danabot | 7a79e2248392fa193b734c9442588144434853006dd6b54545ab3e4ef7971cba

Analysis

max time kernel
146s
max time network
112s
platform
windows10_x64
resource
win10v20210408
submitted
24-07-2021 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b7419ef5704c67f35d42beeeba83ba.exe
Size

1.1MB
MD5

e6b7419ef5704c67f35d42beeeba83ba
SHA1

feedc1394fa98c479c41fc1211c530f3201fde06
SHA256

7a79e2248392fa193b734c9442588144434853006dd6b54545ab3e4ef7971cba
SHA512

0807f5e4691cddb6a44c4f231a084857919a223c98fee3f7441f9be35e9eab6597077114eff067508c9b615aed006a155ac6a124d44fc436a52ec770d040a0b1

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

14 3720 rundll32.exe
15 2680 RUNDLL32.EXE
Loads dropped DLL 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3720 rundll32.exe
3720 rundll32.exe
2680 RUNDLL32.EXE
2680 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 2680 set thread context of 1220 2680 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
14	3720	rundll32.exe
15	2680	RUNDLL32.EXE

pid	process
3720	rundll32.exe
3720	rundll32.exe
2680	RUNDLL32.EXE
2680	RUNDLL32.EXE

description	pid	process	target process
PID 2680 set thread context of 1220	2680	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4DCB91123D996BFCBE5FD7703A8A14A09C14BB36	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4DCB91123D996BFCBE5FD7703A8A14A09C14BB36\Blob = 0300000001000000140000004dcb91123d996bfcbe5fd7703a8a14a09c14bb362000000001000000c3020000308202bf30820228a0030201020208433997ef63a2a031300d06092a864886f70d01010b050030793139303706035504030c3056653272695369676e20556e6976657273616c20526f6f742043657274696669636174696f6e20417574686f72697479311b3019060355040b0c1222286329203230303820566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553301e170d3139303732353032353435355a170d3233303732343032353435355a30793139303706035504030c3056653272695369676e20556e6976657273616c20526f6f742043657274696669636174696f6e20417574686f72697479311b3019060355040b0c1222286329203230303820566572695369676e31123010060355040a0c0922566572695369676e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c39cb4e0113eb33f7b5c7dbb82aa9f01af82df07f448313fcfe4a79a0c26ebaf383170c97a4fbc1c2f5b2fd41ecdcd83c5978a14e31e87ca3fd652c8e87a9608762cd128eb531e8da9192584195fe0ebe6180a70bb4fc2b53829cae495c6a35c8fc2a8218ee4b30ad1203ba69767f1387f0680d34ccf694dbf0489c72704cae30203010001a350304e300f0603551d130101ff040530030101ff303b0603551d1104343032823056653272695369676e20556e6976657273616c20526f6f742043657274696669636174696f6e20417574686f72697479300d06092a864886f70d01010b0500038181004226ddbf375fd7afe6e272201e514a7f5282f9dc02a3dedb90c567738cb986bb7497deebb4b88e1e5d400a3b2a8ae9231cd9fc634ec8767cdafb1a25bc9331efc06871631b58b9d6541d15fe51d582274ca2f570799dc61e6e54b8336c2d6aaf5f2f3e03fbdb033d80dbf678a9f488c0b6e147f6d0bc038c59ae070e31fcce6a	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
2680	RUNDLL32.EXE
2680	RUNDLL32.EXE
2680	RUNDLL32.EXE
2680	RUNDLL32.EXE
2680	RUNDLL32.EXE
2680	RUNDLL32.EXE
2680	RUNDLL32.EXE
2680	RUNDLL32.EXE
4088	powershell.exe
4088	powershell.exe
4088	powershell.exe
2680	RUNDLL32.EXE
2680	RUNDLL32.EXE
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2680 RUNDLL32.EXE
Token: SeDebugPrivilege 4088 powershell.exe
Token: SeDebugPrivilege 1808 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2680 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	2680	RUNDLL32.EXE
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

