danabot | a90987c6f1bd0e657b82bac0317add6223c16af9b560601b14a9a8a07f3b650f

Analysis

max time kernel
79s
max time network
138s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a90987c6f1bd0e657b82bac0317add6223c16af9b560601b14a9a8a07f3b650f.exe
Size

1.1MB
MD5

3706c833733dabb3b1cad921fd0abbb9
SHA1

de7725afccc13a55755885c066a8247f0e16f653
SHA256

a90987c6f1bd0e657b82bac0317add6223c16af9b560601b14a9a8a07f3b650f
SHA512

d77734ad3a7929439c4194b11fdff6e6b0f95b089c414239a7510eb92da819a7831d42e5081af3b2ca7053f94f0c00f11fc41decc6859e1f3125f696f22325e2

Score

10^/10

danabot 4 banker discovery trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

35 1016 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1016 rundll32.exe
676 RUNDLL32.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe

flow	pid	process
35	1016	rundll32.exe

pid	process
1016	rundll32.exe
676	RUNDLL32.EXE

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a90987c6f1bd0e657b82bac0317add6223c16af9b560601b14a9a8a07f3b650f.exerundll32.exe

description	pid	process	target process
PID 2176 wrote to memory of 1016	2176	a90987c6f1bd0e657b82bac0317add6223c16af9b560601b14a9a8a07f3b650f.exe	rundll32.exe
PID 2176 wrote to memory of 1016	2176	a90987c6f1bd0e657b82bac0317add6223c16af9b560601b14a9a8a07f3b650f.exe	rundll32.exe
PID 2176 wrote to memory of 1016	2176	a90987c6f1bd0e657b82bac0317add6223c16af9b560601b14a9a8a07f3b650f.exe	rundll32.exe
PID 1016 wrote to memory of 676	1016	rundll32.exe	RUNDLL32.EXE
PID 1016 wrote to memory of 676	1016	rundll32.exe	RUNDLL32.EXE
PID 1016 wrote to memory of 676	1016	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\a90987c6f1bd0e657b82bac0317add6223c16af9b560601b14a9a8a07f3b650f.exe
"C:\Users\Admin\AppData\Local\Temp\a90987c6f1bd0e657b82bac0317add6223c16af9b560601b14a9a8a07f3b650f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A90987~1.DLL,s C:\Users\Admin\AppData\Local\Temp\A90987~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\A90987~1.DLL,l0pNQVA0Ug==
3⤵
- Loads dropped DLL
- Checks processor information in registry
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\A90987~1.DLL
4⤵
PID:1152

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\A90987~1.DLL,SC0aNg==
4⤵
PID:1472

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
5⤵
PID:1368

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:1580

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
PID:3568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2755.tmp.ps1"
4⤵
PID:1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8AB5.tmp.ps1"
4⤵
PID:3648

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3396

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2176

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
f53286c775f8be6a910a790370434473

SHA1
7984fc16f296790d5a15cc9af82e01ea2a3f0adb

SHA256
a95c23b0d4cd1871f67822bf14b48e447644ce3985d8a725edec22b75da907d4

SHA512
3ff9036c8ab330acf1db56008d7f42f7dace72d3fa990ab052211f02cf7aad5cfedf8fe87de5191ebb12bf854a6b176c6ba1380f9ef74ec0d89efeb16e7d38bb

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
f53286c775f8be6a910a790370434473

SHA1
7984fc16f296790d5a15cc9af82e01ea2a3f0adb

SHA256
a95c23b0d4cd1871f67822bf14b48e447644ce3985d8a725edec22b75da907d4

SHA512
3ff9036c8ab330acf1db56008d7f42f7dace72d3fa990ab052211f02cf7aad5cfedf8fe87de5191ebb12bf854a6b176c6ba1380f9ef74ec0d89efeb16e7d38bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e0196fdf87c907f0f84964eb25c0b2f1

SHA1
52979f1dd152c3e3aa33e55c71a1b9d719afbc26

SHA256
9155e0303c719e7935707fbfa62d0474cf30873a26129dc200fc0ad169091fd7

SHA512
132fca17c26554cf49207fb8258558af251bdc3171ec7f4cb0ed90610f8724e5c8cec63b509c288a2bbcb8d800b8a68ac019d18b83856743f685b1403b343b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8d910026fae3eecdd63c79f7be635e72

