danabot | a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe
Size

220KB
MD5

f8e39a71181e2c58912af2da7ab7a797
SHA1

9562e4135653a854657d05dde5073ebd7a9b958a
SHA256

a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162
SHA512

40db32b014305a6dc57ce0e63261313da48520907d7a4b78f9f5374d3c9745cebcb2d81e69a3f35495237809d3459f9c6c23e98e7fdbd54e3c44af6b50886603
SSDEEP

3072:M/lXL0N115qEPG87BONAU7WcXmLm33MKKGeJmSndiqV7b/hQL44rFZNHCDml:KxL0NRPP7Qd71cKKdNvJQkKFzCa

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4824-133-0x00000000004B0000-0x00000000004B9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

39 4352 rundll32.exe
41 4352 rundll32.exe
57 4352 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

D0F1.exesstcwve

pid process

5080 D0F1.exe
1460 sstcwve
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4352 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
39	4352	rundll32.exe
41	4352	rundll32.exe
57	4352	rundll32.exe

pid	process
5080	D0F1.exe
1460	sstcwve

pid	process
4352	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_initiator.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PDFSigQFormalRep.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\MCIMPP.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\drvSOFT.x3d	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3996 5080 WerFault.exe D0F1.exe

pid	pid_target	process	target process
3996	5080	WerFault.exe	D0F1.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exesstcwve

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sstcwve
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sstcwve
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sstcwve

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe

pid	process
4824	a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe
4824	a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044
1044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1044
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exesstcwve

pid process

4824 a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe
1460 sstcwve

pid	process
1044

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1044
Token: SeCreatePagefilePrivilege	1044
Token: SeShutdownPrivilege	1044
Token: SeCreatePagefilePrivilege	1044
Token: SeShutdownPrivilege	1044
Token: SeCreatePagefilePrivilege	1044
Token: SeShutdownPrivilege	1044
Token: SeCreatePagefilePrivilege	1044
Token: SeShutdownPrivilege	1044
Token: SeCreatePagefilePrivilege	1044

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

D0F1.exe

description	pid	process	target process
PID 1044 wrote to memory of 5080	1044		D0F1.exe
PID 1044 wrote to memory of 5080	1044		D0F1.exe
PID 1044 wrote to memory of 5080	1044		D0F1.exe
PID 5080 wrote to memory of 4352	5080	D0F1.exe	rundll32.exe
PID 5080 wrote to memory of 4352	5080	D0F1.exe	rundll32.exe
PID 5080 wrote to memory of 4352	5080	D0F1.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe
"C:\Users\Admin\AppData\Local\Temp\a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4824

C:\Users\Admin\AppData\Local\Temp\D0F1.exe
C:\Users\Admin\AppData\Local\Temp\D0F1.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 528
2⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5080 -ip 5080
1⤵
PID:3920

C:\Users\Admin\AppData\Roaming\sstcwve
C:\Users\Admin\AppData\Roaming\sstcwve
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:3148

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\duplicate.dll",YSFAYQ==
2⤵
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.dll
Filesize
797KB

MD5
dd844585bcfc85e3845deefe7fa556ec

SHA1
bd4bcfe880d5bfc24246b0f57ad13e62f1e29385

SHA256
091bed85ce0342d79db327bc91d1decf803aa5e202a1588333a0a6635b22bd68

SHA512
f4e89386555129fc9f429d8b104af244cc561eeb43233de1d6800cd204940a3916716437e18bb1f93525c3e7ac38968022b803c777f441cffed08ef9e49d8dfe

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.dll
Filesize
797KB

MD5
dd844585bcfc85e3845deefe7fa556ec

SHA1
bd4bcfe880d5bfc24246b0f57ad13e62f1e29385

SHA256
091bed85ce0342d79db327bc91d1decf803aa5e202a1588333a0a6635b22bd68

SHA512
f4e89386555129fc9f429d8b104af244cc561eeb43233de1d6800cd204940a3916716437e18bb1f93525c3e7ac38968022b803c777f441cffed08ef9e49d8dfe

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\EventStore.db
Filesize
20KB

MD5
72826e5803ebc0340e8160023462c34e

SHA1
7d9d99f9736ca166940af9f58ba4db9d941c5371

SHA256
0b8650225becad950a23402a3a1c7d53116182100e21a1765f261d6e369cfa0e

SHA512
a8939e64b7f6d07ed179d4319eb06b2a03656eea37f581468f4eec5346a6b7ecf66e9367250f95b001ab7ca9d4cc711b75c7c367c492f50f8845431c7998bf3e

