danabot | 152265b11b39688bfa5dd656dddacf87c01515f70f62aeb3b1406138a77986d5

Analysis

max time kernel
148s
max time network
157s
platform
windows10_x64
resource
win10v20210408
submitted
25-07-2021 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eufive_20210725-084051.exe
Size

1010KB
MD5

1c52aed4df30df05a45966183eeef3c2
SHA1

11f350112bdd668b11b2fb3849ef2b0c7c020bb4
SHA256

152265b11b39688bfa5dd656dddacf87c01515f70f62aeb3b1406138a77986d5
SHA512

7c30a710cdf9e7f7043b1e4a8a9c1af9e2c70570dd428691451f908b0f81f2f4c3c71f691a2174ba339b1b713baa3ace3f65820402a91225387923f848665ab6

Score

10^/10

danabot 15 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

192.52.166.169:443

173.254.204.95:443

192.52.167.45:443

Attributes

embedded_hash
D6A9A294BFDC6F13BFCC2AB0FA9B54B9

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow	pid	process
14	3168	rundll32.exe
15	3472	RUNDLL32.EXE
17	3472	RUNDLL32.EXE
18	3472	RUNDLL32.EXE
21	3472	RUNDLL32.EXE
22	3472	RUNDLL32.EXE
23	3472	RUNDLL32.EXE
24	3472	RUNDLL32.EXE
25	3472	RUNDLL32.EXE
26	3472	RUNDLL32.EXE

Loads dropped DLL 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3168 rundll32.exe
3472 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 3472 set thread context of 2088 3472 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zzdffmctfndsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3168	rundll32.exe
3472	RUNDLL32.EXE

description	pid	process	target process
PID 3472 set thread context of 2088	3472	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zzdffmctfndsm.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3BE6842375B72790BAF6B4E78EC715CFAD797A67\Blob = 0300000001000000140000003be6842375b72790baf6b4e78ec715cfad797a6720000000010000006d02000030820269308201d2a00302010202083d99fcf06cabac71300d06092a864886f70d01010b050030513133303106035504030c2a4d693763726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b3009060355040613025553301e170d3139303732363130333431305a170d3233303732353130333431305a30513133303106035504030c2a4d693763726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100d8e54d16eb8185fa6eb0e3952b57affb61b0b16525a046beed4b1f6467da465153ea0425ca1f71b2e2b1781e0d5e821dc87c62762dd93d0f8190ffebb3ffc919621c779e428488c1e41d838001b38b490a5c84d7f7fb9075e9b0f5ee41d40be5ec1e2864cdcb66bd5c3883e6c11185930e3dfdf1dd1c2a84dd426d479b2993090203010001a34a3048300f0603551d130101ff040530030101ff30350603551d11042e302c822a4d693763726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f72697479300d06092a864886f70d01010b05000381810063b39691ed6b9af1130c542da4d4196920bf304b16c68e28077bb2018e5c20db2a02fce5c3cfbf33abd551b9702d911d83e5b5e3100f0aa3b3e8dd9e7db2ca56d561dcc8c8ee22529956a625191505c595cafae1f701b1d393ec06e9ccbe3992dad806344566c3164023bac6a4e4d6cf37094638650f0a66a6b8ea72cab53fb8	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3BE6842375B72790BAF6B4E78EC715CFAD797A67	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
3472	RUNDLL32.EXE
3472	RUNDLL32.EXE
3472	RUNDLL32.EXE
3472	RUNDLL32.EXE
3472	RUNDLL32.EXE
3472	RUNDLL32.EXE
3472	RUNDLL32.EXE
3472	RUNDLL32.EXE
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
3472	RUNDLL32.EXE
3472	RUNDLL32.EXE
3804	powershell.exe
3804	powershell.exe
3804	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3472 RUNDLL32.EXE
Token: SeDebugPrivilege 3832 powershell.exe
Token: SeDebugPrivilege 3804 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

