danabot | 9610051a347d56ae5d91e3a3c471a2d90b5a4e02b2aa714f931d4cbe164eb42c

Analysis

max time kernel
142s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
25-07-2021 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbcc5e3ca7e87e9050071b250a55d59b.exe
Size

1.2MB
MD5

bbcc5e3ca7e87e9050071b250a55d59b
SHA1

899efad6150077f3d3a80d82ed567799467bacce
SHA256

9610051a347d56ae5d91e3a3c471a2d90b5a4e02b2aa714f931d4cbe164eb42c
SHA512

ab676ee81674ac67ad9694c8d29ed59bfac79c0802b671ad87d19bc47532a37e2e1c2c7dfe1a70873107999a75de64d24ba8678194bcf1e6032c1e214d0b99db

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

15 3308 rundll32.exe
16 3548 RUNDLL32.EXE
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3308 rundll32.exe
3548 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 3548 set thread context of 764 3548 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
15	3308	rundll32.exe
16	3548	RUNDLL32.EXE

pid	process
3308	rundll32.exe
3548	RUNDLL32.EXE

description	pid	process	target process
PID 3548 set thread context of 764	3548	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2CC159954CC78AA81B170BDEE91E29D0C015D21D	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2CC159954CC78AA81B170BDEE91E29D0C015D21D\Blob = 0300000001000000140000002cc159954cc78aa81b170bdee91e29d0c015d21d20000000010000007d02000030820279308201e2a00302010202087f677da575d79093300d06092a864886f70d01010b050030623121301f06035504030c1844693267694365727420476c6f62616c20526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3139303732373030303131365a170d3233303732363030303131365a30623121301f06035504030c1844693267694365727420476c6f62616c20526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100a9283b969ed5e54d8c36ab2b70b90651bea3b09ba641003f0fe3840988a79fcd1e46040a0a7f0979ea3221c843c8c439e131f5ae16e98cc458ed6f9400d0ae8ebe995036a6e72a9c3a3e45c34a7809913e385f9dc1f3647358c344ffd4f7da94404d044170008e1cef67761cd40c3501002af3f6c0794c63557f999580bb96070203010001a3383036300f0603551d130101ff040530030101ff30230603551d11041c301a821844693267694365727420476c6f62616c20526f6f74204341300d06092a864886f70d01010b050003818100358c82f342ee66c4537af381cea1ce78f56642fee0183e76a06f1691e8e9ccddea9168b92e4f374b5b488348e6de89f5b66bef5718a1c007145acffe4a8afe5b77b69f817d70d31cf45c189d43a5e5abb10f92cc19913fb1ae3d80e6e369622f7c322d1c4709a704c12705f61cae0469ca78f200d43064b8391d0b48510bb413	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
3548	RUNDLL32.EXE
3548	RUNDLL32.EXE
3548	RUNDLL32.EXE
3548	RUNDLL32.EXE
3548	RUNDLL32.EXE
3548	RUNDLL32.EXE
3548	RUNDLL32.EXE
3548	RUNDLL32.EXE
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
3548	RUNDLL32.EXE
3548	RUNDLL32.EXE
2480	powershell.exe
2480	powershell.exe
2480	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3548 RUNDLL32.EXE
Token: SeDebugPrivilege 1324 powershell.exe
Token: SeDebugPrivilege 2480 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

3548 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	3548	RUNDLL32.EXE
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

bbcc5e3ca7e87e9050071b250a55d59b.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 808 wrote to memory of 3308	808	bbcc5e3ca7e87e9050071b250a55d59b.exe	rundll32.exe
PID 808 wrote to memory of 3308	808	bbcc5e3ca7e87e9050071b250a55d59b.exe	rundll32.exe
PID 808 wrote to memory of 3308	808	bbcc5e3ca7e87e9050071b250a55d59b.exe	rundll32.exe
PID 3308 wrote to memory of 3548	3308	rundll32.exe	RUNDLL32.EXE
PID 3308 wrote to memory of 3548	3308	rundll32.exe	RUNDLL32.EXE
PID 3308 wrote to memory of 3548	3308	rundll32.exe	RUNDLL32.EXE
PID 3548 wrote to memory of 764	3548	RUNDLL32.EXE	rundll32.exe
PID 3548 wrote to memory of 764	3548	RUNDLL32.EXE	rundll32.exe
PID 3548 wrote to memory of 764	3548	RUNDLL32.EXE	rundll32.exe
PID 3548 wrote to memory of 1324	3548	RUNDLL32.EXE	powershell.exe
PID 3548 wrote to memory of 1324	3548	RUNDLL32.EXE	powershell.exe
PID 3548 wrote to memory of 1324	3548	RUNDLL32.EXE	powershell.exe
PID 3548 wrote to memory of 2480	3548	RUNDLL32.EXE	powershell.exe
PID 3548 wrote to memory of 2480	3548	RUNDLL32.EXE	powershell.exe
PID 3548 wrote to memory of 2480	3548	RUNDLL32.EXE	powershell.exe
PID 2480 wrote to memory of 2808	2480	powershell.exe	nslookup.exe
PID 2480 wrote to memory of 2808	2480	powershell.exe	nslookup.exe
PID 2480 wrote to memory of 2808	2480	powershell.exe	nslookup.exe
PID 3548 wrote to memory of 1404	3548	RUNDLL32.EXE	schtasks.exe
PID 3548 wrote to memory of 1404	3548	RUNDLL32.EXE	schtasks.exe
PID 3548 wrote to memory of 1404	3548	RUNDLL32.EXE	schtasks.exe
PID 3548 wrote to memory of 3012	3548	RUNDLL32.EXE	schtasks.exe
PID 3548 wrote to memory of 3012	3548	RUNDLL32.EXE	schtasks.exe
PID 3548 wrote to memory of 3012	3548	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe
"C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP,S C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP,Li4AUlFIeA==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17894
4⤵
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE475.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFEA6.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2808

