danabot | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554

Analysis

max time kernel
154s
max time network
139s
platform
windows10_x64
resource
win10-en-20211014
submitted
04-12-2021 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6313fcca4988a89b15e1e68b7c9ee96e.exe
Size

5.4MB
MD5

6313fcca4988a89b15e1e68b7c9ee96e
SHA1

a53ce6d8455d9f0cea51c0863425532f96d3250d
SHA256

a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554
SHA512

c13536c79b25b0b048fa255f7dffccb10b1d4c9515c303095d1787021fc51c37464dadddaf30f5c6d01859316447ff874e114a8025e4389237cf704dcb616398

Score

10^/10

danabot banker evasion themida trojan

Malware Config

Extracted

Family

danabot

142.11.244.223:443

23.106.122.139:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL	DanabotLoader2021
behavioral2/memory/2340-156-0x00000000047B0000-0x0000000004A2D000-memory.dmp	DanabotLoader2021

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

30 1256 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

orchic.exequothavp.exeqeysarbeam.exeDpEditor.exe

pid process

4052 orchic.exe
988 quothavp.exe
2124 qeysarbeam.exe
1832 DpEditor.exe

flow	pid	process
30	1256	WScript.exe

pid	process
4052	orchic.exe
988	quothavp.exe
2124	qeysarbeam.exe
1832	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

quothavp.exeDpEditor.exeorchic.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	quothavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	quothavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	orchic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	orchic.exe

Loads dropped DLL 3 IoCs

Processes:

6313fcca4988a89b15e1e68b7c9ee96e.exerundll32.exe

pid process

3556 6313fcca4988a89b15e1e68b7c9ee96e.exe
2340 rundll32.exe
2340 rundll32.exe

pid	process
3556	6313fcca4988a89b15e1e68b7c9ee96e.exe
2340	rundll32.exe
2340	rundll32.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe	themida
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe	themida
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe	themida
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe	themida
behavioral2/memory/4052-123-0x0000000000AB0000-0x000000000119A000-memory.dmp	themida
behavioral2/memory/4052-124-0x0000000000AB0000-0x000000000119A000-memory.dmp	themida
behavioral2/memory/4052-125-0x0000000000AB0000-0x000000000119A000-memory.dmp	themida
behavioral2/memory/4052-126-0x0000000000AB0000-0x000000000119A000-memory.dmp	themida
behavioral2/memory/988-127-0x0000000001320000-0x00000000019FE000-memory.dmp	themida
behavioral2/memory/988-128-0x0000000001320000-0x00000000019FE000-memory.dmp	themida
behavioral2/memory/988-130-0x0000000001320000-0x00000000019FE000-memory.dmp	themida
behavioral2/memory/988-131-0x0000000001320000-0x00000000019FE000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral2/memory/1832-142-0x00000000013B0000-0x0000000001A9A000-memory.dmp	themida
behavioral2/memory/1832-140-0x00000000013B0000-0x0000000001A9A000-memory.dmp	themida
behavioral2/memory/1832-143-0x00000000013B0000-0x0000000001A9A000-memory.dmp	themida
behavioral2/memory/1832-144-0x00000000013B0000-0x0000000001A9A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DpEditor.exeorchic.exequothavp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	orchic.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	quothavp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

orchic.exequothavp.exeDpEditor.exe

pid process

4052 orchic.exe
988 quothavp.exe
1832 DpEditor.exe

flow	ioc
8	ip-api.com

pid	process
4052	orchic.exe
988	quothavp.exe
1832	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

6313fcca4988a89b15e1e68b7c9ee96e.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	6313fcca4988a89b15e1e68b7c9ee96e.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	6313fcca4988a89b15e1e68b7c9ee96e.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	6313fcca4988a89b15e1e68b7c9ee96e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

quothavp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	quothavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	quothavp.exe

Modifies registry class 1 IoCs

Processes:

quothavp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings quothavp.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1832 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

orchic.exequothavp.exeDpEditor.exe

pid process

4052 orchic.exe
4052 orchic.exe
988 quothavp.exe
988 quothavp.exe
1832 DpEditor.exe
1832 DpEditor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	quothavp.exe

pid	process
1832	DpEditor.exe

pid	process
4052	orchic.exe
4052	orchic.exe
988	quothavp.exe
988	quothavp.exe
1832	DpEditor.exe
1832	DpEditor.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