SHA1
bea6ce03adbc3f0edbc11efa35545b74c130cd25

SHA256
4e92bd4b409412e70eb9be7ce8f15fe029c6f2205ffef300db9c73cf40cf82ba

SHA512
b4c7ab091b9e169afedf476b01de4240346b9c253643bde12274fc6aa5d85eb4858d8877900a3377546c33f7914099d0e6252355597870df8e27da54cdcb2608

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\A90987~1.DLL
MD5
b592b1add7161aae78887d2fbd38c29e

SHA1
f5e114403d50fb4722ef89df1b3d0fc7fb7dd78d

SHA256
383169372c0b02ce57f001429aa32b168c9f72da94a5b10c26cfb52526bffa8f

SHA512
347732e86d8a8812c055f42480b32352923aa82981bf756f408bc80b8995e17aa99dd61af491f5f6988b631bbd1847d3e8c4cafcbfbfb6d9f879d185bfed5308

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2755.tmp.ps1
MD5
a854cf9ff1de9e9ad2dd42dcd80c3956

SHA1
05f766172a64eecad746028de659adfbea25b323

SHA256
afb7d7575e47a5cc8774c289fb900e497ab6013588ce491a77a832b59f63278a

SHA512
fd3553e279591a791d31929ea93ab1bff7868504339dc51faad5629be00958f502f51c74c973201e1f1f4b3551f79d0d9a0e8f4aa578f7c965cb5cb92a72ef2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2756.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AB5.tmp.ps1
MD5
8fd2a106ac8bf71c4dfc9dd712fe8beb

SHA1
edf94e17d4262c6040bf040841b40f96daf236b8

SHA256
18d006368edd819373664ca689cb1225ceaa08604c81ca0121863c7e4e00ee8d

SHA512
fe4b17d4a4a0dce805a6a42d676f55a1fdaba286eeef799b5ca501ee8b4e2bb72efe3d57e19c1da17113d51332eaca4768359ca89abe5fd8f1d238a43de5d29b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AB6.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\A90987~1.DLL
MD5
b592b1add7161aae78887d2fbd38c29e

SHA1
f5e114403d50fb4722ef89df1b3d0fc7fb7dd78d

SHA256
383169372c0b02ce57f001429aa32b168c9f72da94a5b10c26cfb52526bffa8f

SHA512
347732e86d8a8812c055f42480b32352923aa82981bf756f408bc80b8995e17aa99dd61af491f5f6988b631bbd1847d3e8c4cafcbfbfb6d9f879d185bfed5308

Download Submit
\Users\Admin\AppData\Local\Temp\A90987~1.DLL
MD5
b592b1add7161aae78887d2fbd38c29e

SHA1
f5e114403d50fb4722ef89df1b3d0fc7fb7dd78d

SHA256
383169372c0b02ce57f001429aa32b168c9f72da94a5b10c26cfb52526bffa8f

SHA512
347732e86d8a8812c055f42480b32352923aa82981bf756f408bc80b8995e17aa99dd61af491f5f6988b631bbd1847d3e8c4cafcbfbfb6d9f879d185bfed5308

Download Submit
\Users\Admin\AppData\Local\Temp\A90987~1.DLL
MD5
b592b1add7161aae78887d2fbd38c29e

SHA1
f5e114403d50fb4722ef89df1b3d0fc7fb7dd78d

SHA256
383169372c0b02ce57f001429aa32b168c9f72da94a5b10c26cfb52526bffa8f

SHA512
347732e86d8a8812c055f42480b32352923aa82981bf756f408bc80b8995e17aa99dd61af491f5f6988b631bbd1847d3e8c4cafcbfbfb6d9f879d185bfed5308

Download Submit
memory/676-127-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/676-126-0x0000000004B41000-0x0000000005B25000-memory.dmp

Filesize
15.9MB

Download
memory/676-123-0x0000000000000000-mapping.dmp

Download
memory/1016-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1016-121-0x0000000004F81000-0x0000000005F65000-memory.dmp