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
9dfb4eac08903bbcd3fe69d3ea4105d6

SHA1
437976017e144d0fe0a030ea423dd278c4763c93

SHA256
cb2be3a089353da61efc58b5ff63b9180202eb25270fdd99c783cd5f70512110

SHA512
06c84845ad90848fff740b3512cade834e2166aea63058db92e3f4c7d921ebb1fad311e3d27ce8b25042e957f78d04b0d186d5a3c5e401b9867a7f6af897e038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ab4daf10ae4ece5a591a92b4ca477a57

SHA1
6156d11b0e5f3abc67d0e75fb2afceca9850d0ac

SHA256
23a003967d3a4f8049d69783fd547e6b2a2a3138eceeb4fa4cdf5b3026c4122e

SHA512
d1cd9e633f2508240510f77afd833fa109099092af5879435efef0dc565d2c720fdbc3dc3bb227f16ac02e74efb4f18b47b0334f31140f9508d4e514a0655ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
MD5
13de044c4ce35f2eded6358956fd001b

SHA1
bd219d896a2f6ee552335e563fa6f68923fc57fa

SHA256
7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d

SHA512
cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE475.tmp.ps1
MD5
a42f4d429884e3354846449adac726fb

SHA1
8685d1433aa7a3fd67578fc740f5d0a8c23df5f4

SHA256
8a8ae84e26101ab0f9ee36f015d009a5eba1ad2e93ac661a9fc2e72cfdcd7806

SHA512
251c2bb855780fe5b6bb2488ca33cb71c70746f97991d5bc8de2680fd77316b16df3a89c137d9fecd79113a36fcd04b06f64b4cfdc8c6d40aad1ceab9f8ed2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE476.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEA6.tmp.ps1
MD5
ae6e20aeca76147c98b4e8ebb8570d3c

SHA1
4dd3efb5c87d187987eef8cc50c6c58533f3d488

SHA256
aea021115ba5f24ebc95d3546fed6499aa96356a725e9f80ee4ee600791fb254

SHA512
9e9f3e98b6b36aeeab451eb1015dbadf6d2cc8558ba2d2f781a761280f8b418d4c93cd1ece7c63e3d1e70e1626a17c97ba893dec45e4f19cd6c99f0970225786

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEA7.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
MD5
13de044c4ce35f2eded6358956fd001b

SHA1
bd219d896a2f6ee552335e563fa6f68923fc57fa

SHA256
7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d

SHA512
cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb

Download Submit
\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
MD5
13de044c4ce35f2eded6358956fd001b

SHA1
bd219d896a2f6ee552335e563fa6f68923fc57fa

SHA256
7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d

SHA512
cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb

Download Submit
memory/764-128-0x00007FF6A0F45FD0-mapping.dmp

Download
memory/764-132-0x0000000000BD0000-0x0000000000D70000-memory.dmp

Filesize
1.6MB

Download
memory/764-133-0x000001E4D00A0000-0x000001E4D0251000-memory.dmp

Filesize
1.7MB

Download
memory/808-118-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/808-117-0x00000000022C0000-0x00000000023C1000-memory.dmp

Filesize
1.0MB

Download
memory/1324-144-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/1324-156-0x0000000006D50000-0x0000000006D51000-memory.dmp

Filesize
4KB

Download
memory/1324-140-0x0000000006BE2000-0x0000000006BE3000-memory.dmp

Filesize
4KB

Download
memory/1324-139-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/1324-141-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/1324-142-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/1324-143-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/1324-159-0x0000000006BE3000-0x0000000006BE4000-memory.dmp

Filesize
4KB

Download
memory/1324-145-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/1324-146-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/1324-147-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/1324-137-0x0000000006A40000-0x0000000006A41000-memory.dmp

Filesize
4KB

Download
memory/1324-149-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/1324-154-0x00000000099A0000-0x00000000099A1000-memory.dmp

Filesize
4KB

Download
memory/1324-155-0x0000000008F30000-0x0000000008F31000-memory.dmp

Filesize
4KB

Download
memory/1324-138-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/1324-134-0x0000000000000000-mapping.dmp

Download
memory/1404-187-0x0000000000000000-mapping.dmp

Download
memory/2480-174-0x0000000008D80000-0x0000000008D81000-memory.dmp

Filesize
4KB

Download
memory/2480-169-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/2480-171-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2480-173-0x0000000005082000-0x0000000005083000-memory.dmp

Filesize
4KB

Download
memory/2480-186-0x0000000005083000-0x0000000005084000-memory.dmp

Filesize
4KB

Download
memory/2480-160-0x0000000000000000-mapping.dmp

Download
memory/2808-183-0x0000000000000000-mapping.dmp

Download
memory/3012-188-0x0000000000000000-mapping.dmp

Download
memory/3308-114-0x0000000000000000-mapping.dmp

Download
memory/3308-124-0x00000000050B0000-0x0000000006346000-memory.dmp

Filesize
18.6MB

Download
memory/3548-131-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/3548-127-0x0000000005090000-0x0000000006326000-memory.dmp

Filesize
18.6MB

Download
memory/3548-121-0x0000000000000000-mapping.dmp

Download