6313fcca4988a89b15e1e68b7c9ee96e.exequothavp.exeorchic.exeqeysarbeam.exe

description	pid	process	target process
PID 3556 wrote to memory of 4052	3556	6313fcca4988a89b15e1e68b7c9ee96e.exe	orchic.exe
PID 3556 wrote to memory of 4052	3556	6313fcca4988a89b15e1e68b7c9ee96e.exe	orchic.exe
PID 3556 wrote to memory of 4052	3556	6313fcca4988a89b15e1e68b7c9ee96e.exe	orchic.exe
PID 3556 wrote to memory of 988	3556	6313fcca4988a89b15e1e68b7c9ee96e.exe	quothavp.exe
PID 3556 wrote to memory of 988	3556	6313fcca4988a89b15e1e68b7c9ee96e.exe	quothavp.exe
PID 3556 wrote to memory of 988	3556	6313fcca4988a89b15e1e68b7c9ee96e.exe	quothavp.exe
PID 988 wrote to memory of 2124	988	quothavp.exe	qeysarbeam.exe
PID 988 wrote to memory of 2124	988	quothavp.exe	qeysarbeam.exe
PID 988 wrote to memory of 2124	988	quothavp.exe	qeysarbeam.exe
PID 988 wrote to memory of 3736	988	quothavp.exe	WScript.exe
PID 988 wrote to memory of 3736	988	quothavp.exe	WScript.exe
PID 988 wrote to memory of 3736	988	quothavp.exe	WScript.exe
PID 4052 wrote to memory of 1832	4052	orchic.exe	DpEditor.exe
PID 4052 wrote to memory of 1832	4052	orchic.exe	DpEditor.exe
PID 4052 wrote to memory of 1832	4052	orchic.exe	DpEditor.exe
PID 988 wrote to memory of 1256	988	quothavp.exe	WScript.exe
PID 988 wrote to memory of 1256	988	quothavp.exe	WScript.exe
PID 988 wrote to memory of 1256	988	quothavp.exe	WScript.exe
PID 2124 wrote to memory of 2340	2124	qeysarbeam.exe	rundll32.exe
PID 2124 wrote to memory of 2340	2124	qeysarbeam.exe	rundll32.exe
PID 2124 wrote to memory of 2340	2124	qeysarbeam.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6313fcca4988a89b15e1e68b7c9ee96e.exe
"C:\Users\Admin\AppData\Local\Temp\6313fcca4988a89b15e1e68b7c9ee96e.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3556

C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
"C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
"C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\qeysarbeam.exe
"C:\Users\Admin\AppData\Local\Temp\qeysarbeam.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL,s C:\Users\Admin\AppData\Local\Temp\QEYSAR~1.EXE
4⤵
- Loads dropped DLL
PID:2340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ltudisaf.vbs"
3⤵
PID:3736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yvomqnau.vbs"
3⤵
- Blocklisted process makes network request
PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
99a5a8fb6873e1a558dad8c460a256a0

SHA1
ae6919cce8cfe07d6a829caa1c9f9e6b63174862

SHA256
820cdfb9cb2a1ce4728f595c7742dcbdb8984f74389b9e190004c2df211f3df4

SHA512
a489a3615c25f05497726989d7956d37100420c90d2412dba8cc4e15b335ef00c526f47c77179d6aecdb611b7e0f34bdbb03104ec683e15e393039e7dd96c41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL
MD5
da86d0ac367a22994d23ad3e669af8fe

SHA1
b13845b487d6e6591227684aa436747d70dde852

SHA256
41a4f423c3c7c78ac704123a96eacd3b95241d4a6f5176f9f3cb0672a6b2be6a

SHA512
00408ba3301e6ce07cbb623028234602a263a8857b66391abb1d56643b72b56fcf8f67323112876c764e451ddd8bebbff6042b287f96e490194b5879f90ee45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltudisaf.vbs
MD5
0973c3953c88923b4a3c6401fd1643b8

SHA1
6e6c1d7dbf039d5438195fae347c1aefdbca02e3

SHA256
c7003123df63868cdf406bc05b763592768d91ed19afdd88b38765b0c9124bbb

SHA512
199cc6d2a28598fc30b90685ee6a64cd98cd8c46588e9c8b2d5f3c718f0818ea21f88f4f1aaf9a9bd4541e83c19967863f2303e2920d0122af8127841744ece1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeysarbeam.exe
MD5
3c55016b9594fc1aeb69976466528bae

SHA1
b21c915d9f85036cf23059a12810fe8014f3c8b3

SHA256
af4df125c8018d224c5964778c863e2dd0449efb11d8b59a2fcae12f043111d0

SHA512
bb542883f49be855f5e82e45c047baac9f1c31dd4cb367e3c223a63c4eb8898c05ea7606e5397efc40e5a7e03215579c94c1580da83d94e396a96563222924cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeysarbeam.exe
MD5
3c55016b9594fc1aeb69976466528bae

SHA1
b21c915d9f85036cf23059a12810fe8014f3c8b3

SHA256
af4df125c8018d224c5964778c863e2dd0449efb11d8b59a2fcae12f043111d0

SHA512
bb542883f49be855f5e82e45c047baac9f1c31dd4cb367e3c223a63c4eb8898c05ea7606e5397efc40e5a7e03215579c94c1580da83d94e396a96563222924cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
MD5
2eb04ff3566639089f24cb4e87b1c789

SHA1
1ae976819149068108dcf192b1bfab6e248e5927

SHA256
7dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08

SHA512
f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b

Download Submit
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
MD5
2eb04ff3566639089f24cb4e87b1c789

SHA1
1ae976819149068108dcf192b1bfab6e248e5927

SHA256
7dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08

SHA512
f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b

Download Submit
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
MD5
745ba11a8c55465bd8f91325543fe28a

