danabot | c0c908fdb5c67cd4ab56ab911320adaf68e4bc9a230a4a04eaf2cf6ae92443f4

Analysis

max time kernel
72s
max time network
136s
platform
windows10_x64
resource
win10-en-20210920
submitted
22-10-2021 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b24b06fc8dd46d543cd12f15e182884.exe
Size

1.2MB
MD5

0b24b06fc8dd46d543cd12f15e182884
SHA1

c4e01c51b4f17c644e85d308fcde80ac0d8f971b
SHA256

c0c908fdb5c67cd4ab56ab911320adaf68e4bc9a230a4a04eaf2cf6ae92443f4
SHA512

7b32e2f2dacbe5eda936e1780ec68646bc004b0110f66ffa47e2d7fe57e967c022ea8071cfcfd63be500069c4c6da95077273baf5e308091a8bce7c16df88ff4

Score

10^/10

danabot 4 banker discovery trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL	DanabotLoader2021
behavioral2/memory/1304-126-0x0000000000C20000-0x0000000000D84000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1332 created 3352 1332 WerFault.exe 0b24b06fc8dd46d543cd12f15e182884.exe
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

27 4056 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

4056 rundll32.exe
1304 RUNDLL32.EXE
1304 RUNDLL32.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1332 3352 WerFault.exe 0b24b06fc8dd46d543cd12f15e182884.exe
3852 2308 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 1332 created 3352	1332	WerFault.exe	0b24b06fc8dd46d543cd12f15e182884.exe

flow	pid	process
27	4056	rundll32.exe

pid	process
4056	rundll32.exe
1304	RUNDLL32.EXE
1304	RUNDLL32.EXE

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

pid	pid_target	process	target process
1332	3352	WerFault.exe	0b24b06fc8dd46d543cd12f15e182884.exe
3852	2308	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1332 WerFault.exe
Token: SeBackupPrivilege 1332 WerFault.exe
Token: SeDebugPrivilege 1332 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1332	WerFault.exe
Token: SeBackupPrivilege	1332	WerFault.exe
Token: SeDebugPrivilege	1332	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0b24b06fc8dd46d543cd12f15e182884.exerundll32.exe

description	pid	process	target process
PID 3352 wrote to memory of 4056	3352	0b24b06fc8dd46d543cd12f15e182884.exe	rundll32.exe
PID 3352 wrote to memory of 4056	3352	0b24b06fc8dd46d543cd12f15e182884.exe	rundll32.exe
PID 3352 wrote to memory of 4056	3352	0b24b06fc8dd46d543cd12f15e182884.exe	rundll32.exe
PID 4056 wrote to memory of 1304	4056	rundll32.exe	RUNDLL32.EXE
PID 4056 wrote to memory of 1304	4056	rundll32.exe	RUNDLL32.EXE
PID 4056 wrote to memory of 1304	4056	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\0b24b06fc8dd46d543cd12f15e182884.exe
"C:\Users\Admin\AppData\Local\Temp\0b24b06fc8dd46d543cd12f15e182884.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL,s C:\Users\Admin\AppData\Local\Temp\0B24B0~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL,T0gHM3A=
3⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL
4⤵
PID:2440

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL,RRA0Umo=
4⤵
PID:2308

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
5⤵
PID:3948

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 796
5⤵
- Program crash
PID:3852

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
PID:3084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1600.tmp.ps1"
4⤵
PID:3580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4F81.tmp.ps1"
4⤵
PID:840

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3172

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2884

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 584
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
6ec6e496def143ecfe52db40b4856d3f

SHA1
c0aee1ba1f3b529b40c4156a3aeb6b88bd7e16ac

SHA256
05ab2a50bc30149d456e96547363954419ea5819383d526de75ecf2e573fcfae

SHA512
fa7d94016c504b14c256394cabf8910620a2f9ce9d218e392d0344e9e8d4a54e51b6cf695b9043332f1507a64df4a30dd8226c3e602eb8339dc4c7ecd66a5426

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
6ec6e496def143ecfe52db40b4856d3f

SHA1
c0aee1ba1f3b529b40c4156a3aeb6b88bd7e16ac

SHA256
05ab2a50bc30149d456e96547363954419ea5819383d526de75ecf2e573fcfae

SHA512
fa7d94016c504b14c256394cabf8910620a2f9ce9d218e392d0344e9e8d4a54e51b6cf695b9043332f1507a64df4a30dd8226c3e602eb8339dc4c7ecd66a5426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
52e434ddc4d8b689f4226bf32a100ff8

