nanocore | e11f59ce9dae9fcff7ff4c8d3d119dd663a1918d084f8cda7b30c474cd141642

Analysis

max time kernel
127s
max time network
134s
platform
windows7_x64
resource
win7v20201028
submitted
25-11-2020 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e77f5e642756206d8f21e0230a134040.rtf
Size

13KB
MD5

e77f5e642756206d8f21e0230a134040
SHA1

d4b3eb5fe7af003da6141a57cb641bd960506a70
SHA256

e11f59ce9dae9fcff7ff4c8d3d119dd663a1918d084f8cda7b30c474cd141642
SHA512

75c1c081adcb5115580c52daeaa9af08fd7d7b8a9d8ec29fb19f9c3efb5543af3acf0e0ba54fe4832cc5d4a5b1efa73f042b3ac5d90f34b6555bf17dc4c1b9bc

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Mutex

3a9317bb-f4c9-498b-9bcd-6f676b5f42c8

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-08-09T22:17:26.589249336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2017
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3a9317bb-f4c9-498b-9bcd-6f676b5f42c8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Blacklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1904 EQNEDT32.EXE
Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

724 vbc.exe
928 vbc.exe
1480 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1904 EQNEDT32.EXE
1904 EQNEDT32.EXE
1904 EQNEDT32.EXE
1904 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
7	1904	EQNEDT32.EXE

pid	process
724	vbc.exe
928	vbc.exe
1480	vbc.exe

pid	process
1904	EQNEDT32.EXE
1904	EQNEDT32.EXE
1904	EQNEDT32.EXE
1904	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Manager = "C:\\Program Files (x86)\\NTFS Manager\\ntfsmgr.exe"	vbc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

vbc.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vbc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 724 set thread context of 1480 724 vbc.exe vbc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vbc.exe

description	pid	process	target process
PID 724 set thread context of 1480	724	vbc.exe	vbc.exe

Drops file in Program Files directory 2 IoCs

Processes:

vbc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	vbc.exe
File created	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1212 schtasks.exe
1996 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

316 timeout.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1904 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1212	schtasks.exe
1996	schtasks.exe

pid	process
316	timeout.exe

pid	process
1904	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1640 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exevbc.exe

pid process

724 vbc.exe
724 vbc.exe
1480 vbc.exe
1480 vbc.exe
1480 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

1480 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 724 vbc.exe
Token: SeDebugPrivilege 1480 vbc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1640 WINWORD.EXE
1640 WINWORD.EXE

pid	process
1640	WINWORD.EXE

pid	process
724	vbc.exe
724	vbc.exe
1480	vbc.exe
1480	vbc.exe
1480	vbc.exe

pid	process
1480	vbc.exe

description	pid	process
Token: SeDebugPrivilege	724	vbc.exe
Token: SeDebugPrivilege	1480	vbc.exe

pid	process
1640	WINWORD.EXE
1640	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.exe

description	pid	process	target process
PID 1904 wrote to memory of 724	1904	EQNEDT32.EXE	vbc.exe
PID 1904 wrote to memory of 724	1904	EQNEDT32.EXE	vbc.exe
PID 1904 wrote to memory of 724	1904	EQNEDT32.EXE	vbc.exe
PID 1904 wrote to memory of 724	1904	EQNEDT32.EXE	vbc.exe
PID 724 wrote to memory of 316	724	vbc.exe	timeout.exe
PID 724 wrote to memory of 316	724	vbc.exe	timeout.exe
PID 724 wrote to memory of 316	724	vbc.exe	timeout.exe
PID 724 wrote to memory of 316	724	vbc.exe	timeout.exe
PID 724 wrote to memory of 928	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 928	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 928	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 928	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 1480	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 1480	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 1480	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 1480	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 1480	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 1480	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 1480	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 1480	724	vbc.exe	vbc.exe
PID 724 wrote to memory of 1480	724	vbc.exe	vbc.exe
PID 1480 wrote to memory of 1212	1480	vbc.exe	schtasks.exe
PID 1480 wrote to memory of 1212	1480	vbc.exe	schtasks.exe
PID 1480 wrote to memory of 1212	1480	vbc.exe	schtasks.exe
PID 1480 wrote to memory of 1212	1480	vbc.exe	schtasks.exe
PID 1480 wrote to memory of 1996	1480	vbc.exe	schtasks.exe
PID 1480 wrote to memory of 1996	1480	vbc.exe	schtasks.exe
PID 1480 wrote to memory of 1996	1480	vbc.exe	schtasks.exe
PID 1480 wrote to memory of 1996	1480	vbc.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e77f5e642756206d8f21e0230a134040.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\SysWOW64\timeout.exe
timeout 18
3⤵
- Delays execution with timeout.exe
PID:316

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:928

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp"
4⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF94E.tmp"
4⤵
- Creates scheduled task(s)
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp
MD5
deb609c2718f3cdffec272701c7cbefa

SHA1
41371e8823d438d91ecf9a84738fd179204353df

SHA256
331ff9d8f5a059660b5e9f4141cecd44b42b2a066f1053f59f87b5c1e5ec6ec4

SHA512
9f976c70e4c3e11674f122f29585169bbb9ce8e0cddbbc1d1705169b1b36175e17ab4986753d62f7e9e84d80a9a3077626e22ab7ee26b2b1f2dd2a9b4734385f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF94E.tmp
MD5
41808f05a9aa523d0ef506d4993f1d6c

