nanocore | 4582ac75eb6eb3b296e953f5b8d61ad638f765d474d3e2c14c6f3c07dbb219f0

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
04-06-2021 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afo.docx
Size

10KB
MD5

92bd8363f47010e0cd7cc0a4a932b732
SHA1

6707bea3df95c553ea883a5370b600543779782d
SHA256

4582ac75eb6eb3b296e953f5b8d61ad638f765d474d3e2c14c6f3c07dbb219f0
SHA512

b0af15ad466a974272fb2fc1401b6c6ed9b12af91f3aa63f74cb580a19a68c7191028cbe9091f0b27bde889b7f883cc7ccff5fdade128e782d24efb1cb5944f3

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

ararat.mangospot.net:7747

185.140.53.216:7747

Mutex

47ef45f5-c3cd-4adc-a596-91dff13978e9

Attributes

activate_away_mode
true
backup_connection_host
185.140.53.216
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-03-12T19:06:58.915943136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7747
default_group
ArArAt
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
47ef45f5-c3cd-4adc-a596-91dff13978e9
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ararat.mangospot.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

13 800 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1224 vbc.exe
1636 vbc.exe

flow	pid	process
13	800	EQNEDT32.EXE

pid	process
1224	vbc.exe
1636	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.do/fQXx3	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

800 EQNEDT32.EXE
800 EQNEDT32.EXE
800 EQNEDT32.EXE
800 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
800	EQNEDT32.EXE
800	EQNEDT32.EXE
800	EQNEDT32.EXE
800	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe"	vbc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

vbc.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vbc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1224 set thread context of 1636 1224 vbc.exe vbc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vbc.exe

description	pid	process	target process
PID 1224 set thread context of 1636	1224	vbc.exe	vbc.exe

Drops file in Program Files directory 2 IoCs

Processes:

vbc.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Host\lanhost.exe	vbc.exe
File opened for modification	C:\Program Files (x86)\LAN Host\lanhost.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1792 schtasks.exe
1828 schtasks.exe
2004 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

800 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1792	schtasks.exe
1828	schtasks.exe
2004	schtasks.exe

pid	process
800	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1116 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exe

pid process

1636 vbc.exe
1636 vbc.exe
1636 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

1636 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXEvbc.exe

description pid process

Token: SeShutdownPrivilege 1116 WINWORD.EXE
Token: SeDebugPrivilege 1636 vbc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1116 WINWORD.EXE
1116 WINWORD.EXE

pid	process
1116	WINWORD.EXE

pid	process
1636	vbc.exe
1636	vbc.exe
1636	vbc.exe

pid	process
1636	vbc.exe

description	pid	process
Token: SeShutdownPrivilege	1116	WINWORD.EXE
Token: SeDebugPrivilege	1636	vbc.exe

pid	process
1116	WINWORD.EXE
1116	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exevbc.exe

description	pid	process	target process
PID 800 wrote to memory of 1224	800	EQNEDT32.EXE	vbc.exe
PID 800 wrote to memory of 1224	800	EQNEDT32.EXE	vbc.exe
PID 800 wrote to memory of 1224	800	EQNEDT32.EXE	vbc.exe
PID 800 wrote to memory of 1224	800	EQNEDT32.EXE	vbc.exe
PID 1116 wrote to memory of 276	1116	WINWORD.EXE	splwow64.exe
PID 1116 wrote to memory of 276	1116	WINWORD.EXE	splwow64.exe
PID 1116 wrote to memory of 276	1116	WINWORD.EXE	splwow64.exe
PID 1116 wrote to memory of 276	1116	WINWORD.EXE	splwow64.exe
PID 1224 wrote to memory of 1792	1224	vbc.exe	schtasks.exe
PID 1224 wrote to memory of 1792	1224	vbc.exe	schtasks.exe
PID 1224 wrote to memory of 1792	1224	vbc.exe	schtasks.exe
PID 1224 wrote to memory of 1792	1224	vbc.exe	schtasks.exe
PID 1224 wrote to memory of 1636	1224	vbc.exe	vbc.exe
PID 1224 wrote to memory of 1636	1224	vbc.exe	vbc.exe
PID 1224 wrote to memory of 1636	1224	vbc.exe	vbc.exe
PID 1224 wrote to memory of 1636	1224	vbc.exe	vbc.exe
PID 1224 wrote to memory of 1636	1224	vbc.exe	vbc.exe
PID 1224 wrote to memory of 1636	1224	vbc.exe	vbc.exe
PID 1224 wrote to memory of 1636	1224	vbc.exe	vbc.exe
PID 1224 wrote to memory of 1636	1224	vbc.exe	vbc.exe
PID 1224 wrote to memory of 1636	1224	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1828	1636	vbc.exe	schtasks.exe
PID 1636 wrote to memory of 1828	1636	vbc.exe	schtasks.exe
PID 1636 wrote to memory of 1828	1636	vbc.exe	schtasks.exe
PID 1636 wrote to memory of 1828	1636	vbc.exe	schtasks.exe
PID 1636 wrote to memory of 2004	1636	vbc.exe	schtasks.exe
PID 1636 wrote to memory of 2004	1636	vbc.exe	schtasks.exe
PID 1636 wrote to memory of 2004	1636	vbc.exe	schtasks.exe
PID 1636 wrote to memory of 2004	1636	vbc.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\afo.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:276

