danabot | 9610051a347d56ae5d91e3a3c471a2d90b5a4e02b2aa714f931d4cbe164eb42c

Analysis

max time kernel
141s
max time network
135s
platform
windows10_x64
resource
win10v20210410
submitted
25-07-2021 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbcc5e3ca7e87e9050071b250a55d59b.exe
Size

1.2MB
MD5

bbcc5e3ca7e87e9050071b250a55d59b
SHA1

899efad6150077f3d3a80d82ed567799467bacce
SHA256

9610051a347d56ae5d91e3a3c471a2d90b5a4e02b2aa714f931d4cbe164eb42c
SHA512

ab676ee81674ac67ad9694c8d29ed59bfac79c0802b671ad87d19bc47532a37e2e1c2c7dfe1a70873107999a75de64d24ba8678194bcf1e6032c1e214d0b99db

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

15 2164 rundll32.exe
16 2016 RUNDLL32.EXE
Loads dropped DLL 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2164 rundll32.exe
2164 rundll32.exe
2016 RUNDLL32.EXE
2016 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
15	2164	rundll32.exe
16	2016	RUNDLL32.EXE

pid	process
2164	rundll32.exe
2164	rundll32.exe
2016	RUNDLL32.EXE
2016	RUNDLL32.EXE

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7DB36DD316686DE6A2B55A4E153DF876D729228B	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7DB36DD316686DE6A2B55A4E153DF876D729228B\Blob = 0300000001000000140000007db36dd316686de6a2b55a4e153df876d729228b2000000001000000710200003082026d308201d6a00302010202087ba783ba36a654d5300d06092a864886f70d01010b0500305b3123302106035504030c1a4261326c74696d6f7265204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3139303732363231343635385a170d3233303732353231343635385a305b3123302106035504030c1a4261326c74696d6f7265204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100bce0e206c98463d0a3532c3960ded812378033d6ce6c36fea6919e813060494c3ab0976d49120b8da8948224d7a8a1eb7551754f31e6427f3d832d574dbcbd1aebb4435b20909a81e88f59e9750b550f78e6307a907d6e7445bc82c604eec16908fb4afaef413efb92da7a03989aa21be3bc50a7057486bf9af517ad29525eb30203010001a33a3038300f0603551d130101ff040530030101ff30250603551d11041e301c821a4261326c74696d6f7265204379626572547275737420526f6f74300d06092a864886f70d01010b0500038181009a02b6a753a920c60cfe770672fb8438827245adf74384f6b02e230a7f9ac8757bb0e3e50584e3c8831a1a142a5f5ff14cd8b15c45f11dfea47b534b72445a98203bb75b131e44baef099d22f56066c42c4f3c9d84f96353cadb7728cb1a568047bd62c85cee2f49575eff961c852293653e0c06692522bb05bccbe00c06aa18	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
2016	RUNDLL32.EXE
2016	RUNDLL32.EXE
2016	RUNDLL32.EXE
2016	RUNDLL32.EXE
2016	RUNDLL32.EXE
2016	RUNDLL32.EXE
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe
2016	RUNDLL32.EXE
2016	RUNDLL32.EXE
2988	powershell.exe
2988	powershell.exe
2988	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2016 RUNDLL32.EXE
Token: SeDebugPrivilege 4056 powershell.exe
Token: SeDebugPrivilege 2988 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2016 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	2016	RUNDLL32.EXE
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

bbcc5e3ca7e87e9050071b250a55d59b.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 4016 wrote to memory of 2164	4016	bbcc5e3ca7e87e9050071b250a55d59b.exe	rundll32.exe
PID 4016 wrote to memory of 2164	4016	bbcc5e3ca7e87e9050071b250a55d59b.exe	rundll32.exe
PID 4016 wrote to memory of 2164	4016	bbcc5e3ca7e87e9050071b250a55d59b.exe	rundll32.exe
PID 2164 wrote to memory of 2016	2164	rundll32.exe	RUNDLL32.EXE
PID 2164 wrote to memory of 2016	2164	rundll32.exe	RUNDLL32.EXE
PID 2164 wrote to memory of 2016	2164	rundll32.exe	RUNDLL32.EXE
PID 2016 wrote to memory of 4056	2016	RUNDLL32.EXE	powershell.exe
PID 2016 wrote to memory of 4056	2016	RUNDLL32.EXE	powershell.exe
PID 2016 wrote to memory of 4056	2016	RUNDLL32.EXE	powershell.exe
PID 2016 wrote to memory of 2988	2016	RUNDLL32.EXE	powershell.exe
PID 2016 wrote to memory of 2988	2016	RUNDLL32.EXE	powershell.exe
PID 2016 wrote to memory of 2988	2016	RUNDLL32.EXE	powershell.exe
PID 2988 wrote to memory of 3796	2988	powershell.exe	nslookup.exe
PID 2988 wrote to memory of 3796	2988	powershell.exe	nslookup.exe
PID 2988 wrote to memory of 3796	2988	powershell.exe	nslookup.exe
PID 2016 wrote to memory of 3780	2016	RUNDLL32.EXE	schtasks.exe
PID 2016 wrote to memory of 3780	2016	RUNDLL32.EXE	schtasks.exe
PID 2016 wrote to memory of 3780	2016	RUNDLL32.EXE	schtasks.exe
PID 2016 wrote to memory of 2880	2016	RUNDLL32.EXE	schtasks.exe
PID 2016 wrote to memory of 2880	2016	RUNDLL32.EXE	schtasks.exe
PID 2016 wrote to memory of 2880	2016	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe
"C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP,S C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP,Xk8P
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5AD3.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6F09.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3796