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
968aa87be32437273382fb97f6d8c21e

SHA1
39403d4378eb77e1708d2aacabb07ae55135890a

SHA256
69cbd403098daee988608b8abe77268608dd1c0bb0197b259a1ea6cf1a9a2838

SHA512
39d73bf797f8cde63dc3c69c28a080ed08146f265734a47d112a25ce7c2f725adeee7d9dec47cd264b0e7df8c551d759b80006adb1ee7d7f18ab333a9f8096ac

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
1e55a5653031f8c327040e74e5f12454

SHA1
75b276940a4b0d0e82d6257ecee78b9d310da33e

SHA256
b99811aa302b11b48f9d9674ace5ea5a059305411d1540d5531085a63164a167

SHA512
6adb6984ab24d92db1b9f872977af01786a88fdf2343946e742be857f51da61975137d389e871e07cebf8db531ea4e6485a0bb29ff2df13b432b3eddaa2a1533

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe.xml
Filesize
57KB

MD5
f99bb3ad5412bb6ac6a062dbfe3573ca

SHA1
2d9df718568e656340832029b100a5d5fd706c34

SHA256
3c43fe71e86b7ec70627b894241e3cdbe2be83a863f42c04e96ab58278222495

SHA512
e9110973f9cac453386804053db5ef68fa528a50d0c5f2dbe7e2d139ad0f5a49aaee1b0e81e60274525b05896ecbb542774a56fad57174e266d90d2bdbd91311

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft_Office_Office Feature Updates Logon.xml
Filesize
3KB

MD5
9663230fbff7b7ea27acf7cb5b2eb224

SHA1
c9061dc5a74944235155461a761456af38ec7de5

SHA256
189d7c143926ab4402258ecf47d9b4a6a2b55aa7564b853ddd81bbfcd2113bdb

SHA512
b96f74946a99d9cca64f7727dd0664fafd16a6a1242af773b36c5f531c071dbf1b91ff873962be2cd160bdcc128b3aaa5715a38f997e5cfa1b78863ab146493d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\UserDeploymentConfiguration.xml
Filesize
614B

MD5
54cec4437128f703c259efb3dc734386

SHA1
9b15ebe33a771a7e12cd966fd8b583da06914015

SHA256
d44d8ffc6e0261e32c4b5c77573a0daa0b4066d4e160c2cd5b5728199f63dfb4

SHA512
c1793acc8f6dc9997fd0261d501ffed200f3c039c9b77e554a031262925878b56727bd84cf5fbeeccb481c1d4511f37e940a8f8436054c8f08adb8e5f46773ea

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\telemetry.ASM-WindowsDefault.json.bk
Filesize
146KB

MD5
d054101b077a5d6ee42f48bbe0a98033

SHA1
e27de6db98d496419be668cdbb0d63693353a08a

SHA256
b44915e8ebc59eb07e1571de5dfe8e7ae87aca64b2aa64bd5aaf3ebfe06f72a8

SHA512
364a15229a7563af5657355b3ec6838f1367f89163fa43cf835756d5b3ae7df1fbd6b577d31f275b5030f00255c2a1958c6d88b43e84b283a602931c9af1921b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0F1.exe
Filesize
1.1MB

MD5
4f8f0cab806928b5c4985da540a0040e

SHA1
ab7d7eef9e748e0fb0dae857dfb9e730b745fbfd

SHA256
ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13

SHA512
959b03e140c2af071841ba96dc9e194d78f31be019cb1f5909695bcca6fc110e0dab4047f3cc87cd17fc96834b51254e2dd9eef83e7ff696b6e3be9b60c10d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0F1.exe
Filesize
1.1MB

MD5
4f8f0cab806928b5c4985da540a0040e

SHA1
ab7d7eef9e748e0fb0dae857dfb9e730b745fbfd

SHA256
ce4234cebbaf5ad991b4e09bfcafbd80d772bbe8b88d3680e839e8280b29ec13

SHA512
959b03e140c2af071841ba96dc9e194d78f31be019cb1f5909695bcca6fc110e0dab4047f3cc87cd17fc96834b51254e2dd9eef83e7ff696b6e3be9b60c10d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Roaming\sstcwve
Filesize
220KB

