danabot | 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7

Analysis

max time kernel
119s
max time network
119s
platform
windows10_x64
resource
win10-en-20211208
submitted
20-12-2021 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6851ee86ef723624b9d8bb881188b745.exe
Size

5.4MB
MD5

6851ee86ef723624b9d8bb881188b745
SHA1

bd1354f4b1679b4b5aa79bb3af38d3e041ebd24c
SHA256

0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7
SHA512

24ca73eb150904362a14577bbbd88f585412f1b1e660631ae7614d80d0dbea58d877548d8f816e56d76933bdc8af734051183624e728b2653a59713f7e75c7fa

Score

10^/10

danabot 4 banker evasion themida trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.223:443

23.106.122.139:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL	DanabotLoader2021
behavioral2/memory/1596-156-0x0000000003FD0000-0x000000000424F000-memory.dmp	DanabotLoader2021

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

33 700 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

edenic.exegodwitvp.exeaxuvyyghc.exeDpEditor.exe

pid process

2676 edenic.exe
3512 godwitvp.exe
868 axuvyyghc.exe
3160 DpEditor.exe

flow	pid	process
33	700	WScript.exe

pid	process
2676	edenic.exe
3512	godwitvp.exe
868	axuvyyghc.exe
3160	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

edenic.exegodwitvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	edenic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	edenic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	godwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	godwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Loads dropped DLL 3 IoCs

Processes:

6851ee86ef723624b9d8bb881188b745.exerundll32.exe

pid process

2360 6851ee86ef723624b9d8bb881188b745.exe
1596 rundll32.exe
1596 rundll32.exe

pid	process
2360	6851ee86ef723624b9d8bb881188b745.exe
1596	rundll32.exe
1596	rundll32.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe	themida
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe	themida
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe	themida
behavioral2/memory/2676-122-0x0000000001120000-0x000000000180B000-memory.dmp	themida
behavioral2/memory/2676-123-0x0000000001120000-0x000000000180B000-memory.dmp	themida
behavioral2/memory/2676-124-0x0000000001120000-0x000000000180B000-memory.dmp	themida
behavioral2/memory/2676-125-0x0000000001120000-0x000000000180B000-memory.dmp	themida
behavioral2/memory/3512-127-0x00000000003F0000-0x0000000000ABD000-memory.dmp	themida
behavioral2/memory/3512-129-0x00000000003F0000-0x0000000000ABD000-memory.dmp	themida
behavioral2/memory/3512-130-0x00000000003F0000-0x0000000000ABD000-memory.dmp	themida
behavioral2/memory/3512-131-0x00000000003F0000-0x0000000000ABD000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral2/memory/3160-140-0x0000000000EF0000-0x00000000015DB000-memory.dmp	themida
behavioral2/memory/3160-141-0x0000000000EF0000-0x00000000015DB000-memory.dmp	themida
behavioral2/memory/3160-142-0x0000000000EF0000-0x00000000015DB000-memory.dmp	themida
behavioral2/memory/3160-143-0x0000000000EF0000-0x00000000015DB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

godwitvp.exeDpEditor.exeedenic.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	godwitvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	edenic.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

edenic.exegodwitvp.exeDpEditor.exe

pid process

2676 edenic.exe
3512 godwitvp.exe
3160 DpEditor.exe

flow	ioc
8	ip-api.com

pid	process
2676	edenic.exe
3512	godwitvp.exe
3160	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

6851ee86ef723624b9d8bb881188b745.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acledit.dll	6851ee86ef723624b9d8bb881188b745.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	6851ee86ef723624b9d8bb881188b745.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	6851ee86ef723624b9d8bb881188b745.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

godwitvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	godwitvp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	godwitvp.exe

Modifies registry class 1 IoCs

Processes:

godwitvp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings godwitvp.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

3160 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

edenic.exegodwitvp.exeDpEditor.exe

pid process

2676 edenic.exe
2676 edenic.exe
3512 godwitvp.exe
3512 godwitvp.exe
3160 DpEditor.exe
3160 DpEditor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	godwitvp.exe

pid	process
3160	DpEditor.exe

pid	process
2676	edenic.exe
2676	edenic.exe
3512	godwitvp.exe
3512	godwitvp.exe
3160	DpEditor.exe
3160	DpEditor.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

