danabot | b9267b00e92e7d70cfc6ad95cba0fd1c324ad61e66af3472cf61fa1bf40c5a62

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

749a4eb97367f1aa0565c1454daae1ba_JaffaCakes118.exe
Size

4.0MB
MD5

749a4eb97367f1aa0565c1454daae1ba
SHA1

f7823776d4bb2da0112549785acabf0cfaeaea39
SHA256

b9267b00e92e7d70cfc6ad95cba0fd1c324ad61e66af3472cf61fa1bf40c5a62
SHA512

46d23870fff00e5d278830b0a5759a61ca38f5b15b4b4474afe9cd58d4a1035623bd055799154b7f931eae3c2b41632a7b71b297dec3363a364402648394f1ee
SSDEEP

98304:FjaimLAtiy6nOJj06feD0EMBeATxaoFHTG:FRCKX6Ol0oBEMcaxaIz

Score

10^/10

danabot 3 banker collection credential_access discovery execution spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

192.236.192.241:443

134.119.186.198:443

104.168.156.222:443

167.114.188.34:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow	pid	Process
24	3084	RUNDLL32.EXE
30	3084	RUNDLL32.EXE
43	3084	RUNDLL32.EXE
44	3084	RUNDLL32.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	RUNDLL32.EXE

Loads dropped DLL 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid	Process
112	rundll32.exe
112	rundll32.exe
3084	RUNDLL32.EXE
3084	RUNDLL32.EXE

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2900	powershell.exe
4608	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3724	4804	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exenslookup.exeschtasks.exeschtasks.exe749a4eb97367f1aa0565c1454daae1ba_JaffaCakes118.exerundll32.exeRUNDLL32.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	749a4eb97367f1aa0565c1454daae1ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	Process
2900	powershell.exe
2900	powershell.exe
3084	RUNDLL32.EXE
3084	RUNDLL32.EXE
4608	powershell.exe
4608	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	112	rundll32.exe
Token: SeDebugPrivilege	3084	RUNDLL32.EXE
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid	Process
3084	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

749a4eb97367f1aa0565c1454daae1ba_JaffaCakes118.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	Process	procid_target
PID 4804 wrote to memory of 112	4804	749a4eb97367f1aa0565c1454daae1ba_JaffaCakes118.exe	87
PID 4804 wrote to memory of 112	4804	749a4eb97367f1aa0565c1454daae1ba_JaffaCakes118.exe	87
PID 4804 wrote to memory of 112	4804	749a4eb97367f1aa0565c1454daae1ba_JaffaCakes118.exe	87
PID 112 wrote to memory of 3084	112	rundll32.exe	91
PID 112 wrote to memory of 3084	112	rundll32.exe	91
PID 112 wrote to memory of 3084	112	rundll32.exe	91
PID 3084 wrote to memory of 2900	3084	RUNDLL32.EXE	92
PID 3084 wrote to memory of 2900	3084	RUNDLL32.EXE	92
PID 3084 wrote to memory of 2900	3084	RUNDLL32.EXE	92
PID 3084 wrote to memory of 4608	3084	RUNDLL32.EXE	98
PID 3084 wrote to memory of 4608	3084	RUNDLL32.EXE	98
PID 3084 wrote to memory of 4608	3084	RUNDLL32.EXE	98
PID 4608 wrote to memory of 2056	4608	powershell.exe	100
PID 4608 wrote to memory of 2056	4608	powershell.exe	100
PID 4608 wrote to memory of 2056	4608	powershell.exe	100
PID 3084 wrote to memory of 1472	3084	RUNDLL32.EXE	101
PID 3084 wrote to memory of 1472	3084	RUNDLL32.EXE	101
PID 3084 wrote to memory of 1472	3084	RUNDLL32.EXE	101
PID 3084 wrote to memory of 1212	3084	RUNDLL32.EXE	104
PID 3084 wrote to memory of 1212	3084	RUNDLL32.EXE	104
PID 3084 wrote to memory of 1212	3084	RUNDLL32.EXE	104

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\749a4eb97367f1aa0565c1454daae1ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\749a4eb97367f1aa0565c1454daae1ba_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\749A4E~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\749A4E~1.EXE
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\749A4E~1.DLL,WDoefDYWAyD3
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:3084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpDC18.tmp.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpEB5C.tmp.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      4⤵
      System Location Discovery: System Language Discovery
      PID:1472
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      4⤵
      System Location Discovery: System Language Discovery
      PID:1212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 528
  2⤵
  - Program crash
  PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4804 -ip 4804
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6ad58b45ba900fe2b784c35fe1ddd496

SHA1
7701cf4dfebc92b77e3d16a4094dac0def34f13a

SHA256
139a32ad96800367dc709be507e2b78e667610000be7c68f94c174e6fa60f84f

SHA512
168f58da543d5c3a645c9a51916528c8e291f0f49069fb8567328e6960874a97026839a31a3505bcd1cc26320a477fbd095406ff3e12c4419c5429b729cd9c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
064bc7b77b24ac18f23a6c844befd88a

SHA1
1dfb19564c744963f8d4d574871e34768e4ceab2

SHA256
5d84cd31b3602f56267b2f3e7ac9999e124b2cb97514457d74634a1366588e92

SHA512
f3876865e4d298bf29eb7bf46b62fa2ee371650593fcd8cffa925a23b25dc6ccb44075c363669abf01d8e6628ca421a24d46f6585c1b3452b43fd68c5c78b5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\240638984.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\749A4E~1.DLL

