danabot | 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b

Analysis

max time kernel
130s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe
Size

4.0MB
MD5

a8c0796d74fe9e34fe0c67a500dc7b32
SHA1

ebdd34cd4fda39ade14e4fc0c4e8ce4b397e8959
SHA256

0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b
SHA512

906db571ec138e9fec43e9182ecf2a6a2af7120f85169e14e68d4632c36bf785768a87e2043c9107b0db23f0a3f7c7473b8b1a45a943b79d68d9baf2d8bede33
SSDEEP

98304:acC8excbiUsPc9K7YrHDjJzp1PGcjXF1D4TQ4Ll5nZGv13dwsBD:acC8eKGU8c9fVpBLJ1MT5J5nZp

Score

10^/10

danabot 3 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

79.124.78.236:443

134.119.186.199:443

192.236.162.42:443

134.119.186.198:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

16 2952 RUNDLL32.EXE
18 2952 RUNDLL32.EXE
25 2952 RUNDLL32.EXE
30 2952 RUNDLL32.EXE

flow	pid	process
16	2952	RUNDLL32.EXE
18	2952	RUNDLL32.EXE
25	2952	RUNDLL32.EXE
30	2952	RUNDLL32.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	RUNDLL32.EXE

Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3920 rundll32.exe
2952 RUNDLL32.EXE
2952 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3920	rundll32.exe
2952	RUNDLL32.EXE
2952	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2204 3248 WerFault.exe 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe

pid	pid_target	process	target process
2204	3248	WerFault.exe	0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid process

1164 powershell.exe
1164 powershell.exe
2952 RUNDLL32.EXE
2952 RUNDLL32.EXE
3712 powershell.exe
3712 powershell.exe

pid	process
1164	powershell.exe
1164	powershell.exe
2952	RUNDLL32.EXE
2952	RUNDLL32.EXE
3712	powershell.exe
3712	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3920	rundll32.exe
Token: SeDebugPrivilege	2952	RUNDLL32.EXE
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2952 RUNDLL32.EXE

pid	process
2952	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3248 wrote to memory of 3920	3248	0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe	rundll32.exe
PID 3248 wrote to memory of 3920	3248	0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe	rundll32.exe
PID 3248 wrote to memory of 3920	3248	0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe	rundll32.exe
PID 3920 wrote to memory of 2952	3920	rundll32.exe	RUNDLL32.EXE
PID 3920 wrote to memory of 2952	3920	rundll32.exe	RUNDLL32.EXE
PID 3920 wrote to memory of 2952	3920	rundll32.exe	RUNDLL32.EXE
PID 2952 wrote to memory of 1164	2952	RUNDLL32.EXE	powershell.exe
PID 2952 wrote to memory of 1164	2952	RUNDLL32.EXE	powershell.exe
PID 2952 wrote to memory of 1164	2952	RUNDLL32.EXE	powershell.exe
PID 2952 wrote to memory of 3712	2952	RUNDLL32.EXE	powershell.exe
PID 2952 wrote to memory of 3712	2952	RUNDLL32.EXE	powershell.exe
PID 2952 wrote to memory of 3712	2952	RUNDLL32.EXE	powershell.exe
PID 3712 wrote to memory of 4364	3712	powershell.exe	nslookup.exe
PID 3712 wrote to memory of 4364	3712	powershell.exe	nslookup.exe
PID 3712 wrote to memory of 4364	3712	powershell.exe	nslookup.exe
PID 2952 wrote to memory of 4968	2952	RUNDLL32.EXE	schtasks.exe
PID 2952 wrote to memory of 4968	2952	RUNDLL32.EXE	schtasks.exe
PID 2952 wrote to memory of 4968	2952	RUNDLL32.EXE	schtasks.exe
PID 2952 wrote to memory of 1948	2952	RUNDLL32.EXE	schtasks.exe
PID 2952 wrote to memory of 1948	2952	RUNDLL32.EXE	schtasks.exe
PID 2952 wrote to memory of 1948	2952	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe
"C:\Users\Admin\AppData\Local\Temp\0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0FF222~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\0FF222~1.EXE
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\0FF222~1.DLL,nkBefDZUAw==
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2328.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4D47.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:4364

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:4968

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 536
2⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3248 -ip 3248
1⤵
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6ad58b45ba900fe2b784c35fe1ddd496

SHA1
7701cf4dfebc92b77e3d16a4094dac0def34f13a

SHA256
139a32ad96800367dc709be507e2b78e667610000be7c68f94c174e6fa60f84f

SHA512
168f58da543d5c3a645c9a51916528c8e291f0f49069fb8567328e6960874a97026839a31a3505bcd1cc26320a477fbd095406ff3e12c4419c5429b729cd9c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
c54e1c0e2ea8b06a4b61c1a304658d8c

