nanocore | fe480193c8817ca0d9dd2cdd6b679175b55c4f12bf55478d775298093191f31e

Analysis

max time kernel
137s
max time network
148s
platform
windows7_x64
resource
win7v20210408
submitted
16-04-2021 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL AWB TRACKNG DETAIL.exe
Size

379KB
MD5

7936b78bca1d7e23aa203369563ef9e5
SHA1

ee99523f6456a4ba9d026ecee447116ac43f25ac
SHA256

4810afd49cb35f756bab13c854922461be237236e455f7d07b32517cbc95a9a6
SHA512

bc74f50c35f0007c7bd52b55a501992729fd96e29c8d2646843bd1ab7a20dfaf3d3582176a168ec2f38aab0b2fc9d13aa24745e0a6b24d207132519db5d727a8

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

dunga.duckdns.org:9087

Mutex

91b56d86-44e9-4ab8-b650-866edac2901e

Attributes

activate_away_mode
true
backup_connection_host
dunga.duckdns.org
backup_dns_server
dunga.duckdns.org
buffer_size
65535
build_time
2021-01-25T17:53:41.406526036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9087
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
91b56d86-44e9-4ab8-b650-866edac2901e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dunga.duckdns.org
primary_dns_server
dunga.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 3 IoCs

Processes:

nFhtcaDO0bKG3ig.exeCTS.exenFhtcaDO0bKG3ig.exe

pid process

1988 nFhtcaDO0bKG3ig.exe
2024 CTS.exe
1328 nFhtcaDO0bKG3ig.exe
Loads dropped DLL 3 IoCs

Processes:

DHL AWB TRACKNG DETAIL.exenFhtcaDO0bKG3ig.exe

pid process

1820 DHL AWB TRACKNG DETAIL.exe
1988 nFhtcaDO0bKG3ig.exe
1988 nFhtcaDO0bKG3ig.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1988	nFhtcaDO0bKG3ig.exe
2024	CTS.exe
1328	nFhtcaDO0bKG3ig.exe

pid	process
1820	DHL AWB TRACKNG DETAIL.exe
1988	nFhtcaDO0bKG3ig.exe
1988	nFhtcaDO0bKG3ig.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DHL AWB TRACKNG DETAIL.exeCTS.exenFhtcaDO0bKG3ig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	DHL AWB TRACKNG DETAIL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	DHL AWB TRACKNG DETAIL.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe"	nFhtcaDO0bKG3ig.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nFhtcaDO0bKG3ig.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nFhtcaDO0bKG3ig.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

nFhtcaDO0bKG3ig.exe

description pid process target process

PID 1988 set thread context of 1328 1988 nFhtcaDO0bKG3ig.exe nFhtcaDO0bKG3ig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nFhtcaDO0bKG3ig.exe

description	pid	process	target process
PID 1988 set thread context of 1328	1988	nFhtcaDO0bKG3ig.exe	nFhtcaDO0bKG3ig.exe

Drops file in Program Files directory 2 IoCs

Processes:

nFhtcaDO0bKG3ig.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Service\dpisv.exe	nFhtcaDO0bKG3ig.exe
File opened for modification	C:\Program Files (x86)\DPI Service\dpisv.exe	nFhtcaDO0bKG3ig.exe

Drops file in Windows directory 2 IoCs

Processes:

DHL AWB TRACKNG DETAIL.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe DHL AWB TRACKNG DETAIL.exe
File created C:\Windows\CTS.exe CTS.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\CTS.exe	DHL AWB TRACKNG DETAIL.exe
File created	C:\Windows\CTS.exe	CTS.exe

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

564 schtasks.exe
856 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

nFhtcaDO0bKG3ig.exe

pid process

1328 nFhtcaDO0bKG3ig.exe
1328 nFhtcaDO0bKG3ig.exe
1328 nFhtcaDO0bKG3ig.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nFhtcaDO0bKG3ig.exe

pid process

1328 nFhtcaDO0bKG3ig.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

nFhtcaDO0bKG3ig.exe

pid process

1988 nFhtcaDO0bKG3ig.exe

pid	process
564	schtasks.exe
856	schtasks.exe

pid	process
1328	nFhtcaDO0bKG3ig.exe
1328	nFhtcaDO0bKG3ig.exe
1328	nFhtcaDO0bKG3ig.exe

pid	process
1328	nFhtcaDO0bKG3ig.exe

pid	process
1988	nFhtcaDO0bKG3ig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DHL AWB TRACKNG DETAIL.exeCTS.exenFhtcaDO0bKG3ig.exe

description	pid	process
Token: SeDebugPrivilege	1820	DHL AWB TRACKNG DETAIL.exe
Token: SeDebugPrivilege	2024	CTS.exe
Token: SeDebugPrivilege	1328	nFhtcaDO0bKG3ig.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