e6b7419ef5704c67f35d42beeeba83ba.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 528 wrote to memory of 3720	528	e6b7419ef5704c67f35d42beeeba83ba.exe	rundll32.exe
PID 528 wrote to memory of 3720	528	e6b7419ef5704c67f35d42beeeba83ba.exe	rundll32.exe
PID 528 wrote to memory of 3720	528	e6b7419ef5704c67f35d42beeeba83ba.exe	rundll32.exe
PID 3720 wrote to memory of 2680	3720	rundll32.exe	RUNDLL32.EXE
PID 3720 wrote to memory of 2680	3720	rundll32.exe	RUNDLL32.EXE
PID 3720 wrote to memory of 2680	3720	rundll32.exe	RUNDLL32.EXE
PID 2680 wrote to memory of 1220	2680	RUNDLL32.EXE	rundll32.exe
PID 2680 wrote to memory of 1220	2680	RUNDLL32.EXE	rundll32.exe
PID 2680 wrote to memory of 1220	2680	RUNDLL32.EXE	rundll32.exe
PID 2680 wrote to memory of 4088	2680	RUNDLL32.EXE	powershell.exe
PID 2680 wrote to memory of 4088	2680	RUNDLL32.EXE	powershell.exe
PID 2680 wrote to memory of 4088	2680	RUNDLL32.EXE	powershell.exe
PID 2680 wrote to memory of 1808	2680	RUNDLL32.EXE	powershell.exe
PID 2680 wrote to memory of 1808	2680	RUNDLL32.EXE	powershell.exe
PID 2680 wrote to memory of 1808	2680	RUNDLL32.EXE	powershell.exe
PID 1808 wrote to memory of 2292	1808	powershell.exe	nslookup.exe
PID 1808 wrote to memory of 2292	1808	powershell.exe	nslookup.exe
PID 1808 wrote to memory of 2292	1808	powershell.exe	nslookup.exe
PID 2680 wrote to memory of 3988	2680	RUNDLL32.EXE	schtasks.exe
PID 2680 wrote to memory of 3988	2680	RUNDLL32.EXE	schtasks.exe
PID 2680 wrote to memory of 3988	2680	RUNDLL32.EXE	schtasks.exe
PID 2680 wrote to memory of 3308	2680	RUNDLL32.EXE	schtasks.exe
PID 2680 wrote to memory of 3308	2680	RUNDLL32.EXE	schtasks.exe
PID 2680 wrote to memory of 3308	2680	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e6b7419ef5704c67f35d42beeeba83ba.exe
"C:\Users\Admin\AppData\Local\Temp\e6b7419ef5704c67f35d42beeeba83ba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E6B741~1.TMP,S C:\Users\Admin\AppData\Local\Temp\E6B741~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\E6B741~1.TMP,GxsANjEzM1k=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17894
4⤵
PID:1220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA086.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC4AA.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2292

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3988

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
26af65cbb11480fa1e5ce0b232dd1dfb

SHA1
fa17c2c3f417d80dfed9a153b20b61a595046748

SHA256
63ac430b3c16751c4f3d083243f13f350783196f1e108ff6c3c235b3deb3dae8

SHA512
b0be9f589d61e5eea42ef98ade61f445017d5d2914ba081544616eda59294d4aaccb6c180a456986d6bd9ed897fc598dd8605f23a8c2267165590422d34f725c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1f8546f6b0896a1567c5e1e6602ccdaa

SHA1
c89dbb35a6d98fbf1855b388e5fd0ea4b9d10eb6

SHA256
8971de44123cbb4606bf8a9d8ce45e44ac50bf0c1c408ad6a8f602fd91c2dadc

SHA512
a5bfe4c9a626a9039674766e52ef6c3311e405cbcafe01f1a4d517836d84f50ff92b6b225a5da88deb9a4be01f228de81053159a1306538e3110c32f226bda00

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6B741~1.TMP
MD5
02e6a2ff71d8467f7d4113a20a66a039

SHA1
80c16bbcc268ee67bc149d2fd8c270eda9c1ecda

SHA256
d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443

SHA512
030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA086.tmp.ps1
MD5
fe42335d1ef34781f9182e6b7477fe81

SHA1
db6b9bd4170d99237b023f94330195e11c12b40e

SHA256
97b647963bcd2d6a9a095ea1af3cb3e0f8ed0fb3c40ca3a95f8001b3e3a0ad59

SHA512
0bd83473a194381bc6fec7707f5b3ba4b0d76e5daff63dd0298a1d450f07915c9bfe3a83aaeab6a98ed7cac5090076df4a2141dc41e1808e4161188b60ddfb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA087.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4AA.tmp.ps1
MD5
e58e6b54a5b4c3de1e574cc0f89bde30