3472 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	3472	RUNDLL32.EXE
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

eufive_20210725-084051.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 992 wrote to memory of 3168	992	eufive_20210725-084051.exe	rundll32.exe
PID 992 wrote to memory of 3168	992	eufive_20210725-084051.exe	rundll32.exe
PID 992 wrote to memory of 3168	992	eufive_20210725-084051.exe	rundll32.exe
PID 3168 wrote to memory of 3472	3168	rundll32.exe	RUNDLL32.EXE
PID 3168 wrote to memory of 3472	3168	rundll32.exe	RUNDLL32.EXE
PID 3168 wrote to memory of 3472	3168	rundll32.exe	RUNDLL32.EXE
PID 3472 wrote to memory of 2088	3472	RUNDLL32.EXE	rundll32.exe
PID 3472 wrote to memory of 2088	3472	RUNDLL32.EXE	rundll32.exe
PID 3472 wrote to memory of 2088	3472	RUNDLL32.EXE	rundll32.exe
PID 3472 wrote to memory of 3832	3472	RUNDLL32.EXE	powershell.exe
PID 3472 wrote to memory of 3832	3472	RUNDLL32.EXE	powershell.exe
PID 3472 wrote to memory of 3832	3472	RUNDLL32.EXE	powershell.exe
PID 3472 wrote to memory of 3804	3472	RUNDLL32.EXE	powershell.exe
PID 3472 wrote to memory of 3804	3472	RUNDLL32.EXE	powershell.exe
PID 3472 wrote to memory of 3804	3472	RUNDLL32.EXE	powershell.exe
PID 3804 wrote to memory of 2796	3804	powershell.exe	nslookup.exe
PID 3804 wrote to memory of 2796	3804	powershell.exe	nslookup.exe
PID 3804 wrote to memory of 2796	3804	powershell.exe	nslookup.exe
PID 3472 wrote to memory of 1532	3472	RUNDLL32.EXE	schtasks.exe
PID 3472 wrote to memory of 1532	3472	RUNDLL32.EXE	schtasks.exe
PID 3472 wrote to memory of 1532	3472	RUNDLL32.EXE	schtasks.exe
PID 3472 wrote to memory of 3796	3472	RUNDLL32.EXE	schtasks.exe
PID 3472 wrote to memory of 3796	3472	RUNDLL32.EXE	schtasks.exe
PID 3472 wrote to memory of 3796	3472	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\eufive_20210725-084051.exe
"C:\Users\Admin\AppData\Local\Temp\eufive_20210725-084051.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EUFIVE~1.TMP,S C:\Users\Admin\AppData\Local\Temp\EUFIVE~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\EUFIVE~1.TMP,NgktRXRv
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17894
4⤵
PID:2088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE0CC.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp53E.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2796

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1532

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zzdffmctfndsm.tmp
MD5
5736ad016acd8463723ee3f65744b548

SHA1
7fbe23ca7cdf7d08f3f6cef868965fdb84353289

SHA256
5277b678ddeacf11052e73771826607b8865f217b2ce288a78cdaff546dbce27

SHA512
bae4d20523ad332e5946f0366b31aaa1224a036c01f60977c065a64d2a146d00dd9c036e2d2eb8b562689d7679f89937e104323a48aa0fb838c0a46af44019b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4c54c827979ad2100385baf843415c70

SHA1
66abca81487120fdf0590e825e20d7511506a9ad

SHA256
a89aa7120a041ee274f8772caf81fed63c13dc6f7f3b604cda3f22c35be82b24

SHA512
21b1a5d1378dffa3bbb3417bba72459e0c41d5b75dd9f4f2582feedccf6339de108bef32da562acaf7c2b1953e8e061675b700e95ac42779554bbfe5662af121

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUFIVE~1.TMP
MD5
c6a1acce3f89edea61b44ecf55dbc003

SHA1
c5f07041f44922269d6b343f67683d9d343bda46

SHA256
0abf70595efc6d1013e0edc1cc6208df3291db180a41814b367bda9b2f741441

SHA512
1d43df1ca71689e4c56b9c6292ccf75165c0724ebc82483d65eda8d4534e15964d53dc99158172457962e2a4850f58b58509bab0d7233d5002d850cd746b1843

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp53E.tmp.ps1
MD5
34dc836c69cd3354ee0bdef4709a9183