DHL AWB TRACKNG DETAIL.exenFhtcaDO0bKG3ig.exenFhtcaDO0bKG3ig.exe

description	pid	process	target process
PID 1820 wrote to memory of 1988	1820	DHL AWB TRACKNG DETAIL.exe	nFhtcaDO0bKG3ig.exe
PID 1820 wrote to memory of 1988	1820	DHL AWB TRACKNG DETAIL.exe	nFhtcaDO0bKG3ig.exe
PID 1820 wrote to memory of 1988	1820	DHL AWB TRACKNG DETAIL.exe	nFhtcaDO0bKG3ig.exe
PID 1820 wrote to memory of 1988	1820	DHL AWB TRACKNG DETAIL.exe	nFhtcaDO0bKG3ig.exe
PID 1820 wrote to memory of 2024	1820	DHL AWB TRACKNG DETAIL.exe	CTS.exe
PID 1820 wrote to memory of 2024	1820	DHL AWB TRACKNG DETAIL.exe	CTS.exe
PID 1820 wrote to memory of 2024	1820	DHL AWB TRACKNG DETAIL.exe	CTS.exe
PID 1820 wrote to memory of 2024	1820	DHL AWB TRACKNG DETAIL.exe	CTS.exe
PID 1988 wrote to memory of 1328	1988	nFhtcaDO0bKG3ig.exe	nFhtcaDO0bKG3ig.exe
PID 1988 wrote to memory of 1328	1988	nFhtcaDO0bKG3ig.exe	nFhtcaDO0bKG3ig.exe
PID 1988 wrote to memory of 1328	1988	nFhtcaDO0bKG3ig.exe	nFhtcaDO0bKG3ig.exe
PID 1988 wrote to memory of 1328	1988	nFhtcaDO0bKG3ig.exe	nFhtcaDO0bKG3ig.exe
PID 1988 wrote to memory of 1328	1988	nFhtcaDO0bKG3ig.exe	nFhtcaDO0bKG3ig.exe
PID 1328 wrote to memory of 564	1328	nFhtcaDO0bKG3ig.exe	schtasks.exe
PID 1328 wrote to memory of 564	1328	nFhtcaDO0bKG3ig.exe	schtasks.exe
PID 1328 wrote to memory of 564	1328	nFhtcaDO0bKG3ig.exe	schtasks.exe
PID 1328 wrote to memory of 564	1328	nFhtcaDO0bKG3ig.exe	schtasks.exe
PID 1328 wrote to memory of 856	1328	nFhtcaDO0bKG3ig.exe	schtasks.exe
PID 1328 wrote to memory of 856	1328	nFhtcaDO0bKG3ig.exe	schtasks.exe
PID 1328 wrote to memory of 856	1328	nFhtcaDO0bKG3ig.exe	schtasks.exe
PID 1328 wrote to memory of 856	1328	nFhtcaDO0bKG3ig.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKNG DETAIL.exe
"C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKNG DETAIL.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp"
4⤵
- Creates scheduled task(s)
PID:564

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8180.tmp"
4⤵
- Creates scheduled task(s)
PID:856

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe

MD5
ad87becb87d4e0d8b6e026219159e9ee

SHA1
b800f8be72d8cfd4710d2fe1947a3abc88489b19

SHA256
29cb152e132ba4da36eeda013e0f55845422246db700b7fabfdda1e49b71b464

SHA512
3adea41b7ec89df5b3ac28beb0e20654a9a0ed26d75916cdd729b4d38e9ded644bce053860670b5120e1fde6814972ecc3f4744e9d563ea2f044bcfd8aa3f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe

MD5
ad87becb87d4e0d8b6e026219159e9ee

SHA1
b800f8be72d8cfd4710d2fe1947a3abc88489b19

SHA256
29cb152e132ba4da36eeda013e0f55845422246db700b7fabfdda1e49b71b464

SHA512
3adea41b7ec89df5b3ac28beb0e20654a9a0ed26d75916cdd729b4d38e9ded644bce053860670b5120e1fde6814972ecc3f4744e9d563ea2f044bcfd8aa3f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe

MD5
ad87becb87d4e0d8b6e026219159e9ee

SHA1
b800f8be72d8cfd4710d2fe1947a3abc88489b19

SHA256
29cb152e132ba4da36eeda013e0f55845422246db700b7fabfdda1e49b71b464

SHA512
3adea41b7ec89df5b3ac28beb0e20654a9a0ed26d75916cdd729b4d38e9ded644bce053860670b5120e1fde6814972ecc3f4744e9d563ea2f044bcfd8aa3f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp

MD5
b655b02c24afc595f065b43e30c33e37

SHA1
3553b4addff24e106e3efe8174e81ed5d85e8a02

SHA256
bd6925b8c6389d64cc2a1168db66b783bdc564e683df6685dc793a896d5ef4ce

SHA512
7f8edd259a02af4bb05ce761db2d84fddc706a300318864f8d74800b217f71f6dc4455ac25e468a78a39066c58233d3a34da8422f457c79fd780b5cd47558723

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8180.tmp

MD5
a9af285136db016a568e4a53208f21d0

SHA1
e1afef2b7ee8ae945353315daa19a15574b435b7

SHA256
7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c

SHA512
80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e

Download Submit
C:\Windows\CTS.exe

MD5
9471f0a5c13a6d9b41f142d876b46d86

SHA1
df13ce5f8351670562e1a312daad44783d2fa547

SHA256
a7d8a643f929a3d92bea8e707b6943a0b45e11731a9f29fb1c942bb4b3aff4a1

SHA512
34579c1b9eea8181fa7bf8e5ca5d7fd687395104aa9fe7f5f38e55f024e6b08e595bd896d76f5485bf72defb140a3d13bab7d84b1ad481f66860e51493db8c85

Download Submit
C:\Windows\CTS.exe

MD5
9471f0a5c13a6d9b41f142d876b46d86

SHA1
df13ce5f8351670562e1a312daad44783d2fa547

SHA256
a7d8a643f929a3d92bea8e707b6943a0b45e11731a9f29fb1c942bb4b3aff4a1

SHA512
34579c1b9eea8181fa7bf8e5ca5d7fd687395104aa9fe7f5f38e55f024e6b08e595bd896d76f5485bf72defb140a3d13bab7d84b1ad481f66860e51493db8c85

Download Submit
\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe

MD5
ad87becb87d4e0d8b6e026219159e9ee

SHA1
b800f8be72d8cfd4710d2fe1947a3abc88489b19

SHA256
29cb152e132ba4da36eeda013e0f55845422246db700b7fabfdda1e49b71b464

SHA512
3adea41b7ec89df5b3ac28beb0e20654a9a0ed26d75916cdd729b4d38e9ded644bce053860670b5120e1fde6814972ecc3f4744e9d563ea2f044bcfd8aa3f3a2

Download Submit
\Users\Admin\AppData\Local\Temp\nFhtcaDO0bKG3ig.exe

MD5
ad87becb87d4e0d8b6e026219159e9ee

SHA1
b800f8be72d8cfd4710d2fe1947a3abc88489b19

SHA256
29cb152e132ba4da36eeda013e0f55845422246db700b7fabfdda1e49b71b464

SHA512
3adea41b7ec89df5b3ac28beb0e20654a9a0ed26d75916cdd729b4d38e9ded644bce053860670b5120e1fde6814972ecc3f4744e9d563ea2f044bcfd8aa3f3a2

Download Submit
\Users\Admin\AppData\Local\Temp\nss698E.tmp\lzif.dll

MD5
dd633261c7161397c1b12fdecc998ca6

SHA1
c8cd6e6887d98e9a002524060811f1c4d77d7df4

SHA256
ba421cfcb6fef46bd0f3a24ef4640a1c844bfede46642c2a4c7552ecb5f38358

SHA512
c51aa33de9a73af3daeb380a1b36fe8bce849ade2c5f187cccf41e2cf150e179274d6a0aa854f38f005c5ce660a97592fe68d7ebf3c2731713133f0ec2a8de94

Download Submit
memory/564-82-0x0000000000000000-mapping.dmp

Download
memory/856-84-0x0000000000000000-mapping.dmp

Download
memory/1328-81-0x0000000004594000-0x0000000004595000-memory.dmp

Filesize
4KB

Download
memory/1328-70-0x000000000040188B-mapping.dmp

Download
memory/1328-76-0x0000000004460000-0x0000000004493000-memory.dmp

Filesize
204KB

Download
memory/1328-78-0x0000000004591000-0x0000000004592000-memory.dmp

Filesize
4KB

Download
memory/1328-79-0x0000000004592000-0x0000000004593000-memory.dmp

Filesize
4KB

Download
memory/1328-80-0x0000000004593000-0x0000000004594000-memory.dmp

Filesize
4KB

Download
memory/1328-88-0x0000000004570000-0x0000000004573000-memory.dmp

Filesize
12KB

Download
memory/1328-75-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1328-87-0x0000000004F80000-0x0000000004F99000-memory.dmp

Filesize
100KB

Download
memory/1328-86-0x0000000004560000-0x0000000004565000-memory.dmp

Filesize
20KB

Download
memory/1988-61-0x0000000000000000-mapping.dmp

Download
memory/1988-63-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1988-73-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/2024-64-0x0000000000000000-mapping.dmp

Download