SHA1
f381c41cb79bb4441b4545dcf0b20b6b3344d9b6

SHA256
0b6c992929e92fa18f9c0c3a9f2429287744a630d82eabd52def96295a4665a1

SHA512
27244b5eecc9417b836f4277c6f0b418419721f93b427af8976cd2ae0a9fb53b3513201b88f4ab1817e81d958fe12886d15f26b61ff41fcae123838dff705528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
75719e967fe2c7030be4a0180bfe5124

SHA1
12184e20d8acb20ba0e1808c4681a5218c1f0db2

SHA256
05e407f4b914e5cf05678c48707acf634dfdf10c0584db06024959c300f9b60d

SHA512
b8637b394c2f55e9014893379ee32917e160321a09a3ee94b7e6e56ce125d5c08e310a5926ac8a2d16e5b900e90442f4cafab75007f2357a2ed9f2f5bc8eb46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL
MD5
0e3d91eb366dec463dc2f4ac7977f8b8

SHA1
b2028fb65b0362c76abd732769d5e8d1dac4154e

SHA256
2c1f402b39e4a914fdcf5677fff210e32e78d6b6a57f8cddb86303a12b2703f8

SHA512
db43bb4d4efe73dcf36a71a2bc94f2dd1eba01291880ec5cc6138c475a2f31edd986bd4e30c5970ff5fe444187cfc651b9f86edbbe495df06b4fe82e0e524a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1600.tmp.ps1
MD5
a1265b4f6fc184eb00dd78db8ef988b2

SHA1
124d184b0b69808dbc8f0b9d94453cfd49406afd

SHA256
dac900784f0038ec48e537e940e06a6f9931cf9450b6b4cf213672b2d70a5373

SHA512
b58df077142446b2b07deee73c58a69fac7a568c06730360c362fc57f6168ee4ff465334cffec614b3463a47cec8f1df47704c2683303f25b49536749bfd6acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F81.tmp.ps1
MD5
c4ae2260fb85fe98625a6fb788ba3cd4

SHA1
16676556ba3d85d64246acee53e90da841ecd59c

SHA256
4a8ace1ca2bd5544f971fb6b13f8510a2738d97ea5dff9cd30047e004cfbf429

SHA512
6e074317b329b9b8896a1ed1cb141b7a202b06f584bec9db0ce327f6f61b78bdccf08b37e9fcd01f7b99104a59898541207e1bea11b30a1a7e2e5c84cdad08de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F82.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL
MD5
0e3d91eb366dec463dc2f4ac7977f8b8

SHA1
b2028fb65b0362c76abd732769d5e8d1dac4154e

SHA256
2c1f402b39e4a914fdcf5677fff210e32e78d6b6a57f8cddb86303a12b2703f8

SHA512
db43bb4d4efe73dcf36a71a2bc94f2dd1eba01291880ec5cc6138c475a2f31edd986bd4e30c5970ff5fe444187cfc651b9f86edbbe495df06b4fe82e0e524a65

Download Submit
\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL
MD5
0e3d91eb366dec463dc2f4ac7977f8b8

SHA1
b2028fb65b0362c76abd732769d5e8d1dac4154e

SHA256
2c1f402b39e4a914fdcf5677fff210e32e78d6b6a57f8cddb86303a12b2703f8

SHA512
db43bb4d4efe73dcf36a71a2bc94f2dd1eba01291880ec5cc6138c475a2f31edd986bd4e30c5970ff5fe444187cfc651b9f86edbbe495df06b4fe82e0e524a65

Download Submit
\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL
MD5
0e3d91eb366dec463dc2f4ac7977f8b8

SHA1
b2028fb65b0362c76abd732769d5e8d1dac4154e

SHA256
2c1f402b39e4a914fdcf5677fff210e32e78d6b6a57f8cddb86303a12b2703f8

SHA512
db43bb4d4efe73dcf36a71a2bc94f2dd1eba01291880ec5cc6138c475a2f31edd986bd4e30c5970ff5fe444187cfc651b9f86edbbe495df06b4fe82e0e524a65

Download Submit
\Users\Admin\AppData\Local\Temp\0B24B0~1.DLL
MD5
0e3d91eb366dec463dc2f4ac7977f8b8

