danabot | f7c566ca7413a1259a7bcc120bc431a5ad129438b1e8b9b51c398d5eecfc51a5

Analysis

max time kernel
144s
max time network
120s
platform
windows10_x64
resource
win10v20210408
submitted
25-07-2021 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab4cf6181cfb102ec86c66d56af2d229.exe
Size

1.1MB
MD5

ab4cf6181cfb102ec86c66d56af2d229
SHA1

ac756cbff2887e804e9957898b0d6450a33a0aa1
SHA256

f7c566ca7413a1259a7bcc120bc431a5ad129438b1e8b9b51c398d5eecfc51a5
SHA512

dec2910e395b1714966c85741f1062f6a4b62a9a1ab3f8f92c573a2b44a49ced2a963f383247b871eb90ec7cc795a4226dc0944b8bce3e74bb3f5bd2024b0a2f

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

14 2004 rundll32.exe
15 2352 RUNDLL32.EXE
Loads dropped DLL 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2004 rundll32.exe
2004 rundll32.exe
2352 RUNDLL32.EXE
2352 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 2352 set thread context of 2108 2352 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
14	2004	rundll32.exe
15	2352	RUNDLL32.EXE

pid	process
2004	rundll32.exe
2004	rundll32.exe
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE

description	pid	process	target process
PID 2352 set thread context of 2108	2352	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C0A0DA32F87DAC968C8D11C980D3E338068CA9C4	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C0A0DA32F87DAC968C8D11C980D3E338068CA9C4\Blob = 030000000100000014000000c0a0da32f87dac968c8d11c980d3e338068ca9c42000000001000000b3020000308202af30820218a003020102020829c0d7236b15420d300d06092a864886f70d01010b050030743133303106035504030c2a4d693063726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3139303732363038323530375a170d3233303732353038323530375a30743133303106035504030c2a4d693063726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100b746128a1496d434a06403664c8ca81c8da4e4dc8f54aee6cdae38c854df3970f96da107796af9f06ed42fa90c891da5911981ef3747a8d905992d2f86dc6b563b50c87d8ad6e2c8e402437f13c4b6a4e09a55b76d1d759097cc9f6bb55ee8d9e7717a16cc87255ea58e2aa840dfb46431b7d8bd483e661e1b7aa39182ba42d30203010001a34a3048300f0603551d130101ff040530030101ff30350603551d11042e302c822a4d693063726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131300d06092a864886f70d01010b05000381810079da4660fb2301cc5cdd78719c861feeebf9b43cd79fbe67068b643f39ab43300bf201410abfc6eb8493dd8a3c96bcf535d65fdbe74a0eede82b1145ae2a51e44735916460bbc8221ef7813fbb13cdfea0f32af42ae49bb71a95e4b59c8908681e970bbf8e84f95ceaac001c9021345879aaf3e233c545b6f8bb6fc5f22ee446	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE
192	powershell.exe
192	powershell.exe
192	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2352 RUNDLL32.EXE
Token: SeDebugPrivilege 3376 powershell.exe
Token: SeDebugPrivilege 192 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2352 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	2352	RUNDLL32.EXE
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	192	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ab4cf6181cfb102ec86c66d56af2d229.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 632 wrote to memory of 2004	632	ab4cf6181cfb102ec86c66d56af2d229.exe	rundll32.exe
PID 632 wrote to memory of 2004	632	ab4cf6181cfb102ec86c66d56af2d229.exe	rundll32.exe
PID 632 wrote to memory of 2004	632	ab4cf6181cfb102ec86c66d56af2d229.exe	rundll32.exe
PID 2004 wrote to memory of 2352	2004	rundll32.exe	RUNDLL32.EXE
PID 2004 wrote to memory of 2352	2004	rundll32.exe	RUNDLL32.EXE
PID 2004 wrote to memory of 2352	2004	rundll32.exe	RUNDLL32.EXE
PID 2352 wrote to memory of 2108	2352	RUNDLL32.EXE	rundll32.exe
PID 2352 wrote to memory of 2108	2352	RUNDLL32.EXE	rundll32.exe
PID 2352 wrote to memory of 2108	2352	RUNDLL32.EXE	rundll32.exe
PID 2352 wrote to memory of 3376	2352	RUNDLL32.EXE	powershell.exe
PID 2352 wrote to memory of 3376	2352	RUNDLL32.EXE	powershell.exe
PID 2352 wrote to memory of 3376	2352	RUNDLL32.EXE	powershell.exe
PID 2352 wrote to memory of 192	2352	RUNDLL32.EXE	powershell.exe
PID 2352 wrote to memory of 192	2352	RUNDLL32.EXE	powershell.exe
PID 2352 wrote to memory of 192	2352	RUNDLL32.EXE	powershell.exe
PID 192 wrote to memory of 2520	192	powershell.exe	nslookup.exe
PID 192 wrote to memory of 2520	192	powershell.exe	nslookup.exe
PID 192 wrote to memory of 2520	192	powershell.exe	nslookup.exe
PID 2352 wrote to memory of 2940	2352	RUNDLL32.EXE	schtasks.exe
PID 2352 wrote to memory of 2940	2352	RUNDLL32.EXE	schtasks.exe
PID 2352 wrote to memory of 2940	2352	RUNDLL32.EXE	schtasks.exe
PID 2352 wrote to memory of 1944	2352	RUNDLL32.EXE	schtasks.exe
PID 2352 wrote to memory of 1944	2352	RUNDLL32.EXE	schtasks.exe
PID 2352 wrote to memory of 1944	2352	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ab4cf6181cfb102ec86c66d56af2d229.exe
"C:\Users\Admin\AppData\Local\Temp\ab4cf6181cfb102ec86c66d56af2d229.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP,S C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP,MhkZMWM0UQ==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17894
4⤵
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFB87.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1868.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2940