SHA1
94f14f53b2fda516c4d844be689ff78613969963

SHA256
38d26c88f68686d840b74c167c8dad494dd3d20682b98f4fab1cd7b76263aa11

SHA512
53e3c9df45100db37265aae26d2cce05fbb48aaae19b83b7c4b5fdcbdcf3b734df697c144c2c8f20efb4248ba8de42a35cfdf9983711bf8220e1e7c6f28936c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp53F.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0CC.tmp.ps1
MD5
5d465c82b52eabc9978afbb0d3f121d6

SHA1
a7a5a4616276edd4863cacb3a3f359d12e5e48ec

SHA256
5ba0b0d140f502fb0583c8f32198de906e5f641a0c16b5f5575aaf81dbf617ea

SHA512
854d07390a24ea9e3f596bd1292710e2a46164a9044a601f649f3fc974ab86a139e4b4f9e88494455f7ae818e818393aa881b711d671aed18ecb46f183458e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0CD.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
\Users\Admin\AppData\Local\Temp\EUFIVE~1.TMP
MD5
c6a1acce3f89edea61b44ecf55dbc003

SHA1
c5f07041f44922269d6b343f67683d9d343bda46

SHA256
0abf70595efc6d1013e0edc1cc6208df3291db180a41814b367bda9b2f741441

SHA512
1d43df1ca71689e4c56b9c6292ccf75165c0724ebc82483d65eda8d4534e15964d53dc99158172457962e2a4850f58b58509bab0d7233d5002d850cd746b1843

Download Submit
\Users\Admin\AppData\Local\Temp\EUFIVE~1.TMP
MD5
c6a1acce3f89edea61b44ecf55dbc003

SHA1
c5f07041f44922269d6b343f67683d9d343bda46

SHA256
0abf70595efc6d1013e0edc1cc6208df3291db180a41814b367bda9b2f741441

SHA512
1d43df1ca71689e4c56b9c6292ccf75165c0724ebc82483d65eda8d4534e15964d53dc99158172457962e2a4850f58b58509bab0d7233d5002d850cd746b1843

Download Submit
memory/1532-193-0x0000000000000000-mapping.dmp

Download
memory/2088-138-0x0000000000130000-0x00000000002D0000-memory.dmp

Filesize
1.6MB

Download
memory/2088-139-0x0000027A47420000-0x0000027A475D1000-memory.dmp

Filesize
1.7MB

Download
memory/2088-134-0x00007FF6D48A5FD0-mapping.dmp

Download
memory/2796-189-0x0000000000000000-mapping.dmp

Download
memory/3168-114-0x0000000000000000-mapping.dmp

Download
memory/3168-126-0x0000000004AB0000-0x0000000005D46000-memory.dmp

Filesize
18.6MB

Download
memory/3472-137-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/3472-133-0x0000000004D20000-0x0000000005FB6000-memory.dmp

Filesize
18.6MB

Download
memory/3472-123-0x0000000000000000-mapping.dmp

Download
memory/3796-194-0x0000000000000000-mapping.dmp

Download
memory/3804-173-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3804-166-0x0000000000000000-mapping.dmp

Download
memory/3804-192-0x0000000000C83000-0x0000000000C84000-memory.dmp

Filesize
4KB

Download
memory/3804-180-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/3804-177-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/3804-174-0x0000000000C82000-0x0000000000C83000-memory.dmp

Filesize
4KB

Download
memory/3832-161-0x0000000008960000-0x0000000008961000-memory.dmp

Filesize
4KB

Download
memory/3832-147-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/3832-150-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/3832-165-0x0000000000DB3000-0x0000000000DB4000-memory.dmp

Filesize
4KB

Download
memory/3832-152-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/3832-149-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/3832-148-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/3832-160-0x00000000093D0000-0x00000000093D1000-memory.dmp

Filesize
4KB

Download
memory/3832-155-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3832-162-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/3832-151-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/3832-145-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3832-146-0x0000000000DB2000-0x0000000000DB3000-memory.dmp

Filesize
4KB

Download
memory/3832-144-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/3832-153-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/3832-143-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3832-140-0x0000000000000000-mapping.dmp

Download