danabot | 0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209

Analysis

max time kernel
150s
max time network
141s
platform
windows10_x64
resource
win10-en-20211208
submitted
21-12-2021 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e946313323a4fab93d139a9e3861e5ef.exe
Size

5.4MB
MD5

e946313323a4fab93d139a9e3861e5ef
SHA1

19c67ccdfbfc3971d31b5827f185009976072936
SHA256

0724a4302ad37929cb58cc90dad7c90459df4eba0bccbfb4008965d917a55209
SHA512

a85beddb32dbd48b802387b32a856f4fcb91916fcbc099e279c706e9ac553e75e34370a511720c9eee77f436922de71a68e746a5ed002282e13e44a1165b8ed0

Score

10^/10

danabot 4 banker evasion themida trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.223:443

23.106.122.139:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BIWOLP~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\BIWOLP~1.DLL	DanabotLoader2021

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

29 1100 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

napaea.exeoutwitvp.exebiwolphc.exeDpEditor.exe

pid process

1060 napaea.exe
2756 outwitvp.exe
3564 biwolphc.exe
1940 DpEditor.exe

flow	pid	process
29	1100	WScript.exe

pid	process
1060	napaea.exe
2756	outwitvp.exe
3564	biwolphc.exe
1940	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DpEditor.exenapaea.exeoutwitvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	napaea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	napaea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe

Loads dropped DLL 2 IoCs

Processes:

e946313323a4fab93d139a9e3861e5ef.exerundll32.exe

pid process

2800 e946313323a4fab93d139a9e3861e5ef.exe
2352 rundll32.exe

pid	process
2800	e946313323a4fab93d139a9e3861e5ef.exe
2352	rundll32.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
behavioral2/memory/1060-122-0x0000000000360000-0x0000000000A36000-memory.dmp	themida
behavioral2/memory/1060-123-0x0000000000360000-0x0000000000A36000-memory.dmp	themida
behavioral2/memory/1060-125-0x0000000000360000-0x0000000000A36000-memory.dmp	themida
behavioral2/memory/2756-126-0x0000000000D60000-0x0000000001441000-memory.dmp	themida
behavioral2/memory/2756-124-0x0000000000D60000-0x0000000001441000-memory.dmp	themida
behavioral2/memory/2756-128-0x0000000000D60000-0x0000000001441000-memory.dmp	themida
behavioral2/memory/2756-130-0x0000000000D60000-0x0000000001441000-memory.dmp	themida
behavioral2/memory/1060-127-0x0000000000360000-0x0000000000A36000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral2/memory/1940-143-0x0000000000020000-0x00000000006F6000-memory.dmp	themida
behavioral2/memory/1940-144-0x0000000000020000-0x00000000006F6000-memory.dmp	themida
behavioral2/memory/1940-145-0x0000000000020000-0x00000000006F6000-memory.dmp	themida
behavioral2/memory/1940-146-0x0000000000020000-0x00000000006F6000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	napaea.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

pid process

1060 napaea.exe
2756 outwitvp.exe
1940 DpEditor.exe

flow	ioc
10	ip-api.com

pid	process
1060	napaea.exe
2756	outwitvp.exe
1940	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

e946313323a4fab93d139a9e3861e5ef.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	e946313323a4fab93d139a9e3861e5ef.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	e946313323a4fab93d139a9e3861e5ef.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	e946313323a4fab93d139a9e3861e5ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

outwitvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	outwitvp.exe

Modifies registry class 1 IoCs

Processes:

outwitvp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings outwitvp.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1940 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

pid process

1060 napaea.exe
1060 napaea.exe
2756 outwitvp.exe
2756 outwitvp.exe
1940 DpEditor.exe
1940 DpEditor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	outwitvp.exe

pid	process
1940	DpEditor.exe

pid	process
1060	napaea.exe
1060	napaea.exe
2756	outwitvp.exe
2756	outwitvp.exe
1940	DpEditor.exe
1940	DpEditor.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