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3780

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
9dfb4eac08903bbcd3fe69d3ea4105d6

SHA1
437976017e144d0fe0a030ea423dd278c4763c93

SHA256
cb2be3a089353da61efc58b5ff63b9180202eb25270fdd99c783cd5f70512110

SHA512
06c84845ad90848fff740b3512cade834e2166aea63058db92e3f4c7d921ebb1fad311e3d27ce8b25042e957f78d04b0d186d5a3c5e401b9867a7f6af897e038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
19e61689cdacb43e72bd1e5fb33fc110

SHA1
1aab9f64062dcfe244f78ccf5c5d4df94bfc8360

SHA256
29ff8bfd7204c4f4efc70f5dff81d174ff6093866355170ac9b0aa02697c53b7

SHA512
48cbe194c00bce3cf99de3d27c782fb8b8074a908563fa0e82f4fad697f768742697d641f413f3d84155cb8b80ce3a04c9c708f71aa200d64f8d3c8d4131dabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
MD5
13de044c4ce35f2eded6358956fd001b

SHA1
bd219d896a2f6ee552335e563fa6f68923fc57fa

SHA256
7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d

SHA512
cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5AD3.tmp.ps1
MD5
8a91f161bf4cc83597d38f386e055728

SHA1
87dd3512b79d6480c0cd29441fe6e0ebd9e53c58

SHA256
fc012f432955893c21ae6c6933971c75f8f4199056c80faedb93a73401b46ae0

SHA512
9e39705f593b6104796ed2cbd51e07c0b0879d4dbe5115beac1a625c7d0f4da8bcab0c5f57a1c522e4d8138ab7b67ecbfa5c1f7215c9e956661c56302c35ab36

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5AD4.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F09.tmp.ps1
MD5
07e4c57e0caf4c4b4a310e310e22a180

SHA1
f95a91b4c94d03d9ba2dc25e747c58b64f6cc16f

SHA256
77a308551090fd050996f0b611402a66c79056eab0cc192d4f055897a3e5df14

SHA512
5159ede9c58ccf2bda5fa86ef96c28ffe1704d1c5c606d690ecc0de28134e428660478cb52391e846022493cd1d71561d5c56640108491ccf65cea5bb66e7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F0A.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
MD5
13de044c4ce35f2eded6358956fd001b

SHA1
bd219d896a2f6ee552335e563fa6f68923fc57fa

SHA256
7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d

SHA512
cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb

Download Submit
\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
MD5
13de044c4ce35f2eded6358956fd001b

SHA1
bd219d896a2f6ee552335e563fa6f68923fc57fa

SHA256
7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d

SHA512
cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb

Download Submit
\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
MD5
13de044c4ce35f2eded6358956fd001b

SHA1
bd219d896a2f6ee552335e563fa6f68923fc57fa

SHA256
7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d

SHA512
cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb

Download Submit
\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
MD5
13de044c4ce35f2eded6358956fd001b

SHA1
bd219d896a2f6ee552335e563fa6f68923fc57fa

SHA256
7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d

SHA512
cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb

Download Submit
memory/2016-130-0x0000000000A70000-0x0000000000B1E000-memory.dmp

Filesize
696KB

Download
memory/2016-139-0x0000000004610000-0x00000000058A6000-memory.dmp

Filesize
18.6MB

Download
memory/2016-127-0x0000000000000000-mapping.dmp

Download
memory/2164-131-0x0000000004950000-0x0000000005BE6000-memory.dmp

Filesize
18.6MB

Download
memory/2164-120-0x0000000000AA0000-0x0000000000B4E000-memory.dmp

Filesize
696KB

Download
memory/2164-116-0x0000000000000000-mapping.dmp

Download
memory/2880-200-0x0000000000000000-mapping.dmp

Download
memory/2988-172-0x0000000000000000-mapping.dmp

Download
memory/2988-199-0x00000000067E3000-0x00000000067E4000-memory.dmp

Filesize
4KB

Download
memory/2988-187-0x00000000067E2000-0x00000000067E3000-memory.dmp

Filesize
4KB

Download
memory/2988-186-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/2988-184-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/2988-181-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/3780-198-0x0000000000000000-mapping.dmp

Download
memory/3796-195-0x0000000000000000-mapping.dmp

Download
memory/4016-114-0x0000000002310000-0x0000000002411000-memory.dmp

Filesize
1.0MB

Download
memory/4016-115-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/4056-153-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/4056-155-0x00000000040D2000-0x00000000040D3000-memory.dmp

Filesize
4KB

Download
memory/4056-152-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/4056-171-0x00000000040D3000-0x00000000040D4000-memory.dmp

Filesize
4KB

Download
memory/4056-167-0x0000000008A10000-0x0000000008A11000-memory.dmp

Filesize
4KB

Download
memory/4056-151-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/4056-166-0x0000000009490000-0x0000000009491000-memory.dmp

Filesize
4KB

Download
memory/4056-150-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/4056-161-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/4056-168-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

Filesize
4KB

Download
memory/4056-159-0x0000000007D20000-0x0000000007D21000-memory.dmp

Filesize
4KB

Download
memory/4056-149-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/4056-158-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/4056-146-0x0000000000000000-mapping.dmp

Download
memory/4056-157-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/4056-156-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/4056-154-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download