danabot | f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0

Analysis

max time kernel
157s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe
Size

4.0MB
MD5

4d1a5f5719f0b62562eb0d99f1a7baff
SHA1

7455d73ee12d1ac328f3aedaf2a0f61fd9d69b0d
SHA256

f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0
SHA512

220635c140c062a8265106cb245cfe16316ba592454a66ac8c00a923bd6ea0e0482fdd2b94a9f1f4104c1f318b544f006fc5374f767b2955def208d3e99e7c6e
SSDEEP

98304:MjK/i39kLrkjzYQ3mM1HXZ7sBHLJ868wOq8I9w1yPP7:MjCi39kPLQ3fpu+68JqdP7

Score

10^/10

danabot 3 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

79.124.78.236:443

134.119.186.199:443

192.236.162.42:443

134.119.186.198:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

19 4936 RUNDLL32.EXE
23 4936 RUNDLL32.EXE
24 4936 RUNDLL32.EXE
28 4936 RUNDLL32.EXE

flow	pid	process
19	4936	RUNDLL32.EXE
23	4936	RUNDLL32.EXE
24	4936	RUNDLL32.EXE
28	4936	RUNDLL32.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RUNDLL32.EXE

Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

4832 rundll32.exe
4832 rundll32.exe
4936 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4832	rundll32.exe
4832	rundll32.exe
4936	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4792 4180 WerFault.exe f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe

pid	pid_target	process	target process
4792	4180	WerFault.exe	f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid process

1660 powershell.exe
1660 powershell.exe
4936 RUNDLL32.EXE
4936 RUNDLL32.EXE
1720 powershell.exe
1720 powershell.exe

pid	process
1660	powershell.exe
1660	powershell.exe
4936	RUNDLL32.EXE
4936	RUNDLL32.EXE
1720	powershell.exe
1720	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4832	rundll32.exe
Token: SeDebugPrivilege	4936	RUNDLL32.EXE
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

4936 RUNDLL32.EXE

pid	process
4936	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 4180 wrote to memory of 4832	4180	f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe	rundll32.exe
PID 4180 wrote to memory of 4832	4180	f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe	rundll32.exe
PID 4180 wrote to memory of 4832	4180	f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe	rundll32.exe
PID 4832 wrote to memory of 4936	4832	rundll32.exe	RUNDLL32.EXE
PID 4832 wrote to memory of 4936	4832	rundll32.exe	RUNDLL32.EXE
PID 4832 wrote to memory of 4936	4832	rundll32.exe	RUNDLL32.EXE
PID 4936 wrote to memory of 1660	4936	RUNDLL32.EXE	powershell.exe
PID 4936 wrote to memory of 1660	4936	RUNDLL32.EXE	powershell.exe
PID 4936 wrote to memory of 1660	4936	RUNDLL32.EXE	powershell.exe
PID 4936 wrote to memory of 1720	4936	RUNDLL32.EXE	powershell.exe
PID 4936 wrote to memory of 1720	4936	RUNDLL32.EXE	powershell.exe
PID 4936 wrote to memory of 1720	4936	RUNDLL32.EXE	powershell.exe
PID 1720 wrote to memory of 2324	1720	powershell.exe	nslookup.exe
PID 1720 wrote to memory of 2324	1720	powershell.exe	nslookup.exe
PID 1720 wrote to memory of 2324	1720	powershell.exe	nslookup.exe
PID 4936 wrote to memory of 548	4936	RUNDLL32.EXE	schtasks.exe
PID 4936 wrote to memory of 548	4936	RUNDLL32.EXE	schtasks.exe
PID 4936 wrote to memory of 548	4936	RUNDLL32.EXE	schtasks.exe
PID 4936 wrote to memory of 2260	4936	RUNDLL32.EXE	schtasks.exe
PID 4936 wrote to memory of 2260	4936	RUNDLL32.EXE	schtasks.exe
PID 4936 wrote to memory of 2260	4936	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe
"C:\Users\Admin\AppData\Local\Temp\f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\F055AA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\F055AA~1.EXE
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\F055AA~1.DLL,gCxUfI1A
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1F8E.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB150.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2324

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:548

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 536
2⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4180 -ip 4180
1⤵
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
95201d9e44c732d9b261b4b334505d6b

SHA1
d5f3f499ef27920d8a614152191a7e0c2f9c0264

SHA256
baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669

SHA512
15ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
7fbe8ee49ad4372b16b333635a3cb260

SHA1
bd31a8fddcecce381105fe6034cd566f5d379253

SHA256
77426dd61f7cadb0bf54a73c2b3bc2df7d8a87b05c3bc321c57f6010b7b99918

SHA512
ee1e093270bab625e1107d70abfa08145130d393b1395364e793c1600a534888925549fb336d702dcf2e4dfb1c9c49b4c3893c390eeef0054e5aab124f56d4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F055AA~1.DLL
Filesize
3.8MB

