danabot | 0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5

Analysis

max time kernel
130s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe
Size

1.1MB
MD5

aa2c4aeb51a56f83a696fdada3056a4e
SHA1

38b9c00bb231b8fbed2661cfbff61bacee81f7a8
SHA256

0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5
SHA512

bef5121f9f944a3b70ad80007a2bc9edb841eb69ee33ffa4ff41b6873217869b98f0be475c5ef215937ffa731c483a045a9be4a595cf364cdd7ef176fb3ceb2a
SSDEEP

24576:YVOLo9vAjkR9Jj7p9Y2FyQeyTloIJIZxSmIuu+NI/nNInr:YICojkvJ3RT/32fI/Cnr

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

13 4984 rundll32.exe
39 4984 rundll32.exe

flow	pid	process
13	4984	rundll32.exe
39	4984	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BIBUtils\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\BIBUtils.dll㈀"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BIBUtils\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exesvchost.exe

pid process

4984 rundll32.exe
564 svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4984 set thread context of 2436 4984 rundll32.exe rundll32.exe

pid	process
4984	rundll32.exe
564	svchost.exe

description	pid	process	target process
PID 4984 set thread context of 2436	4984	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\3difr.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-down.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\submission_history.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Comments.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4776 4912 WerFault.exe 0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe

pid	pid_target	process	target process
4776	4912	WerFault.exe	0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe

Checks processor information in registry 2 TTPs 37 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 4984 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

2436 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4984	rundll32.exe

pid	process
2436	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exerundll32.exe

description	pid	process	target process
PID 4912 wrote to memory of 4984	4912	0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe	rundll32.exe
PID 4912 wrote to memory of 4984	4912	0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe	rundll32.exe
PID 4912 wrote to memory of 4984	4912	0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe	rundll32.exe
PID 4984 wrote to memory of 2436	4984	rundll32.exe	rundll32.exe
PID 4984 wrote to memory of 2436	4984	rundll32.exe	rundll32.exe
PID 4984 wrote to memory of 2436	4984	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe
"C:\Users\Admin\AppData\Local\Temp\0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2436

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1448

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 528
2⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4912 -ip 4912
1⤵
PID:5052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\bibutils.dll",hSNiYlFN
2⤵
PID:3728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll
Filesize
797KB

MD5
f6bfd8ac0af9837490b411e1c46e1e25

SHA1
36708eeb16f4acb8c204cdce76016a8914a2e5a4

SHA256
c23f9b0a0831feb40c9bca3ffbb7ac9418000738243db3e27083cadf610a8c18

SHA512
9a385659f7f9280293a8ae9194a1621c8bcb82f513cf42cf7e38591dc22b21574e22d1f991040da71a791ecef50af9e517e39c0980ce61175c1a86d42fed68db

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll
Filesize
797KB

MD5
f6bfd8ac0af9837490b411e1c46e1e25

SHA1
36708eeb16f4acb8c204cdce76016a8914a2e5a4

SHA256
c23f9b0a0831feb40c9bca3ffbb7ac9418000738243db3e27083cadf610a8c18

SHA512
9a385659f7f9280293a8ae9194a1621c8bcb82f513cf42cf7e38591dc22b21574e22d1f991040da71a791ecef50af9e517e39c0980ce61175c1a86d42fed68db

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml
Filesize
23KB

MD5
37cde9afb1540513bd564d71867021e0

SHA1
e319abb6093025dccc55618fb407c1182ccdafe7

SHA256
516aa640a48752bcadbd46e4f53c0560a1cb379d5366b1c9bb4d0706d1bd040f

SHA512
6746350447a6a0424c90571c7cc3442d34af0cb16fa1459bb76b25423f165f474073f1d359462cb805ac376a9d069236d6b7a796332c27253a4807f691292881

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
a3ce169ef7664f269c9d2211533eeae4

SHA1
e712768deb949664e15a3a651334e4171bd564dd

SHA256
ad507d233a4cd43d7afe81998ad2b76785798757581ce59e3f57c86a48c38d60

SHA512
7692faa05775ac76a9e45050926a31473868871c3d91663221a94d3073ffaa52727cf542d0e70421c5dd05c30e29c9c410aace37d1eb2111f7e17f098f53fdf0

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
7KB

MD5
e585657cf3525fd22dad5e2409eb9e60

SHA1
1c0b9d97bb93098e1d8a162b9725a0d6134dc913

SHA256
581fd3d9aa551599bd691b5b23cdc51c48f7f3a65955adf1e1d0fef0a8cfb8b8

SHA512
601c03a19bb0d1170db8c3a05ff4a38d209e2ec53426b2048362504b75e3971f40480afd118cd741a52e69ba5a55c61dd4cc488f335be3d67584982009392ced