SHA1
5e76df17e633dc711888fcdc6dfb0d3c6e236ed6

SHA256
a0eb419ab56e073dc689ef0b4506c5d949dfc5727688363d84fa53cbbdca34a3

SHA512
2b84af944ec9880457bef4127014249770d361f0b5e20aaae4347fed4278ca4a4c60817b3bdc5a175a2288403b956533ba39d937ba5d84623eb4378aef2e602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\E6B741~1.TMP
MD5
02e6a2ff71d8467f7d4113a20a66a039

SHA1
80c16bbcc268ee67bc149d2fd8c270eda9c1ecda

SHA256
d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443

SHA512
030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae

Download Submit
\Users\Admin\AppData\Local\Temp\E6B741~1.TMP
MD5
02e6a2ff71d8467f7d4113a20a66a039

SHA1
80c16bbcc268ee67bc149d2fd8c270eda9c1ecda

SHA256
d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443

SHA512
030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae

Download Submit
\Users\Admin\AppData\Local\Temp\E6B741~1.TMP
MD5
02e6a2ff71d8467f7d4113a20a66a039

SHA1
80c16bbcc268ee67bc149d2fd8c270eda9c1ecda

SHA256
d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443

SHA512
030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae

Download Submit
\Users\Admin\AppData\Local\Temp\E6B741~1.TMP
MD5
02e6a2ff71d8467f7d4113a20a66a039

SHA1
80c16bbcc268ee67bc149d2fd8c270eda9c1ecda

SHA256
d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443

SHA512
030addbf66f19acb4b82446a0c3da786cb6a7080ab60418db24c335afbd26069ff26efe0b70512348db6f4404cfcfdaad4aa3874d6edf5fcb771cfab7eb872ae

Download Submit
memory/528-115-0x00000000028D0000-0x00000000029CF000-memory.dmp

Filesize
1020KB

Download
memory/528-116-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/1220-145-0x0000014D5EF50000-0x0000014D5F101000-memory.dmp

Filesize
1.7MB

Download
memory/1220-144-0x0000000000BB0000-0x0000000000D50000-memory.dmp

Filesize
1.6MB

Download
memory/1220-140-0x00007FF6529D5FD0-mapping.dmp

Download
memory/1808-199-0x0000000004E93000-0x0000000004E94000-memory.dmp

Filesize
4KB

Download
memory/1808-184-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

Filesize
4KB

Download
memory/1808-185-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1808-181-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/1808-172-0x0000000000000000-mapping.dmp

Download
memory/1808-186-0x0000000004E92000-0x0000000004E93000-memory.dmp

Filesize
4KB

Download
memory/2292-195-0x0000000000000000-mapping.dmp

Download
memory/2680-133-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/2680-143-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/2680-127-0x0000000000000000-mapping.dmp

Download
memory/2680-130-0x0000000000EE0000-0x000000000103D000-memory.dmp

Filesize
1.4MB

Download
memory/2680-139-0x0000000004AA0000-0x0000000005D36000-memory.dmp

Filesize
18.6MB

Download
memory/3308-200-0x0000000000000000-mapping.dmp

Download
memory/3720-120-0x00000000010B0000-0x000000000115E000-memory.dmp

Filesize
696KB

Download
memory/3720-121-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/3720-132-0x0000000004730000-0x00000000059C6000-memory.dmp

Filesize
18.6MB

Download
memory/3720-114-0x0000000000000000-mapping.dmp

Download
memory/3988-198-0x0000000000000000-mapping.dmp

Download
memory/4088-159-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/4088-161-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/4088-169-0x0000000001213000-0x0000000001214000-memory.dmp

Filesize
4KB

Download
memory/4088-151-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/4088-150-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/4088-149-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/4088-146-0x0000000000000000-mapping.dmp

Download
memory/4088-167-0x0000000008D90000-0x0000000008D91000-memory.dmp

Filesize
4KB

Download
memory/4088-166-0x0000000009810000-0x0000000009811000-memory.dmp

Filesize
4KB

Download
memory/4088-168-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/4088-152-0x0000000001212000-0x0000000001213000-memory.dmp

Filesize
4KB

Download
memory/4088-153-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/4088-158-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/4088-157-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/4088-156-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/4088-155-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/4088-154-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download