e946313323a4fab93d139a9e3861e5ef.exeoutwitvp.exenapaea.exebiwolphc.exe

description	pid	process	target process
PID 2800 wrote to memory of 1060	2800	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 2800 wrote to memory of 1060	2800	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 2800 wrote to memory of 1060	2800	e946313323a4fab93d139a9e3861e5ef.exe	napaea.exe
PID 2800 wrote to memory of 2756	2800	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 2800 wrote to memory of 2756	2800	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 2800 wrote to memory of 2756	2800	e946313323a4fab93d139a9e3861e5ef.exe	outwitvp.exe
PID 2756 wrote to memory of 3564	2756	outwitvp.exe	biwolphc.exe
PID 2756 wrote to memory of 3564	2756	outwitvp.exe	biwolphc.exe
PID 2756 wrote to memory of 3564	2756	outwitvp.exe	biwolphc.exe
PID 2756 wrote to memory of 3792	2756	outwitvp.exe	WScript.exe
PID 2756 wrote to memory of 3792	2756	outwitvp.exe	WScript.exe
PID 2756 wrote to memory of 3792	2756	outwitvp.exe	WScript.exe
PID 1060 wrote to memory of 1940	1060	napaea.exe	DpEditor.exe
PID 1060 wrote to memory of 1940	1060	napaea.exe	DpEditor.exe
PID 1060 wrote to memory of 1940	1060	napaea.exe	DpEditor.exe
PID 2756 wrote to memory of 1100	2756	outwitvp.exe	WScript.exe
PID 2756 wrote to memory of 1100	2756	outwitvp.exe	WScript.exe
PID 2756 wrote to memory of 1100	2756	outwitvp.exe	WScript.exe
PID 3564 wrote to memory of 2352	3564	biwolphc.exe	rundll32.exe
PID 3564 wrote to memory of 2352	3564	biwolphc.exe	rundll32.exe
PID 3564 wrote to memory of 2352	3564	biwolphc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e946313323a4fab93d139a9e3861e5ef.exe
"C:\Users\Admin\AppData\Local\Temp\e946313323a4fab93d139a9e3861e5ef.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
  "C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    PID:1940
- C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
  "C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\biwolphc.exe
    "C:\Users\Admin\AppData\Local\Temp\biwolphc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BIWOLP~1.DLL,s C:\Users\Admin\AppData\Local\Temp\biwolphc.exe
      4⤵
      Loads dropped DLL
      PID:2352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ntvfjryqgw.vbs"
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\iseerbvujlr.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5
1ea10f02f4d0d99b66cadb648fa57512

SHA1
196dd5d28ee4c6cc7319a64c33fbb67b6d1d65b4

SHA256
5c29c5aee99f59455ed6424e7199b7b6880d5c394619c65d27a34f8ec5300df2

SHA512
230433c205c14fae1ea86267abfdd2f609cf7a1afc9c01d147d5928c02baf4f1098605ecb8927790fce6aa04509f4548b6e22c5b4c52df900276ae84cd25a681

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIWOLP~1.DLL

MD5
eb37c6b1c8b54e0cce7957a85b3a17c4

SHA1
d89d917f0483fc8a8c813d29aefec853d992e602

SHA256
04da92680369c28ff5a3825f3d331b9baab953f62e601b7fcdb32157552eaa13

SHA512
eaaf62a6faeae5debdead9df69a6f6b9f676f3c23afc2c62e1e460aca7cbba0266d1b39d72a2bfd21567e410f9abe841d2d50bed1f467cc5d690e47bbc5d794d

Download Submit
C:\Users\Admin\AppData\Local\Temp\biwolphc.exe

MD5
a2f9905c597b6dadfacf0a1eacb767d9

SHA1
cc4fc6fb47e604d371fe7854789854bc5e3da34b

SHA256
076a693bd61876d48674cdcc553871efa2fb5310358bcb36068c3c5a9ea20d94

SHA512
8090e586a1568585ec9204f2e8e4dca19a72fe1f5061e41aa42ab040a929d7f14f253c85ba4eab1ac2c8bd8faf21422c63e37651935b538bed193c895951eac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\biwolphc.exe

MD5
a2f9905c597b6dadfacf0a1eacb767d9

SHA1
cc4fc6fb47e604d371fe7854789854bc5e3da34b

SHA256
076a693bd61876d48674cdcc553871efa2fb5310358bcb36068c3c5a9ea20d94

SHA512
8090e586a1568585ec9204f2e8e4dca19a72fe1f5061e41aa42ab040a929d7f14f253c85ba4eab1ac2c8bd8faf21422c63e37651935b538bed193c895951eac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iseerbvujlr.vbs

MD5
1177b841475ff4dcb0b3f825843a3147

SHA1
0c04a4b21d27182919fbe053d3b5e2d6804e5319

SHA256
d371a3ad527f2eabf108ffe89a185f31931dfbffefd947ab95d7ba570bde7405

SHA512
94f1ad8d9a3b8987dcee4d241b114717a36177c5a11c28018c255c7fd9e69e3217e6777d8dc0b294fb0bbf6062f07cf00869b83ee74b8b4a7bab7ab24be3f4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntvfjryqgw.vbs

MD5
d85b674021e91c6549d1dba46b8a7123

SHA1
9c06890f8f3fff6b6ff12d495fc0e153d9aed7fb

SHA256
f994809cd97ea3650c2c9b8365d1018a80a48a4003be5a68d39d4724a6e1f2ce

SHA512
cb02aa7a77e8a74cb162d2031a0d2df348e9f3a3df3f2e895cdbe18cc4b36c3506acd088af3326144dec34965bc7c1f85c8e37e1661a9d7c0876254e8d33035c