MD5
0fa776ebc6c175716ddae5d5ce2a5894

SHA1
3dbb9ac31089481cdba10345889f73d9acb59a02

SHA256
fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

SHA512
55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F055AA~1.EXE.dll
Filesize
3.8MB

MD5
0fa776ebc6c175716ddae5d5ce2a5894

SHA1
3dbb9ac31089481cdba10345889f73d9acb59a02

SHA256
fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

SHA512
55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F055AA~1.EXE.dll
Filesize
3.8MB

MD5
0fa776ebc6c175716ddae5d5ce2a5894

SHA1
3dbb9ac31089481cdba10345889f73d9acb59a02

SHA256
fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

SHA512
55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F055AA~1.EXE.dll
Filesize
3.8MB

MD5
0fa776ebc6c175716ddae5d5ce2a5894

SHA1
3dbb9ac31089481cdba10345889f73d9acb59a02

SHA256
fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7

SHA512
55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F8E.tmp.ps1
Filesize
261B

MD5
fc8f9131f87304dc8ad086de79e83429

SHA1
a0a1531b50435afffc90127da6e4a8ee2cb39e19

SHA256
ca8ed0a8c02249104596bb6a96b2841040cf3d12b995685a134d81deb1d406ea

SHA512
bdcf98a41c0c3fb5bdef645c5bb60fa135c551891570003de4be38ea89a8b413b59801327cc7edae2ea6a0fd683f746eda455bb038abad2e41d0e032093696fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F8F.tmp
Filesize
1KB

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB150.tmp.ps1
Filesize
80B

MD5
ad92feb595879e782f7bf4ec052607df

SHA1
f9775ba1b8af5798c38ad9fd9d4efeb28d1fa6f9

SHA256
ced9c61b787319b1fcbb1fd908c0babb260bb0201861a0bede6aae8ce41e4515

SHA512
62204707c6bb1910003cc9037c0f4fffd2f2e5ce557d429436f9886663a9884a4d57aa7618aae8b02f46a52d6efd5c895a008eb1f874c3b06a0ae58dbde942a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB151.tmp
Filesize
86B

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
memory/548-169-0x0000000000000000-mapping.dmp

Download
memory/1660-161-0x00000000069F0000-0x0000000006A0A000-memory.dmp

Filesize
104KB

Download
memory/1660-156-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/1660-162-0x00000000069D0000-0x00000000069D8000-memory.dmp

Filesize
32KB

Download
memory/1660-160-0x0000000007F10000-0x000000000858A000-memory.dmp

Filesize
6.5MB

Download
memory/1660-149-0x0000000000000000-mapping.dmp

Download
memory/1660-159-0x00000000068A0000-0x00000000068AA000-memory.dmp

Filesize
40KB

Download
memory/1660-151-0x0000000004FE0000-0x0000000005016000-memory.dmp

Filesize
216KB

Download
memory/1660-152-0x0000000005680000-0x0000000005CA8000-memory.dmp

Filesize
6.2MB

Download
memory/1660-153-0x0000000005620000-0x0000000005642000-memory.dmp

Filesize
136KB

Download
memory/1660-154-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/1660-155-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/1720-164-0x0000000000000000-mapping.dmp

Download
memory/2260-170-0x0000000000000000-mapping.dmp

Download
memory/2324-167-0x0000000000000000-mapping.dmp

Download
memory/4180-133-0x0000000002C30000-0x000000000300F000-memory.dmp

Filesize
3.9MB

Download
memory/4180-134-0x0000000000400000-0x0000000000C49000-memory.dmp

Filesize
8.3MB

Download
memory/4180-132-0x000000000285F000-0x0000000002C2B000-memory.dmp

Filesize
3.8MB

Download
memory/4180-147-0x0000000000400000-0x0000000000C49000-memory.dmp

Filesize
8.3MB

Download
memory/4832-135-0x0000000000000000-mapping.dmp

Download
memory/4832-139-0x00000000023E0000-0x00000000027AD000-memory.dmp

Filesize
3.8MB

Download
memory/4832-140-0x0000000002BF0000-0x0000000003252000-memory.dmp

Filesize
6.4MB

Download
memory/4832-143-0x0000000002BF0000-0x0000000003252000-memory.dmp

Filesize
6.4MB

Download
memory/4936-144-0x00000000031C0000-0x0000000003822000-memory.dmp

Filesize
6.4MB

Download
memory/4936-157-0x00000000031C0000-0x0000000003822000-memory.dmp

Filesize
6.4MB

Download
memory/4936-148-0x00000000031C0000-0x0000000003822000-memory.dmp

Filesize
6.4MB

Download
memory/4936-141-0x0000000000000000-mapping.dmp

Download