57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

General
Target     57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll
Filesize   14MB
Completed  11-01-2022 15:36
Score      10/10
MD5        cbac8f0600345f5fdc38a4c9f41e21f3
SHA1       606f627a922e4a22cc139474866559dabea1f0d5
SHA256     57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

Malware Config

Extracted

Family danabot
Version 2108
Botnet 4
C2
  192.119.110.4:443
  103.175.16.113:443
Attributes
  embedded_hash 422236FD601D11EE82825A484D26DD6F
  type main
  rsa_privkey.plain
  rsa_pubkey.plain
Signatures 16

Collection
Credential Access
Defense Evasion
Discovery
Persistence
  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request
    RUNDLL32.EXE

    Reported IOCs

    flow  pid  process
    2     768  RUNDLL32.EXE
    7     768  RUNDLL32.EXE
    10    768  RUNDLL32.EXE
  • Sets DLL path for service in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Sets service image path in registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Enumerates connected drives
    RUNDLL32.EXE

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

  • Drops file in System32 directory
    RUNDLL32.EXE, rundll32.exe

    Reported IOCs

    description  ioc  process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  RUNDLL32.EXE
    File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\pkcs11.txt  rundll32.exe
    File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\cert9.db  rundll32.exe
  • Suspicious use of SetThreadContext
    RUNDLL32.EXE

    Reported IOCs

    description                         pid   process       target process
    PID 1680 set thread context of 532  1680  RUNDLL32.EXE  rundll32.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    rundll32.exe, svchost.exe, RUNDLL32.EXE, RUNDLL32.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

  • Modifies system certificate store
    RUNDLL32.EXE

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description  ioc  process
    Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\367741F623154970EFB9C3D2C9C872206FEF8459  RUNDLL32.EXE
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\367741F623154970EFB9C3D2C9C872206FEF8459\Blob  RUNDLL32.EXE
  • Suspicious behavior: EnumeratesProcesses
    svchost.exe, RUNDLL32.EXE, RUNDLL32.EXE

    Reported IOCs

    pid   process
    544   svchost.exe
    768   RUNDLL32.EXE
    1680  RUNDLL32.EXE
  • Suspicious use of AdjustPrivilegeToken
    RUNDLL32.EXE

    Reported IOCs

    description              pid  process
    Token: SeDebugPrivilege  768  RUNDLL32.EXE
  • Suspicious use of FindShellTrayWindow
    rundll32.exe

    Reported IOCs

    pid  process
    532  rundll32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe, svchost.exe, RUNDLL32.EXE, RUNDLL32.EXE, rundll32.exe

    Reported IOCs

    description                       pid   process       target process
    PID 1472 wrote to memory of 1724  1472  rundll32.exe  rundll32.exe
    PID 544 wrote to memory of 768    544   svchost.exe   RUNDLL32.EXE
    PID 768 wrote to memory of 1680   768   RUNDLL32.EXE  RUNDLL32.EXE
    PID 1680 wrote to memory of 532   1680  RUNDLL32.EXE  rundll32.exe
    PID 532 wrote to memory of 1352   532   rundll32.exe  ctfmon.exe
Processes 7
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,#1
      Checks processor information in registry
      PID:1724
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    Checks processor information in registry
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\SysWOW64\RUNDLL32.EXE
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,OgsvODY1
      Blocklisted process makes network request
      Enumerates connected drives
      Drops file in System32 directory
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,YwdbRnY=
        Suspicious use of SetThreadContext
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\system32\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 7295
          Drops file in System32 directory
          Suspicious use of FindShellTrayWindow
          Suspicious use of WriteProcessMemory
          PID:532
          • C:\Windows\system32\ctfmon.exe
            ctfmon.exe
            PID:1352