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe

MD5
948b5f54439e4bcfd1c17cb9ae8d1ed3

SHA1
e7236e3cb35a7c9caace5aa7f570dbb2311ba736

SHA256
ee2955c290f9dc1a8026adcced932aaab678f5227f54fddf6a018fc81f7b01de

SHA512
e6fa55501c1f151780d81ccf2db1dcb17953c89fb6fe3b577f9d751c09bd42dc5924ff09e69843fb50f64f96b34d743d6ef1e2c02059b1efd8854ecdbfc40adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe

MD5
948b5f54439e4bcfd1c17cb9ae8d1ed3

SHA1
e7236e3cb35a7c9caace5aa7f570dbb2311ba736

SHA256
ee2955c290f9dc1a8026adcced932aaab678f5227f54fddf6a018fc81f7b01de

SHA512
e6fa55501c1f151780d81ccf2db1dcb17953c89fb6fe3b577f9d751c09bd42dc5924ff09e69843fb50f64f96b34d743d6ef1e2c02059b1efd8854ecdbfc40adf

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
75182fea96cd2dea68a23d360fb647c8

SHA1
992c5fe1ac704528a505bb42162a421e3d29b7cb

SHA256
3eca25c6a211415959e59d89e6f8c6a9b1d1c45bfbb9ce8bfc133c66958dc97c

SHA512
649aa18d4303f42fb9b8dc90994f8d40aa45a07f2842edfce1a389c0f1c2510f7828b233b7205e2171e8a147eed7c3a18efd162e060c83ad1f0fbbd3f4a56ec0

Download Submit
\Users\Admin\AppData\Local\Temp\BIWOLP~1.DLL

MD5
eb37c6b1c8b54e0cce7957a85b3a17c4

SHA1
d89d917f0483fc8a8c813d29aefec853d992e602

SHA256
04da92680369c28ff5a3825f3d331b9baab953f62e601b7fcdb32157552eaa13

SHA512
eaaf62a6faeae5debdead9df69a6f6b9f676f3c23afc2c62e1e460aca7cbba0266d1b39d72a2bfd21567e410f9abe841d2d50bed1f467cc5d690e47bbc5d794d

Download Submit
\Users\Admin\AppData\Local\Temp\nsr39D9.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/1060-127-0x0000000000360000-0x0000000000A36000-memory.dmp

Filesize
6.8MB

Download
memory/1060-129-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1060-122-0x0000000000360000-0x0000000000A36000-memory.dmp

Filesize
6.8MB

Download
memory/1060-125-0x0000000000360000-0x0000000000A36000-memory.dmp

Filesize
6.8MB

Download
memory/1060-116-0x0000000000000000-mapping.dmp

Download
memory/1060-123-0x0000000000360000-0x0000000000A36000-memory.dmp

Filesize
6.8MB

Download
memory/1100-148-0x0000000000000000-mapping.dmp

Download
memory/1940-147-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1940-146-0x0000000000020000-0x00000000006F6000-memory.dmp

Filesize
6.8MB

Download
memory/1940-145-0x0000000000020000-0x00000000006F6000-memory.dmp

Filesize
6.8MB

Download
memory/1940-144-0x0000000000020000-0x00000000006F6000-memory.dmp

Filesize
6.8MB

Download
memory/1940-140-0x0000000000000000-mapping.dmp

Download
memory/1940-143-0x0000000000020000-0x00000000006F6000-memory.dmp

Filesize
6.8MB

Download
memory/2352-152-0x0000000000000000-mapping.dmp

Download
memory/2756-126-0x0000000000D60000-0x0000000001441000-memory.dmp

Filesize
6.9MB

Download
memory/2756-131-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2756-130-0x0000000000D60000-0x0000000001441000-memory.dmp

Filesize
6.9MB

Download
memory/2756-128-0x0000000000D60000-0x0000000001441000-memory.dmp

Filesize
6.9MB

Download
memory/2756-124-0x0000000000D60000-0x0000000001441000-memory.dmp

Filesize
6.9MB

Download
memory/2756-119-0x0000000000000000-mapping.dmp

Download
memory/3564-139-0x0000000000400000-0x000000000099B000-memory.dmp

Filesize
5.6MB

Download
memory/3564-137-0x0000000001090000-0x000000000121D000-memory.dmp

Filesize
1.6MB

Download
memory/3564-138-0x0000000001220000-0x00000000013C3000-memory.dmp

Filesize
1.6MB

Download
memory/3564-132-0x0000000000000000-mapping.dmp

Download
memory/3792-135-0x0000000000000000-mapping.dmp

Download