6851ee86ef723624b9d8bb881188b745.exegodwitvp.exeedenic.exeaxuvyyghc.exe

description	pid	process	target process
PID 2360 wrote to memory of 2676	2360	6851ee86ef723624b9d8bb881188b745.exe	edenic.exe
PID 2360 wrote to memory of 2676	2360	6851ee86ef723624b9d8bb881188b745.exe	edenic.exe
PID 2360 wrote to memory of 2676	2360	6851ee86ef723624b9d8bb881188b745.exe	edenic.exe
PID 2360 wrote to memory of 3512	2360	6851ee86ef723624b9d8bb881188b745.exe	godwitvp.exe
PID 2360 wrote to memory of 3512	2360	6851ee86ef723624b9d8bb881188b745.exe	godwitvp.exe
PID 2360 wrote to memory of 3512	2360	6851ee86ef723624b9d8bb881188b745.exe	godwitvp.exe
PID 3512 wrote to memory of 868	3512	godwitvp.exe	axuvyyghc.exe
PID 3512 wrote to memory of 868	3512	godwitvp.exe	axuvyyghc.exe
PID 3512 wrote to memory of 868	3512	godwitvp.exe	axuvyyghc.exe
PID 3512 wrote to memory of 3644	3512	godwitvp.exe	WScript.exe
PID 3512 wrote to memory of 3644	3512	godwitvp.exe	WScript.exe
PID 3512 wrote to memory of 3644	3512	godwitvp.exe	WScript.exe
PID 2676 wrote to memory of 3160	2676	edenic.exe	DpEditor.exe
PID 2676 wrote to memory of 3160	2676	edenic.exe	DpEditor.exe
PID 2676 wrote to memory of 3160	2676	edenic.exe	DpEditor.exe
PID 3512 wrote to memory of 700	3512	godwitvp.exe	WScript.exe
PID 3512 wrote to memory of 700	3512	godwitvp.exe	WScript.exe
PID 3512 wrote to memory of 700	3512	godwitvp.exe	WScript.exe
PID 868 wrote to memory of 1596	868	axuvyyghc.exe	rundll32.exe
PID 868 wrote to memory of 1596	868	axuvyyghc.exe	rundll32.exe
PID 868 wrote to memory of 1596	868	axuvyyghc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6851ee86ef723624b9d8bb881188b745.exe
"C:\Users\Admin\AppData\Local\Temp\6851ee86ef723624b9d8bb881188b745.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe
"C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:3160

C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe
"C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\axuvyyghc.exe
"C:\Users\Admin\AppData\Local\Temp\axuvyyghc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL,s C:\Users\Admin\AppData\Local\Temp\AXUVYY~1.EXE
4⤵
- Loads dropped DLL
PID:1596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\obyalovbt.vbs"
3⤵
PID:3644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lfjfjmhdli.vbs"
3⤵
- Blocklisted process makes network request
PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
d6ee9b2a32047b5ed8001017f0eb38fe

SHA1
ec9e6ff0e043233291ff3e876c8f10ff105297ce

SHA256
3cc4a17af573bbd1257f1ec1f19246e686027ceb82ccc7c9848cf531cb6ae9bf

SHA512
2960bf1aaf60f568d0e022c3de191935164ad9e40caa6579cccca575c6e45f60d999c50dc7d887003b9e71e0f3785013d00ec498a2de56521725485c38e72792

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL
MD5
953511e25c13dd42164eee581b8d22d1

SHA1
7cc3835aba8bffeefc2a3543771f612b9df10a45

SHA256
265ec090b8e7ff8f265a4c6408913bd0e26cda3d24a281a0fdf5e15573da4997

SHA512
9547135071da205cb5e06db6cfea0ef3d36c685bedded98718ad564bfa4d980159fb808fecf919037bde2a98ea466981d9992e4ccbafe3df1b5309d26a7810d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\axuvyyghc.exe
MD5
5e6f48e80a2bb43b29d4745359f8b604

