danabot | f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9

Analysis

max time kernel
123s
max time network
141s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
21-12-2022 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9.exe
Size

1.1MB
MD5

7e9ce657b646e0ecff706bf6680061f0
SHA1

8f576b573c55ba4b3a36b495e9ab0361270b0fd7
SHA256

f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9
SHA512

360890279533d6ad72f3640c31d7b7b69e5189ea65ca802e6855d6f874005838282b1caf0dde21ebcacc185d8db3229cf3c7fd4414a30660176ad4a6d352361d
SSDEEP

24576:Hm7gvwjPpB5kd+TgBnFm4gi1pZzgBOkYFpfISXPvuLP:G0veRM4EBnF2ih7JpfIgPvuj

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

1 4888 rundll32.exe
2 4888 rundll32.exe
11 4888 rundll32.exe

flow	pid	process
1	4888	rundll32.exe
2	4888	rundll32.exe
11	4888	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Viewer.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Viewer..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Viewer.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4888 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4888 set thread context of 4876 4888 rundll32.exe rundll32.exe

pid	process
4888	rundll32.exe

description	pid	process	target process
PID 4888 set thread context of 4876	4888	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-hover.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Search.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_initiator.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Viewer..dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000095551308100054656d7000003a0009000400efbe2155a884955513082e00000000000000000000000000000000000000000000000000f9e04b00540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 4888 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4876 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4888	rundll32.exe

pid	process
4876	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9.exerundll32.exe

description	pid	process	target process
PID 2492 wrote to memory of 4888	2492	f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9.exe	rundll32.exe
PID 2492 wrote to memory of 4888	2492	f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9.exe	rundll32.exe
PID 2492 wrote to memory of 4888	2492	f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9.exe	rundll32.exe
PID 4888 wrote to memory of 4876	4888	rundll32.exe	rundll32.exe
PID 4888 wrote to memory of 4876	4888	rundll32.exe	rundll32.exe
PID 4888 wrote to memory of 4876	4888	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9.exe
"C:\Users\Admin\AppData\Local\Temp\f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14138
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4876

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2308

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5040

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:3996

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\viewer..dll",MQ0kajM1Sw==
2⤵
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\122__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml
Filesize
734B

MD5
dbfd18aa1b029bff0ba05f3772390eeb

SHA1
e3a603b58ea1165d94809b25abcfd2305901718f

SHA256
9c9078c15304bd6219712961ebc0e05619c7a432d1ff9a6aaaf922f000298eb8

SHA512
112f1fbb388796ac4b9b90bb47daf9b896078db49a42b090b39cb67f8a7397d95af52d8692ff12ce9eedc1d628f4e62d357d23e98151cd4298a4b2a9243c8782

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\163__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml
Filesize
851B

MD5
78a0679c4d8c668f0b1f4f3b6028eb74

SHA1
e4071ffb1fb9c3467945d23b4507b6ebfb8e48d5

SHA256
af46cfb779a7de898e5a39c9a1fdf6be3d36789b3f939bb85c2cef1600f52ec1

SHA512
848f1e7c660cc7614840cf233022b687a727374b68934d5d1afca6f5eaa58f4b298866dc295a665a7075dcb6f28d91c29f0367b94c74d3ab9d8a6713dc5d6fac

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.excelmui.msi.16.en-us.xml
Filesize
39KB

MD5
93b791b81e660e839ef91e881d0d40ba

SHA1
f28bf43cb01d5d6f0714b40c0183c0f920704b7a

SHA256
94e7e8449e52aa41decd74e1fa8bc6d688a1fc1e6dcbd015ff19ece64dedfe32

SHA512
3bfff8518d32d599f29c254b9f1de7337d49aa027ff0c0c3345698695a87ddc145c13855e7a7a434f7d29eaa60ce44161b47e40a95df8c54c686dadaf894ec63

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
bfdd5d62c8f587f73aed406c3495e541

SHA1
56dbdaae7297e3dc777510586e712f73699b7839

SHA256
4e6d9a31f0db1f486b55c574af3bcded625da749801d30b0cdb235daf0c91c41

SHA512
ed20207fbf52d595aa7ef98fcae4d7ce83c9709391eb0cb17984e042fd4e49f7e381471df97ab129e921535339c91c91e95a287a73972cc6334b39eeb486cd7c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\RunTime.xml
Filesize
258B