SHA1
b2028fb65b0362c76abd732769d5e8d1dac4154e

SHA256
2c1f402b39e4a914fdcf5677fff210e32e78d6b6a57f8cddb86303a12b2703f8

SHA512
db43bb4d4efe73dcf36a71a2bc94f2dd1eba01291880ec5cc6138c475a2f31edd986bd4e30c5970ff5fe444187cfc651b9f86edbbe495df06b4fe82e0e524a65

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
memory/840-333-0x0000000000000000-mapping.dmp

Download
memory/840-354-0x0000000003312000-0x0000000003313000-memory.dmp

Filesize
4KB

Download
memory/840-352-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/840-453-0x0000000003313000-0x0000000003314000-memory.dmp

Filesize
4KB

Download
memory/1288-454-0x0000000000000000-mapping.dmp

Download
memory/1304-129-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1304-123-0x0000000000000000-mapping.dmp

Download
memory/1304-126-0x0000000000C20000-0x0000000000D84000-memory.dmp

Filesize
1.4MB

Download
memory/1304-128-0x00000000048A1000-0x0000000005885000-memory.dmp

Filesize
15.9MB

Download
memory/1788-162-0x0000000000000000-mapping.dmp

Download
memory/2308-133-0x0000000000000000-mapping.dmp

Download
memory/2308-163-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/2308-141-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2308-140-0x0000000004AD1000-0x0000000005AB5000-memory.dmp

Filesize
15.9MB

Download
memory/2308-154-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/2308-146-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2308-147-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/2308-148-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/2308-150-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/2308-151-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/2308-153-0x0000000005B80000-0x0000000005CC0000-memory.dmp

Filesize
1.2MB

Download
memory/2308-152-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2440-136-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2440-197-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/2440-130-0x0000000000000000-mapping.dmp

Download
memory/2440-145-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/2440-131-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2440-132-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2440-144-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/2440-143-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/2440-142-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/2440-137-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/2440-138-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2440-166-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/2440-167-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/2440-168-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/2440-209-0x0000000000C23000-0x0000000000C24000-memory.dmp

Filesize
4KB

Download
memory/2440-206-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

Filesize
4KB

Download
memory/2440-139-0x0000000000C22000-0x0000000000C23000-memory.dmp

Filesize
4KB

Download
memory/2440-203-0x0000000008D60000-0x0000000008D61000-memory.dmp

Filesize
4KB

Download
memory/2440-198-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/2440-178-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2440-189-0x0000000008990000-0x00000000089C3000-memory.dmp

Filesize
204KB

Download
memory/2884-452-0x0000000000000000-mapping.dmp

Download
memory/3084-157-0x0000000000000000-mapping.dmp

Download
memory/3172-441-0x0000000000000000-mapping.dmp

Download
memory/3352-115-0x0000000000EB3000-0x0000000000FA3000-memory.dmp

Filesize
960KB

Download
memory/3352-119-0x0000000000FB0000-0x00000000010B7000-memory.dmp

Filesize
1.0MB

Download
memory/3352-120-0x0000000000400000-0x0000000000966000-memory.dmp

Filesize
5.4MB

Download
memory/3580-174-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/3580-205-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/3580-169-0x0000000000000000-mapping.dmp

Download
memory/3580-273-0x0000000007143000-0x0000000007144000-memory.dmp

Filesize
4KB

Download
memory/3580-171-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/3580-175-0x0000000007142000-0x0000000007143000-memory.dmp

Filesize
4KB

Download
memory/3580-170-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/3948-160-0x000002741ACB0000-0x000002741ACB2000-memory.dmp

Filesize
8KB

Download
memory/3948-155-0x00007FF7D90B5FD0-mapping.dmp

Download
memory/3948-161-0x000002741ACB0000-0x000002741ACB2000-memory.dmp

Filesize
8KB

Download
memory/3948-164-0x0000000000B20000-0x0000000000CC0000-memory.dmp

Filesize
1.6MB

Download
memory/3948-165-0x000002741AE80000-0x000002741B032000-memory.dmp

Filesize
1.7MB

Download
memory/4056-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4056-121-0x0000000005261000-0x0000000006245000-memory.dmp

Filesize
15.9MB

Download
memory/4056-116-0x0000000000000000-mapping.dmp

Download