SHA1
5a228145decf63ebbbd673c9b7c08a86236a22d4

SHA256
f76bd5da395a725b5998efab9a5d3160657cf2d44a8be83fa24af6ba29acf731

SHA512
7cf71f8fd8dccaa8cf2c724afca3178be8b7a6e0cc6e4b44990e96413bd0dac8248e2bcfa1bb82da05efb6c4b46649722c20ce14cf4a44f1720e18732bd9246e

Download Submit
C:\Users\Public\vbc.exe
MD5
181a6a0a18b62c9cf11f133506f1e506

SHA1
67aff0f365997fe49271b6b41bf6bf0d308a7e7a

SHA256
d38570100d5c3b98b9a28e5dc06090d561f288991ceca12201f374207a005343

SHA512
a25db459d44122aabec22777ddbad09f5108737281aafd104511231b4d8771f6aa9a0ed15e92439e84e57acec82184f1ccaa06e302f87f979feded130cafc4d3

Download Submit
C:\Users\Public\vbc.exe
MD5
181a6a0a18b62c9cf11f133506f1e506

SHA1
67aff0f365997fe49271b6b41bf6bf0d308a7e7a

SHA256
d38570100d5c3b98b9a28e5dc06090d561f288991ceca12201f374207a005343

SHA512
a25db459d44122aabec22777ddbad09f5108737281aafd104511231b4d8771f6aa9a0ed15e92439e84e57acec82184f1ccaa06e302f87f979feded130cafc4d3

Download Submit
C:\Users\Public\vbc.exe
MD5
181a6a0a18b62c9cf11f133506f1e506

SHA1
67aff0f365997fe49271b6b41bf6bf0d308a7e7a

SHA256
d38570100d5c3b98b9a28e5dc06090d561f288991ceca12201f374207a005343

SHA512
a25db459d44122aabec22777ddbad09f5108737281aafd104511231b4d8771f6aa9a0ed15e92439e84e57acec82184f1ccaa06e302f87f979feded130cafc4d3

Download Submit
C:\Users\Public\vbc.exe
MD5
181a6a0a18b62c9cf11f133506f1e506

SHA1
67aff0f365997fe49271b6b41bf6bf0d308a7e7a

SHA256
d38570100d5c3b98b9a28e5dc06090d561f288991ceca12201f374207a005343

SHA512
a25db459d44122aabec22777ddbad09f5108737281aafd104511231b4d8771f6aa9a0ed15e92439e84e57acec82184f1ccaa06e302f87f979feded130cafc4d3

Download Submit
\Users\Public\vbc.exe
MD5
181a6a0a18b62c9cf11f133506f1e506

SHA1
67aff0f365997fe49271b6b41bf6bf0d308a7e7a

SHA256
d38570100d5c3b98b9a28e5dc06090d561f288991ceca12201f374207a005343

SHA512
a25db459d44122aabec22777ddbad09f5108737281aafd104511231b4d8771f6aa9a0ed15e92439e84e57acec82184f1ccaa06e302f87f979feded130cafc4d3

Download Submit
\Users\Public\vbc.exe
MD5
181a6a0a18b62c9cf11f133506f1e506

SHA1
67aff0f365997fe49271b6b41bf6bf0d308a7e7a

SHA256
d38570100d5c3b98b9a28e5dc06090d561f288991ceca12201f374207a005343

SHA512
a25db459d44122aabec22777ddbad09f5108737281aafd104511231b4d8771f6aa9a0ed15e92439e84e57acec82184f1ccaa06e302f87f979feded130cafc4d3

Download Submit
\Users\Public\vbc.exe
MD5
181a6a0a18b62c9cf11f133506f1e506

SHA1
67aff0f365997fe49271b6b41bf6bf0d308a7e7a

SHA256
d38570100d5c3b98b9a28e5dc06090d561f288991ceca12201f374207a005343

SHA512
a25db459d44122aabec22777ddbad09f5108737281aafd104511231b4d8771f6aa9a0ed15e92439e84e57acec82184f1ccaa06e302f87f979feded130cafc4d3

Download Submit
\Users\Public\vbc.exe
MD5
181a6a0a18b62c9cf11f133506f1e506

SHA1
67aff0f365997fe49271b6b41bf6bf0d308a7e7a

SHA256
d38570100d5c3b98b9a28e5dc06090d561f288991ceca12201f374207a005343

SHA512
a25db459d44122aabec22777ddbad09f5108737281aafd104511231b4d8771f6aa9a0ed15e92439e84e57acec82184f1ccaa06e302f87f979feded130cafc4d3

Download Submit
memory/316-10-0x0000000000000000-mapping.dmp

Download
memory/724-8-0x000000006B8B0000-0x000000006BF9E000-memory.dmp

Filesize
6.9MB

Download
memory/724-5-0x0000000000000000-mapping.dmp

Download
memory/724-11-0x0000000000720000-0x0000000000761000-memory.dmp

Filesize
260KB

Download
memory/724-9-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1212-21-0x0000000000000000-mapping.dmp

Download
memory/1220-0-0x000007FEF8800000-0x000007FEF8A7A000-memory.dmp

Filesize
2.5MB

Download
memory/1480-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1480-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1480-18-0x000000006B8B0000-0x000000006BF9E000-memory.dmp

Filesize
6.9MB

Download
memory/1480-14-0x000000000041E792-mapping.dmp

Download
memory/1480-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1480-25-0x0000000000530000-0x0000000000535000-memory.dmp

Filesize
20KB

Download
memory/1480-26-0x0000000000580000-0x0000000000599000-memory.dmp

Filesize
100KB

Download
memory/1480-27-0x00000000005A0000-0x00000000005A3000-memory.dmp

Filesize
12KB

Download
memory/1996-23-0x0000000000000000-mapping.dmp

Download