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
d0567b9d156180c0703d7b867533bf55

SHA1
ddbaaff7a55fde4be5c3cd2b5ceb9e49535a4702

SHA256
5406a5325a4764b5e8772de776c3269b880c59cbd66f4a6682620fc675722a21

SHA512
7e6eb445c2c8a76d584183a8c4c1c193028a58634415fc2d4f9b53a1f585a3daa254fb0fe71522f4cc2098da201c4c29a062eab6cc6f330b52a69f4df22b806a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dd3a177126997efa7bde22fdde8e1c4b

SHA1
24374f852aeb93e288e270c763ad64b8276c95e5

SHA256
b30386a450ac35cdc5d55fe9f65c15534ec0873a611b51ddcbebf5ce89055140

SHA512
e63a65f741eaf09e80fd529c3655eeadd8afedd38ccaf0ef58feccd1bbffc050ef90ebd7911092022fcbd166342806b4b9c75dcc3de01cf69f4585b69adc8965

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP
MD5
279fd5be1ef6f78dceaea9160797d3ca

SHA1
02d83bb9752b2f9cb205fbba5ef084069204ce5c

SHA256
79e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477

SHA512
9459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1868.tmp.ps1
MD5
57904d9aed1c4e5d6ab87cf548a26a64

SHA1
d4fb29ae58a8db1a314de953fb43acfa437472b8

SHA256
858806b623d778188f4ddc05ef0466bed0382891cc60169294f4d6230cb6e923

SHA512
b9fd8ef6d0aec7e4c18185684172f1c0e0f7b9c7999c5d159015aff6af43673c4eeab9d1150e9176e69b1f378a917441d5f5752be1f39cf7c56a6d9b0f275b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1869.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB87.tmp.ps1
MD5
d5cc27ffd4cbb3fc0f6b67022b10fa26

SHA1
d585ca62a15178422f41b6655b181e7e16d40985

SHA256
82986ff0a32f5bff878032beb2ba37f7ac04f2f95e8fec72b629c225ee780f48

SHA512
3d025812a967e2f439869c31bcb5ec864739dcda1f78a56469aa26cb64f46105d12b1e4ed33e2d609c5fb6e34c6aec7cbc56a62ab108befa1f4db84f4a13830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB88.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP
MD5
279fd5be1ef6f78dceaea9160797d3ca

SHA1
02d83bb9752b2f9cb205fbba5ef084069204ce5c

SHA256
79e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477

SHA512
9459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216

Download Submit
\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP
MD5
279fd5be1ef6f78dceaea9160797d3ca

SHA1
02d83bb9752b2f9cb205fbba5ef084069204ce5c

SHA256
79e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477

SHA512
9459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216

Download Submit
\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP
MD5
279fd5be1ef6f78dceaea9160797d3ca

SHA1
02d83bb9752b2f9cb205fbba5ef084069204ce5c

SHA256
79e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477

SHA512
9459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216

Download Submit
\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP
MD5
279fd5be1ef6f78dceaea9160797d3ca

SHA1
02d83bb9752b2f9cb205fbba5ef084069204ce5c

SHA256
79e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477

SHA512
9459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216

Download Submit
memory/192-172-0x0000000000000000-mapping.dmp

Download
memory/192-198-0x0000000006573000-0x0000000006574000-memory.dmp

Filesize
4KB

Download
memory/192-181-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/192-184-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/192-188-0x0000000006572000-0x0000000006573000-memory.dmp

Filesize
4KB

Download
memory/192-187-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/632-114-0x0000000002730000-0x000000000282E000-memory.dmp

Filesize
1016KB

Download
memory/632-116-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/1944-200-0x0000000000000000-mapping.dmp

Download
memory/2004-115-0x0000000000000000-mapping.dmp

Download
memory/2004-132-0x0000000004810000-0x0000000005AA6000-memory.dmp

Filesize
18.6MB

Download
memory/2108-145-0x0000020DB6170000-0x0000020DB6321000-memory.dmp

Filesize
1.7MB

Download
memory/2108-144-0x0000000000DA0000-0x0000000000F40000-memory.dmp

Filesize
1.6MB

Download
memory/2108-140-0x00007FF6A7435FD0-mapping.dmp

Download
memory/2352-139-0x0000000004810000-0x0000000005AA6000-memory.dmp

Filesize
18.6MB

Download
memory/2352-127-0x0000000000000000-mapping.dmp

Download
memory/2352-130-0x0000000000C90000-0x0000000000DED000-memory.dmp

Filesize
1.4MB

Download
memory/2352-143-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2520-195-0x0000000000000000-mapping.dmp

Download
memory/2940-199-0x0000000000000000-mapping.dmp

Download
memory/3376-154-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/3376-150-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/3376-156-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/3376-171-0x0000000004473000-0x0000000004474000-memory.dmp

Filesize
4KB

Download
memory/3376-155-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/3376-158-0x0000000007F90000-0x0000000007F91000-memory.dmp

Filesize
4KB

Download
memory/3376-153-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/3376-151-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/3376-152-0x0000000004472000-0x0000000004473000-memory.dmp

Filesize
4KB

Download
memory/3376-168-0x0000000008C30000-0x0000000008C31000-memory.dmp

Filesize
4KB

Download
memory/3376-149-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/3376-146-0x0000000000000000-mapping.dmp

Download
memory/3376-167-0x0000000008B90000-0x0000000008B91000-memory.dmp

Filesize
4KB

Download
memory/3376-166-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/3376-161-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/3376-157-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/3376-159-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download