SHA1
ad02a52026dc381b1993aa127ae245fe6fba639e

SHA256
af6d253636a1e3bc1da6d81a834a5fa234e451ef55b7d880a750714333eeaa7a

SHA512
9aa50e13247a5135c365a311a3a186f77681eb7fb5324b5c0d0495b6da84da91d79a458d33fbf4dc92c00d6718b9a5f5d3717e25ed71f650cc1501064fc39a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axuvyyghc.exe
MD5
5e6f48e80a2bb43b29d4745359f8b604

SHA1
ad02a52026dc381b1993aa127ae245fe6fba639e

SHA256
af6d253636a1e3bc1da6d81a834a5fa234e451ef55b7d880a750714333eeaa7a

SHA512
9aa50e13247a5135c365a311a3a186f77681eb7fb5324b5c0d0495b6da84da91d79a458d33fbf4dc92c00d6718b9a5f5d3717e25ed71f650cc1501064fc39a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe
MD5
c9bdb6ed5eb6da1c74b956937bbd31b4

SHA1
a9c6389196fa0c28b91b1802758981feee113031

SHA256
31eb4eec08c93c2770affd600e010182855e63322fba278afede89816faff6aa

SHA512
496657b02941e8548c397f9b59eeaa2671fa7921ac052d1b336147b881975bc47861da7a6c16c3a53e759704300cd66ce31ae1a3b286875bf5e563aa9a697295

Download Submit
C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe
MD5
c9bdb6ed5eb6da1c74b956937bbd31b4

SHA1
a9c6389196fa0c28b91b1802758981feee113031

SHA256
31eb4eec08c93c2770affd600e010182855e63322fba278afede89816faff6aa

SHA512
496657b02941e8548c397f9b59eeaa2671fa7921ac052d1b336147b881975bc47861da7a6c16c3a53e759704300cd66ce31ae1a3b286875bf5e563aa9a697295

Download Submit
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe
MD5
adca6cddf728ac19287c8da0690ce78e

SHA1
3bc43b39ac78d1edebf83ae6a95108b95acdb439

SHA256
7aaf99f9ad42337851b40596faf2241ae2957048c2862aad402320312536c6d7

SHA512
81dcd61505a0ced122e7b0ca12dd3520a475025643c8ca109edfd13fd017740c7ad32f854c87ea87c3eabadc780c3c4b041b247888aa7f22ffd5714be4051140

Download Submit
C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe
MD5
adca6cddf728ac19287c8da0690ce78e

SHA1
3bc43b39ac78d1edebf83ae6a95108b95acdb439

SHA256
7aaf99f9ad42337851b40596faf2241ae2957048c2862aad402320312536c6d7

SHA512
81dcd61505a0ced122e7b0ca12dd3520a475025643c8ca109edfd13fd017740c7ad32f854c87ea87c3eabadc780c3c4b041b247888aa7f22ffd5714be4051140

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfjfjmhdli.vbs
MD5
eccde4d25a51e6987ac7be0773723f5e

SHA1
0c5d2c21e7cf9e4b65bd67f3331e5558344a303b

SHA256
945054a9a4e76f433afe0eafdd4c5e9065e0e6ccc763486c7b3730316a934506

SHA512
81a623e3d04cb7e34c29372be55bee978ee8f67ee1898f7563f2190792a54b655b294f62e4b229ad15e36098e310c95606e592075887855692b75f942cddff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\obyalovbt.vbs
MD5
82764bbf6e25db800dfcc3c1c3cca247

SHA1
46ac0a63852ca7f1864f3463eff5b68f52b1fe19

SHA256
b088bb35b016f896803d933190ffc614e61e5b512e1a294a0b33d3af3d286e4b

SHA512
cc9bea32fd3864fc55ef35de0b8498315da0353b76569756c4dcafa5c53a99bd51dbe8d61d4ea06e55793a58298707bac70fef2d89dc5988ae3134f4a0a05414

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
c9bdb6ed5eb6da1c74b956937bbd31b4

SHA1
a9c6389196fa0c28b91b1802758981feee113031

SHA256
31eb4eec08c93c2770affd600e010182855e63322fba278afede89816faff6aa

SHA512
496657b02941e8548c397f9b59eeaa2671fa7921ac052d1b336147b881975bc47861da7a6c16c3a53e759704300cd66ce31ae1a3b286875bf5e563aa9a697295

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
c9bdb6ed5eb6da1c74b956937bbd31b4