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
28KB

MD5
b8c1eec848c415eea04839ad0af75950

SHA1
652ccb0f39fcb73b3fe31a231e490bbdb2a1d0bc

SHA256
694699e06fa830a2fb3b79d472b9d2560686e5ebd752022fd902ff2d1e82c162

SHA512
24f5629b1947690ee9fa911f1620a311db6f9433e77f8db67b468fb8624c3adcbfb21138c591a51d4e2e5f595ce9a5684203543890165fd2e88092cf303fe563

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\abcpy.ini
Filesize
608B

MD5
818d3a4899c5596d8d8da00a87e6d8bb

SHA1
4e0e04f5ca5d81661702877852fd9d059722762f

SHA256
9986830f6e44d24b86936851c2c0cd961ecdddbed3b34e8f6a64693f36e9429d

SHA512
1cd1c882adcee3d89bdc2b07ccf8d4913149565085d42e0f67a4c08b4c4d504b51c9ae44a11de906a1aed202391eb2b3461f63268158b6879cae9a18d56da239

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edbres00001.jrs
Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\bibutils.dll
Filesize
797KB

MD5
f6bfd8ac0af9837490b411e1c46e1e25

SHA1
36708eeb16f4acb8c204cdce76016a8914a2e5a4

SHA256
c23f9b0a0831feb40c9bca3ffbb7ac9418000738243db3e27083cadf610a8c18

SHA512
9a385659f7f9280293a8ae9194a1621c8bcb82f513cf42cf7e38591dc22b21574e22d1f991040da71a791ecef50af9e517e39c0980ce61175c1a86d42fed68db

Download Submit
memory/564-169-0x00000000039D0000-0x00000000040F5000-memory.dmp

Filesize
7.1MB

Download
memory/564-157-0x00000000039D0000-0x00000000040F5000-memory.dmp

Filesize
7.1MB

Download
memory/1448-167-0x0000000000000000-mapping.dmp

Download
memory/2436-149-0x000001A719230000-0x000001A719370000-memory.dmp

Filesize
1.2MB

Download
memory/2436-151-0x0000000000F30000-0x0000000001149000-memory.dmp

Filesize
2.1MB

Download
memory/2436-148-0x000001A719230000-0x000001A719370000-memory.dmp

Filesize
1.2MB

Download
memory/2436-147-0x00007FF796436890-mapping.dmp

Download
memory/2436-152-0x000001A7193A0000-0x000001A7195CA000-memory.dmp

Filesize
2.2MB

Download
memory/3728-170-0x0000000004840000-0x0000000004F65000-memory.dmp

Filesize
7.1MB

Download
memory/3728-165-0x0000000004840000-0x0000000004F65000-memory.dmp

Filesize
7.1MB

Download
memory/3728-166-0x0000000004840000-0x0000000004F65000-memory.dmp

Filesize
7.1MB

Download
memory/3728-163-0x0000000000000000-mapping.dmp

Download
memory/4312-168-0x0000000000000000-mapping.dmp

Download
memory/4912-138-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4912-132-0x00000000008B9000-0x00000000009A8000-memory.dmp

Filesize
956KB

Download
memory/4912-134-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4912-133-0x0000000002350000-0x0000000002480000-memory.dmp

Filesize
1.2MB

Download
memory/4984-142-0x0000000004790000-0x00000000048D0000-memory.dmp

Filesize
1.2MB

Download
memory/4984-153-0x0000000005620000-0x0000000005D45000-memory.dmp

Filesize
7.1MB

Download
memory/4984-150-0x0000000004809000-0x000000000480B000-memory.dmp

Filesize
8KB

Download
memory/4984-146-0x0000000004790000-0x00000000048D0000-memory.dmp

Filesize
1.2MB

Download
memory/4984-145-0x0000000004790000-0x00000000048D0000-memory.dmp

Filesize
1.2MB

Download
memory/4984-144-0x0000000004790000-0x00000000048D0000-memory.dmp

Filesize
1.2MB

Download
memory/4984-143-0x0000000004790000-0x00000000048D0000-memory.dmp

Filesize
1.2MB

Download
memory/4984-141-0x0000000004790000-0x00000000048D0000-memory.dmp

Filesize
1.2MB

Download
memory/4984-140-0x0000000005620000-0x0000000005D45000-memory.dmp

Filesize
7.1MB

Download
memory/4984-139-0x0000000005620000-0x0000000005D45000-memory.dmp

Filesize
7.1MB

Download
memory/4984-135-0x0000000000000000-mapping.dmp

Download