5c66fc24c4d248

SHA256
3f3d234a9de1e981212695a94d0ef7ae26ba47e30939e0885f4104f458a67f81

SHA512
690430e2e64a262dec70cc6477c46a2e24b267a0a8425c2b70cf4d568103e75e7c9370b9ffb6e7cf4b3b1bf8682364683d0035ff9977017c7b7134ee07849231

Download Submit
C:\Users\Admin\AppData\Local\Temp\C65EB2~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA643.tmp.ps1
MD5
2235ee713c761fe6a7943e197361e28e

SHA1
203543d7df09418f6428c6a698cf840c6884a8b8

SHA256
d625a6d059e61f0ef120a3a8dd6db76743316c41533b6859c6b57e5df54d6dbd

SHA512
60ef7f8d7173c0d9358aaaded8a27ebfb544683ac067171b0172c8a68b59589cf2f2673aabeacacdbd474f4573cadf3d7b0290b1b9853396d2efddf186bc4cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA654.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB13.tmp.ps1
MD5
8b1d1f53a7cffb5b31d15ddfe3a20799

SHA1
5f0c0c4ababd75dd4a9852785e0adf75256a7fae

SHA256
5fc1695fb0cf40d0f1caca23772d1462239683d2ac7c0c742f74cf45c6a7f397

SHA512
44e8a9f9ba1281c220823dbcc00bf63da4ab2a8ed3c6d3f3056fc4678fef0f09192fa6ecfc763fef7577f4f3d30591c5785691cce49f84c99a8cc51b7e7cf1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB14.tmp
MD5
3154d454e465e6ac556a3da9d73e139f

SHA1
56633038f8372c0a639ad75f378edd0864e5d228

SHA256
e4a0eb823868d3c8288f3709c9ed230f90d3b4160e30b77d3a4faeb7902782be

SHA512
36179359ff1f72e8b856e6947d23e86817fe5c107500c713dfa92158ef75ec342e3f67416107990a2164309e4300e53ff630d1148230454d592a2a015085b262

Download Submit
\Users\Admin\AppData\Local\Temp\C65EB2~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
\Users\Admin\AppData\Local\Temp\C65EB2~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
memory/580-136-0x00007FF6745A5FD0-mapping.dmp

Download
memory/580-141-0x00000000001A0000-0x0000000000340000-memory.dmp

Filesize
1.6MB

Download
memory/580-140-0x000001F0A3570000-0x000001F0A3721000-memory.dmp

Filesize
1.7MB

Download
memory/964-142-0x0000000000000000-mapping.dmp

Download
memory/964-152-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/964-145-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/964-146-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/964-147-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/964-148-0x0000000007172000-0x0000000007173000-memory.dmp

Filesize
4KB

Download
memory/964-149-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/964-150-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/964-151-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/964-164-0x0000000009650000-0x0000000009651000-memory.dmp

Filesize
4KB

Download
memory/964-153-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/964-154-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/964-155-0x00000000088B0000-0x00000000088B1000-memory.dmp

Filesize
4KB

Download
memory/964-167-0x0000000007173000-0x0000000007174000-memory.dmp

Filesize
4KB

Download
memory/964-157-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/964-162-0x000000000A020000-0x000000000A021000-memory.dmp

Filesize
4KB

Download
memory/964-163-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/3060-168-0x0000000000000000-mapping.dmp

Download
memory/3060-180-0x0000000008B70000-0x0000000008B71000-memory.dmp

Filesize
4KB

Download
memory/3060-195-0x0000000007273000-0x0000000007274000-memory.dmp

Filesize
4KB

Download
memory/3060-182-0x0000000007272000-0x0000000007273000-memory.dmp

Filesize
4KB

Download
memory/3060-181-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/3060-177-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/3688-128-0x00000000051E0000-0x0000000006476000-memory.dmp

Filesize
18.6MB

Download
memory/3688-115-0x0000000000000000-mapping.dmp

Download
memory/4092-125-0x0000000000000000-mapping.dmp

Download
memory/4092-139-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/4092-135-0x0000000004E90000-0x0000000006126000-memory.dmp

Filesize
18.6MB

Download
memory/4360-191-0x0000000000000000-mapping.dmp

Download
memory/4448-194-0x0000000000000000-mapping.dmp

Download
memory/4476-196-0x0000000000000000-mapping.dmp

Download
memory/4648-114-0x0000000000DB0000-0x0000000000EAF000-memory.dmp

Filesize
1020KB

Download
memory/4648-118-0x0000000000400000-0x0000000000972000-memory.dmp

Filesize
5.4MB

Download