SHA1
a9c6389196fa0c28b91b1802758981feee113031

SHA256
31eb4eec08c93c2770affd600e010182855e63322fba278afede89816faff6aa

SHA512
496657b02941e8548c397f9b59eeaa2671fa7921ac052d1b336147b881975bc47861da7a6c16c3a53e759704300cd66ce31ae1a3b286875bf5e563aa9a697295

Download Submit
\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL
MD5
953511e25c13dd42164eee581b8d22d1

SHA1
7cc3835aba8bffeefc2a3543771f612b9df10a45

SHA256
265ec090b8e7ff8f265a4c6408913bd0e26cda3d24a281a0fdf5e15573da4997

SHA512
9547135071da205cb5e06db6cfea0ef3d36c685bedded98718ad564bfa4d980159fb808fecf919037bde2a98ea466981d9992e4ccbafe3df1b5309d26a7810d9

Download Submit
\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL
MD5
953511e25c13dd42164eee581b8d22d1

SHA1
7cc3835aba8bffeefc2a3543771f612b9df10a45

SHA256
265ec090b8e7ff8f265a4c6408913bd0e26cda3d24a281a0fdf5e15573da4997

SHA512
9547135071da205cb5e06db6cfea0ef3d36c685bedded98718ad564bfa4d980159fb808fecf919037bde2a98ea466981d9992e4ccbafe3df1b5309d26a7810d9

Download Submit
\Users\Admin\AppData\Local\Temp\nszCEFA.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/700-148-0x0000000000000000-mapping.dmp

Download
memory/868-147-0x0000000000400000-0x0000000000653000-memory.dmp

Filesize
2.3MB

Download
memory/868-132-0x0000000000000000-mapping.dmp

Download
memory/868-146-0x0000000002430000-0x00000000025D6000-memory.dmp

Filesize
1.6MB

Download
memory/868-145-0x0000000002298000-0x0000000002428000-memory.dmp

Filesize
1.6MB

Download
memory/1596-152-0x0000000000000000-mapping.dmp

Download
memory/1596-156-0x0000000003FD0000-0x000000000424F000-memory.dmp

Filesize
2.5MB

Download
memory/2676-125-0x0000000001120000-0x000000000180B000-memory.dmp

Filesize
6.9MB

Download
memory/2676-126-0x0000000077930000-0x0000000077ABE000-memory.dmp

Filesize
1.6MB

Download
memory/2676-116-0x0000000000000000-mapping.dmp

Download
memory/2676-122-0x0000000001120000-0x000000000180B000-memory.dmp

Filesize
6.9MB

Download
memory/2676-123-0x0000000001120000-0x000000000180B000-memory.dmp

Filesize
6.9MB

Download
memory/2676-124-0x0000000001120000-0x000000000180B000-memory.dmp

Filesize
6.9MB

Download
memory/3160-140-0x0000000000EF0000-0x00000000015DB000-memory.dmp

Filesize
6.9MB

Download
memory/3160-141-0x0000000000EF0000-0x00000000015DB000-memory.dmp

Filesize
6.9MB

Download
memory/3160-142-0x0000000000EF0000-0x00000000015DB000-memory.dmp

Filesize
6.9MB

Download
memory/3160-143-0x0000000000EF0000-0x00000000015DB000-memory.dmp

Filesize
6.9MB

Download
memory/3160-144-0x0000000077930000-0x0000000077ABE000-memory.dmp

Filesize
1.6MB

Download
memory/3160-137-0x0000000000000000-mapping.dmp

Download
memory/3512-130-0x00000000003F0000-0x0000000000ABD000-memory.dmp

Filesize
6.8MB

Download
memory/3512-127-0x00000000003F0000-0x0000000000ABD000-memory.dmp

Filesize
6.8MB

Download
memory/3512-128-0x0000000077930000-0x0000000077ABE000-memory.dmp

Filesize
1.6MB

Download
memory/3512-129-0x00000000003F0000-0x0000000000ABD000-memory.dmp

Filesize
6.8MB

Download
memory/3512-131-0x00000000003F0000-0x0000000000ABD000-memory.dmp

Filesize
6.8MB

Download
memory/3512-119-0x0000000000000000-mapping.dmp

Download
memory/3644-135-0x0000000000000000-mapping.dmp

Download