MD5
f8e39a71181e2c58912af2da7ab7a797

SHA1
9562e4135653a854657d05dde5073ebd7a9b958a

SHA256
a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162

SHA512
40db32b014305a6dc57ce0e63261313da48520907d7a4b78f9f5374d3c9745cebcb2d81e69a3f35495237809d3459f9c6c23e98e7fdbd54e3c44af6b50886603

Download Submit
C:\Users\Admin\AppData\Roaming\sstcwve
Filesize
220KB

MD5
f8e39a71181e2c58912af2da7ab7a797

SHA1
9562e4135653a854657d05dde5073ebd7a9b958a

SHA256
a5f4f4c2a2e7dc35fd28e2f0d7327f04f36a7b1094023db2d2127f77678f6162

SHA512
40db32b014305a6dc57ce0e63261313da48520907d7a4b78f9f5374d3c9745cebcb2d81e69a3f35495237809d3459f9c6c23e98e7fdbd54e3c44af6b50886603

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\duplicate.dll
Filesize
797KB

MD5
dd844585bcfc85e3845deefe7fa556ec

SHA1
bd4bcfe880d5bfc24246b0f57ad13e62f1e29385

SHA256
091bed85ce0342d79db327bc91d1decf803aa5e202a1588333a0a6635b22bd68

SHA512
f4e89386555129fc9f429d8b104af244cc561eeb43233de1d6800cd204940a3916716437e18bb1f93525c3e7ac38968022b803c777f441cffed08ef9e49d8dfe

Download Submit
memory/1044-153-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-183-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-150-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-151-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-152-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-145-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-154-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-155-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-156-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-157-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-158-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-159-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-160-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-161-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-162-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

Filesize
64KB

Download
memory/1044-163-0x0000000007F30000-0x0000000007F40000-memory.dmp

Filesize
64KB

Download
memory/1044-164-0x0000000007F30000-0x0000000007F40000-memory.dmp

Filesize
64KB

Download
memory/1044-165-0x0000000007F30000-0x0000000007F40000-memory.dmp

Filesize
64KB

Download
memory/1044-166-0x0000000007F30000-0x0000000007F40000-memory.dmp

Filesize
64KB

Download
memory/1044-146-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-147-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-148-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-170-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-171-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-172-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-173-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-174-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-175-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-176-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-177-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-178-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-179-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-180-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-181-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-182-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-149-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-184-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-185-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-186-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1044-187-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/1044-188-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/1044-189-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/1044-190-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/1044-191-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/1044-192-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/1044-193-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/1044-194-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/1460-197-0x00000000006C3000-0x00000000006D4000-memory.dmp

Filesize
68KB

Download
memory/1460-198-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1460-199-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3148-205-0x0000000003E80000-0x00000000045A5000-memory.dmp

Filesize
7.1MB

Download
memory/3148-212-0x0000000003E80000-0x00000000045A5000-memory.dmp

Filesize
7.1MB

Download
memory/4352-200-0x0000000005690000-0x00000000057D0000-memory.dmp

Filesize
1.2MB

Download
memory/4352-168-0x0000000004EA0000-0x00000000055C5000-memory.dmp

Filesize
7.1MB

Download
memory/4352-167-0x0000000004EA0000-0x00000000055C5000-memory.dmp

Filesize
7.1MB

Download
memory/4352-139-0x0000000000000000-mapping.dmp

Download
memory/4352-201-0x0000000005690000-0x00000000057D0000-memory.dmp

Filesize
1.2MB

Download
memory/4352-169-0x0000000004EA0000-0x00000000055C5000-memory.dmp

Filesize
7.1MB

Download
memory/4716-211-0x0000000000000000-mapping.dmp

Download
memory/4716-215-0x0000000004890000-0x0000000004FB5000-memory.dmp

Filesize
7.1MB

Download
memory/4716-216-0x0000000004890000-0x0000000004FB5000-memory.dmp

Filesize
7.1MB

Download
memory/4824-132-0x00000000004F2000-0x0000000000502000-memory.dmp

Filesize
64KB

Download
memory/4824-135-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4824-134-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4824-133-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/5080-143-0x00000000023B0000-0x00000000024E0000-memory.dmp

Filesize
1.2MB

Download
memory/5080-142-0x0000000000888000-0x0000000000977000-memory.dmp

Filesize
956KB

Download
memory/5080-144-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/5080-136-0x0000000000000000-mapping.dmp

Download