Filesize
3.8MB

MD5
9c52ec98ac0e9e6fa4cc47a75874587e

SHA1
6bc94c984e6908ecf1e339642172519c82c6a30e

SHA256
9fc9d28077290d908516a0fb27bbd7361e7b8ec842e3451a9985697d54b31608

SHA512
6bb9b55dc1b7271cb6490db2093e94d2d63b6bb571be9670957f4e673d8d660bc540bf58ef87906e0f6cbfbd5f2939055b4ec2414d1e7ee6434c406d98b7ee75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fjvdfszxjucsg.tmp

Filesize
2KB

MD5
46b9547a38ae63936e244ce0c2cf0c57

SHA1
fcec1a9af502f76af8d9ecde865794be6a58281e

SHA256
f839fe0444dd222c391885610397cc66e587370dc0b4656f84406ab22fddb036

SHA512
fc9e502cb2361b128c8cdba3085c74465531e23294e46d3136929d9db0bc7c5b20f2e6ef8d2dd6823e7142797be77992ef60c98bb1bc2e22c5f71b8bc9f0fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_entyb14b.wn1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC18.tmp.ps1

Filesize
261B

MD5
4eb968ee10041e085cac98f39a7be6da

SHA1
93309131c2ad366b441b94a205bd483c1e1f190b

SHA256
1cda51218bcfadff64c849bf31205b53f9d9d0377d7c402b473584e5205aaaa2

SHA512
16c05dc45c5261f7a1e2a5404c7d11f2e219448a1cd034008729cfbce6a195340cf697e8edf5089129300a481525d4fcccc1f23a220edf1c9fc3e0ab35c6d901

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC19.tmp

Filesize
1KB

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB5C.tmp.ps1

Filesize
80B

MD5
967be769a09f88105142bd6af149a822

SHA1
e8cbdc2c598e63cea35257e4151eb66ac5ef27c1

SHA256
94a393787da2a6e8a0198051f2f3f137878a9967a4be2ed2bb086021d8175e22

SHA512
2c282a90b6670197293c258e47a837f37d5eec8e01a17aaf9adc822ef8ec9600ad9a0dfca4638f8407e080a1d76622e45df34ac8ad6e58f8d9df31027cd6396a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB5D.tmp

Filesize
86B

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
memory/112-15-0x0000000002910000-0x0000000002F72000-memory.dmp

Filesize
6.4MB

Download
memory/112-11-0x0000000002910000-0x0000000002F72000-memory.dmp

Filesize
6.4MB

Download
memory/112-10-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/112-9-0x0000000002910000-0x0000000002F72000-memory.dmp

Filesize
6.4MB

Download
memory/112-8-0x0000000001FC0000-0x000000000238D000-memory.dmp

Filesize
3.8MB

Download
memory/2900-80-0x0000000006D50000-0x0000000006D58000-memory.dmp

Filesize
32KB

Download
memory/2900-77-0x0000000005EB0000-0x0000000005EBA000-memory.dmp

Filesize
40KB

Download
memory/2900-79-0x00000000060E0000-0x00000000060FA000-memory.dmp

Filesize
104KB

Download
memory/2900-78-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/2900-75-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

Filesize
304KB

Download
memory/2900-59-0x0000000002290000-0x00000000022C6000-memory.dmp

Filesize
216KB

Download
memory/2900-60-0x0000000004CF0000-0x0000000005318000-memory.dmp

Filesize
6.2MB

Download
memory/2900-61-0x0000000005350000-0x0000000005372000-memory.dmp

Filesize
136KB

Download
memory/2900-63-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/2900-62-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/2900-74-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/2900-73-0x00000000055D0000-0x0000000005924000-memory.dmp

Filesize
3.3MB

Download
memory/3084-16-0x0000000002BA0000-0x0000000003202000-memory.dmp

Filesize
6.4MB

Download
memory/3084-14-0x0000000002350000-0x000000000271D000-memory.dmp

Filesize
3.8MB

Download
memory/3084-17-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/3084-21-0x0000000002BA0000-0x0000000003202000-memory.dmp

Filesize
6.4MB

Download
memory/3084-22-0x0000000002BA0000-0x0000000003202000-memory.dmp

Filesize
6.4MB

Download
memory/3084-126-0x0000000002BA0000-0x0000000003202000-memory.dmp

Filesize
6.4MB

Download
memory/3084-125-0x0000000002BA0000-0x0000000003202000-memory.dmp

Filesize
6.4MB

Download
memory/3084-109-0x0000000002350000-0x000000000271D000-memory.dmp

Filesize
3.8MB

Download
memory/3084-24-0x0000000002BA0000-0x0000000003202000-memory.dmp

Filesize
6.4MB

Download
memory/3084-23-0x0000000002BA0000-0x0000000003202000-memory.dmp

Filesize
6.4MB

Download
memory/4608-100-0x0000000005640000-0x0000000005994000-memory.dmp

Filesize
3.3MB

Download
memory/4608-102-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/4804-19-0x0000000001600000-0x00000000019DF000-memory.dmp

Filesize
3.9MB

Download
memory/4804-3-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/4804-2-0x0000000001600000-0x00000000019DF000-memory.dmp

Filesize
3.9MB

Download
memory/4804-20-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/4804-1-0x0000000001230000-0x0000000001600000-memory.dmp

Filesize
3.8MB

Download
memory/4804-18-0x0000000000400000-0x0000000000C8B000-memory.dmp

Filesize
8.5MB

Download