SHA1
25c57c81189f6763615c45735402f5a7a221289e

SHA256
f2cf231fdb42806b43ccaee4e123cf74012b860411e56b534c59bb860852ff37

SHA512
36bdd6297510d789b704183dc83a9d041e29a96fe654f25875bba21319dd09855f40d2e9c72f6e83f868b10dca833add11d73bfa4e0186fdb935aaa9159d04ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
MD5
745ba11a8c55465bd8f91325543fe28a

SHA1
25c57c81189f6763615c45735402f5a7a221289e

SHA256
f2cf231fdb42806b43ccaee4e123cf74012b860411e56b534c59bb860852ff37

SHA512
36bdd6297510d789b704183dc83a9d041e29a96fe654f25875bba21319dd09855f40d2e9c72f6e83f868b10dca833add11d73bfa4e0186fdb935aaa9159d04ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvomqnau.vbs
MD5
5bb87c3110857c4e59fea15ca3ae3c52

SHA1
5cccb3decf7601b8fe59d6b58e6b429c9f33c920

SHA256
b997b798f180c4516594fb37ef37fc83d82b3cbf7b891544b50769249d53c98f

SHA512
3d1e38d68e1d512b78647b0e36bcd0ef492ac1b8e490999b5a7e095e8293ea8c4421103b402da126a074aefee38916f48a39047953f206002054e149192829df

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
2eb04ff3566639089f24cb4e87b1c789

SHA1
1ae976819149068108dcf192b1bfab6e248e5927

SHA256
7dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08

SHA512
f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
2eb04ff3566639089f24cb4e87b1c789

SHA1
1ae976819149068108dcf192b1bfab6e248e5927

SHA256
7dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08

SHA512
f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b

Download Submit
\Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL
MD5
da86d0ac367a22994d23ad3e669af8fe

SHA1
b13845b487d6e6591227684aa436747d70dde852

SHA256
41a4f423c3c7c78ac704123a96eacd3b95241d4a6f5176f9f3cb0672a6b2be6a

SHA512
00408ba3301e6ce07cbb623028234602a263a8857b66391abb1d56643b72b56fcf8f67323112876c764e451ddd8bebbff6042b287f96e490194b5879f90ee45e

Download Submit
\Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL
MD5
da86d0ac367a22994d23ad3e669af8fe

SHA1
b13845b487d6e6591227684aa436747d70dde852

SHA256
41a4f423c3c7c78ac704123a96eacd3b95241d4a6f5176f9f3cb0672a6b2be6a

SHA512
00408ba3301e6ce07cbb623028234602a263a8857b66391abb1d56643b72b56fcf8f67323112876c764e451ddd8bebbff6042b287f96e490194b5879f90ee45e

Download Submit
\Users\Admin\AppData\Local\Temp\nszE783.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/988-120-0x0000000000000000-mapping.dmp

Download
memory/988-131-0x0000000001320000-0x00000000019FE000-memory.dmp

Filesize
6.9MB

Download
memory/988-129-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/988-128-0x0000000001320000-0x00000000019FE000-memory.dmp

Filesize
6.9MB

Download
memory/988-127-0x0000000001320000-0x00000000019FE000-memory.dmp

Filesize
6.9MB

Download
memory/988-130-0x0000000001320000-0x00000000019FE000-memory.dmp

Filesize
6.9MB

Download
memory/1256-148-0x0000000000000000-mapping.dmp

Download
memory/1832-141-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/1832-137-0x0000000000000000-mapping.dmp

Download
memory/1832-142-0x00000000013B0000-0x0000000001A9A000-memory.dmp

Filesize
6.9MB

Download
memory/1832-140-0x00000000013B0000-0x0000000001A9A000-memory.dmp

Filesize
6.9MB

Download
memory/1832-143-0x00000000013B0000-0x0000000001A9A000-memory.dmp

Filesize
6.9MB

Download
memory/1832-144-0x00000000013B0000-0x0000000001A9A000-memory.dmp

Filesize
6.9MB

Download
memory/2124-145-0x000000000233E000-0x00000000024CE000-memory.dmp

Filesize
1.6MB

Download
memory/2124-146-0x00000000024D0000-0x0000000002677000-memory.dmp

Filesize
1.7MB

Download
memory/2124-147-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2124-132-0x0000000000000000-mapping.dmp

Download
memory/2340-152-0x0000000000000000-mapping.dmp

Download
memory/2340-156-0x00000000047B0000-0x0000000004A2D000-memory.dmp

Filesize
2.5MB

Download
memory/3736-135-0x0000000000000000-mapping.dmp

Download
memory/4052-126-0x0000000000AB0000-0x000000000119A000-memory.dmp

Filesize
6.9MB

Download
memory/4052-125-0x0000000000AB0000-0x000000000119A000-memory.dmp

Filesize
6.9MB

Download
memory/4052-124-0x0000000000AB0000-0x000000000119A000-memory.dmp

Filesize
6.9MB

Download
memory/4052-123-0x0000000000AB0000-0x000000000119A000-memory.dmp

Filesize
6.9MB

Download
memory/4052-119-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-116-0x0000000000000000-mapping.dmp

Download