Filesize
15.9MB

Download
memory/1016-118-0x0000000000000000-mapping.dmp

Download
memory/1152-194-0x000000007EB50000-0x000000007EB51000-memory.dmp

Filesize
4KB

Download
memory/1152-201-0x0000000007333000-0x0000000007334000-memory.dmp

Filesize
4KB

Download
memory/1152-140-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/1152-138-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/1152-142-0x0000000007332000-0x0000000007333000-memory.dmp

Filesize
4KB

Download
memory/1152-141-0x00000000081B0000-0x00000000081B1000-memory.dmp

Filesize
4KB

Download
memory/1152-143-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/1152-128-0x0000000000000000-mapping.dmp

Download
memory/1152-129-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1152-130-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1152-135-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/1152-133-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/1152-202-0x0000000009DB0000-0x0000000009DB1000-memory.dmp

Filesize
4KB

Download
memory/1152-165-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/1152-199-0x00000000099B0000-0x00000000099B1000-memory.dmp

Filesize
4KB

Download
memory/1152-164-0x0000000008C60000-0x0000000008C61000-memory.dmp

Filesize
4KB

Download
memory/1152-163-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/1152-136-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/1152-191-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

Filesize
4KB

Download
memory/1152-173-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1152-184-0x0000000009850000-0x0000000009883000-memory.dmp

Filesize
204KB

Download
memory/1368-159-0x000001F6F9750000-0x000001F6F9902000-memory.dmp

Filesize
1.7MB

Download
memory/1368-158-0x00000000004A0000-0x0000000000640000-memory.dmp

Filesize
1.6MB

Download
memory/1368-156-0x000001F6F9630000-0x000001F6F9632000-memory.dmp

Filesize
8KB

Download
memory/1368-155-0x000001F6F9630000-0x000001F6F9632000-memory.dmp

Filesize
8KB

Download
memory/1368-153-0x00007FF6A1F45FD0-mapping.dmp

Download
memory/1472-152-0x0000000006190000-0x00000000062D0000-memory.dmp

Filesize
1.2MB

Download
memory/1472-139-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1472-144-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/1472-145-0x0000000006190000-0x00000000062D0000-memory.dmp

Filesize
1.2MB

Download
memory/1472-146-0x0000000006190000-0x00000000062D0000-memory.dmp

Filesize
1.2MB

Download
memory/1472-131-0x0000000000000000-mapping.dmp

Download
memory/1472-137-0x00000000050E1000-0x00000000060C5000-memory.dmp

Filesize
15.9MB

Download
memory/1472-148-0x0000000006190000-0x00000000062D0000-memory.dmp

Filesize
1.2MB

Download
memory/1472-149-0x0000000006190000-0x00000000062D0000-memory.dmp

Filesize
1.2MB

Download
memory/1472-151-0x0000000006190000-0x00000000062D0000-memory.dmp

Filesize
1.2MB

Download
memory/1472-150-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1580-157-0x0000000000000000-mapping.dmp

Download
memory/1968-170-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/1968-166-0x0000000000000000-mapping.dmp

Download
memory/1968-167-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1968-280-0x0000000007223000-0x0000000007224000-memory.dmp

Filesize
4KB

Download
memory/1968-168-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1968-172-0x0000000007222000-0x0000000007223000-memory.dmp

Filesize
4KB

Download
memory/2176-117-0x0000000000400000-0x0000000002FE6000-memory.dmp

Filesize
43.9MB

Download
memory/2176-116-0x0000000004FD0000-0x00000000050D5000-memory.dmp

Filesize
1.0MB

Download
memory/2176-451-0x0000000000000000-mapping.dmp

Download
memory/2176-115-0x0000000004EE0000-0x0000000004FCE000-memory.dmp

Filesize
952KB

Download
memory/3396-447-0x0000000000000000-mapping.dmp

Download
memory/3496-452-0x0000000000000000-mapping.dmp

Download
memory/3568-160-0x0000000000000000-mapping.dmp

Download
memory/3648-386-0x0000000006962000-0x0000000006963000-memory.dmp

Filesize
4KB

Download
memory/3648-384-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/3648-362-0x0000000000000000-mapping.dmp

Download
memory/3648-450-0x0000000006963000-0x0000000006964000-memory.dmp

Filesize
4KB

Download