SHA1
d1e0766a307cd84e3bfda2db7ef01af707c96e53

SHA256
24bcbc97d203be6b6785e18242c8baec336e48cde52e0ceb02cca1f3b6be348d

SHA512
75b2032dcfe601ec3a48bba8245563bafb7b9b93ed3a57990d4c95de0ef84392b3666873cb75d2db53a16c055fdddbb3e93daec4950c64c3bc73a2c2df269fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0FF222~1.DLL
Filesize
3.8MB

MD5
0fa776ebc6c175716ddae5d5ce2a5894

SHA1
3dbb9ac31089481cdba10345889f73d9acb59a02

SHA256
fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

SHA512
55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0FF222~1.EXE.dll
Filesize
3.8MB

MD5
0fa776ebc6c175716ddae5d5ce2a5894

SHA1
3dbb9ac31089481cdba10345889f73d9acb59a02

SHA256
fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

SHA512
55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0FF222~1.EXE.dll
Filesize
3.8MB

MD5
0fa776ebc6c175716ddae5d5ce2a5894

SHA1
3dbb9ac31089481cdba10345889f73d9acb59a02

SHA256
fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

SHA512
55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0FF222~1.EXE.dll
Filesize
3.8MB

MD5
0fa776ebc6c175716ddae5d5ce2a5894

SHA1
3dbb9ac31089481cdba10345889f73d9acb59a02

SHA256
fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

SHA512
55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2328.tmp.ps1
Filesize
261B

MD5
f84d05c90d7201f60b1811e693d93373

SHA1
8476a1e2ae10497a1cd7d3c8964ce85f12cbaad0

SHA256
d1814a71743501a80bdc3711ad4460748b333a0d66cb07b78ce34169dd65810b

SHA512
d0a0be55a5b40ea10d4d969a7cd12c0e14775cc0fb2ab5ec71ab0d72e22ef3e0eba35e987e6ac300ebbb78e7be41b55e3194d9bede5c60e36ff0d2bc3bd9367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2329.tmp
Filesize
1KB

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D47.tmp.ps1
Filesize
80B

MD5
f572f34fe6a4bb7bbcf754072325dcbe

SHA1
e430b7a8f92b80d3f8ff08c96fc5f52d432a1480

SHA256
2c4ea6d1a10afdf0e71b8247560850f74900120a2ff0b6c84213539b802e9531

SHA512
fb9a21ad3ed05c257fe9e772dcc9ce67a542a1d47242f7eec17b6c7f5a110f59ac0c2826c7a097abb8f74a232ee3e83adab5335995f208007039e667a19ffa55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D48.tmp
Filesize
86B

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
memory/1164-165-0x0000000006980000-0x0000000006988000-memory.dmp

Filesize
32KB

Download
memory/1164-161-0x00000000067B0000-0x00000000067BA000-memory.dmp

Filesize
40KB

Download
memory/1164-163-0x00000000069F0000-0x0000000006A0A000-memory.dmp

Filesize
104KB

Download
memory/1164-162-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/1164-159-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/1164-153-0x0000000000000000-mapping.dmp

Download
memory/1164-154-0x0000000004EA0000-0x0000000004ED6000-memory.dmp

Filesize
216KB

Download
memory/1164-155-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/1164-156-0x0000000005BE0000-0x0000000005C02000-memory.dmp

Filesize
136KB

Download
memory/1164-157-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/1164-158-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/1948-175-0x0000000000000000-mapping.dmp

Download
memory/2952-167-0x0000000002960000-0x0000000002FC2000-memory.dmp

Filesize
6.4MB

Download
memory/2952-151-0x0000000002960000-0x0000000002FC2000-memory.dmp

Filesize
6.4MB

Download
memory/2952-150-0x0000000002960000-0x0000000002FC2000-memory.dmp

Filesize
6.4MB

Download
memory/2952-145-0x0000000000000000-mapping.dmp

Download
memory/2952-149-0x0000000002010000-0x00000000023DD000-memory.dmp

Filesize
3.8MB

Download
memory/3248-134-0x0000000000400000-0x0000000000C49000-memory.dmp

Filesize
8.3MB

Download
memory/3248-132-0x00000000012DA000-0x00000000016A6000-memory.dmp

Filesize
3.8MB

Download
memory/3248-152-0x0000000000400000-0x0000000000C49000-memory.dmp

Filesize
8.3MB

Download
memory/3248-133-0x00000000016B0000-0x0000000001A8F000-memory.dmp

Filesize
3.9MB

Download
memory/3712-168-0x0000000000000000-mapping.dmp

Download
memory/3920-146-0x0000000002CF0000-0x0000000003352000-memory.dmp

Filesize
6.4MB

Download
memory/3920-135-0x0000000000000000-mapping.dmp

Download
memory/3920-138-0x0000000002CF0000-0x0000000003352000-memory.dmp

Filesize
6.4MB

Download
memory/3920-164-0x0000000002CF0000-0x0000000003352000-memory.dmp

Filesize
6.4MB

Download
memory/4364-172-0x0000000000000000-mapping.dmp

Download
memory/4968-174-0x0000000000000000-mapping.dmp

Download