MD5
a6ce910db1d3e86a0e505f23b5f524bb

SHA1
eb45b98744431813ac5223d31709a73c9c158012

SHA256
db298408ae34693d9ffbcb1595920503853c89e2f66b0e58f9675dc4b127e58c

SHA512
f21e3db718c81f23b5c20f627309ee495af87e39a9449767bd926a78be897435c8af693bc7aa7c29d62ba8bec55a1dee1264312e8faee5cda3beca62172d6aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\viewer..dll
Filesize
797KB

MD5
f45720b4d72d06769f91dd8d5f891542

SHA1
4f064a805b4f40a732fe81ed2a6e2dd59f62a021

SHA256
6313d45d390b8babdb309289e9d80a910ce137bfa2051fa47acb1d0ced087ab5

SHA512
c41577c69fffff0dca153220788d427e4688f269ec901b21b9a894e14fd48be6a05253f749193a4efe7c2924c4656db37937b21a0f0d5c7b212d5baf363c8469

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\Viewer..dll
Filesize
797KB

MD5
f45720b4d72d06769f91dd8d5f891542

SHA1
4f064a805b4f40a732fe81ed2a6e2dd59f62a021

SHA256
6313d45d390b8babdb309289e9d80a910ce137bfa2051fa47acb1d0ced087ab5

SHA512
c41577c69fffff0dca153220788d427e4688f269ec901b21b9a894e14fd48be6a05253f749193a4efe7c2924c4656db37937b21a0f0d5c7b212d5baf363c8469

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\Viewer..dll
Filesize
797KB

MD5
f45720b4d72d06769f91dd8d5f891542

SHA1
4f064a805b4f40a732fe81ed2a6e2dd59f62a021

SHA256
6313d45d390b8babdb309289e9d80a910ce137bfa2051fa47acb1d0ced087ab5

SHA512
c41577c69fffff0dca153220788d427e4688f269ec901b21b9a894e14fd48be6a05253f749193a4efe7c2924c4656db37937b21a0f0d5c7b212d5baf363c8469

Download Submit
\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
memory/1000-381-0x0000000000000000-mapping.dmp

Download
memory/1000-458-0x0000000005E00000-0x0000000006525000-memory.dmp

Filesize
7.1MB

Download
memory/1000-477-0x0000000005E00000-0x0000000006525000-memory.dmp

Filesize
7.1MB

Download
memory/2308-460-0x0000000000000000-mapping.dmp

Download
memory/2492-137-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-160-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-135-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-138-0x00000000008A0000-0x000000000099B000-memory.dmp

Filesize
1004KB

Download
memory/2492-140-0x00000000024B0000-0x00000000025E0000-memory.dmp

Filesize
1.2MB

Download
memory/2492-139-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-141-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-143-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-144-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-146-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-145-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-142-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-148-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-147-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-150-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-149-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-151-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-152-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-153-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-154-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-155-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-157-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-156-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-158-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-159-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2492-136-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-162-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-163-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-164-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-161-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-121-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-120-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-168-0x00000000024B0000-0x00000000025E0000-memory.dmp

Filesize
1.2MB

Download
memory/2492-122-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-134-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-133-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-132-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-131-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-123-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-170-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2492-130-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-129-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-128-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-126-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-125-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-124-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-384-0x00000000057F0000-0x0000000005F15000-memory.dmp

Filesize
7.1MB

Download
memory/3996-505-0x00000000057F0000-0x0000000005F15000-memory.dmp

Filesize
7.1MB

Download
memory/4808-487-0x0000000000000000-mapping.dmp

Download
memory/4876-284-0x000001EAF0960000-0x000001EAF0B8A000-memory.dmp

Filesize
2.2MB

Download
memory/4876-283-0x0000000000480000-0x0000000000699000-memory.dmp

Filesize
2.1MB

Download
memory/4876-277-0x00007FF76CFF5FD0-mapping.dmp

Download
memory/4888-167-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-190-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-188-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-185-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-189-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-187-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-268-0x0000000007320000-0x0000000007A45000-memory.dmp

Filesize
7.1MB

Download
memory/4888-186-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-282-0x0000000006FB9000-0x0000000006FBB000-memory.dmp

Filesize
8KB

Download
memory/4888-177-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-180-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-285-0x0000000007320000-0x0000000007A45000-memory.dmp

Filesize
7.1MB

Download
memory/4888-182-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-184-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-183-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-181-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-179-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-178-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-166-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-169-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-175-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-176-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-174-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-172-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-173-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-171-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-165-0x0000000000000000-mapping.dmp

Download