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjgpLCY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE39B.tmp"
3⤵
- Creates scheduled task(s)
PID:1792

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp"
4⤵
- Creates scheduled task(s)
PID:1828

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE6A8.tmp"
4⤵
- Creates scheduled task(s)
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE39B.tmp
MD5
c5cef72a128ffe589adce13a5499d605

SHA1
80d0bdd2f708ac579f35e4f8dcc6373afd77d018

SHA256
0a831d66bd07d614eae3957e18e0c85ac634c1839a9217192c3ce5c2fca7debe

SHA512
e7b24b7daff12a057858aae74b7aed8f31ac03b24ea831fc6e3d50cb281d73fd0e26b58e2cf6b3286276fb0b4cb032db71cd8a62b416f9e483eb770f2998ef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp
MD5
deb609c2718f3cdffec272701c7cbefa

SHA1
41371e8823d438d91ecf9a84738fd179204353df

SHA256
331ff9d8f5a059660b5e9f4141cecd44b42b2a066f1053f59f87b5c1e5ec6ec4

SHA512
9f976c70e4c3e11674f122f29585169bbb9ce8e0cddbbc1d1705169b1b36175e17ab4986753d62f7e9e84d80a9a3077626e22ab7ee26b2b1f2dd2a9b4734385f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6A8.tmp
MD5
54865f98871478b2b88b7f8aa6100915

SHA1
6f8667f1ce25cebee2a7b460668736ff6bcfac54

SHA256
287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e

SHA512
caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493

Download Submit
C:\Users\Public\vbc.exe
MD5
f6dccd16da5a8415c2f64ad72aa76068

SHA1
b180d21b28512bacdff7bf680cad8326939fa316

SHA256
549102148f7e484426b9293dc3d357f30d9d3afe0c9b6cfb3e28096a979eeea7

SHA512
94d968c4639e86ea7e6fcf144eaa5d0759db5347e138cc783f94a830872644129842a4e3ef607677f95151d6b58d216f91ef4e99c3c2b74ea1e2be6454ebf9be

Download Submit
C:\Users\Public\vbc.exe
MD5
f6dccd16da5a8415c2f64ad72aa76068

SHA1
b180d21b28512bacdff7bf680cad8326939fa316

SHA256
549102148f7e484426b9293dc3d357f30d9d3afe0c9b6cfb3e28096a979eeea7

SHA512
94d968c4639e86ea7e6fcf144eaa5d0759db5347e138cc783f94a830872644129842a4e3ef607677f95151d6b58d216f91ef4e99c3c2b74ea1e2be6454ebf9be

Download Submit
C:\Users\Public\vbc.exe
MD5
f6dccd16da5a8415c2f64ad72aa76068

SHA1
b180d21b28512bacdff7bf680cad8326939fa316

SHA256
549102148f7e484426b9293dc3d357f30d9d3afe0c9b6cfb3e28096a979eeea7

SHA512
94d968c4639e86ea7e6fcf144eaa5d0759db5347e138cc783f94a830872644129842a4e3ef607677f95151d6b58d216f91ef4e99c3c2b74ea1e2be6454ebf9be

Download Submit
\Users\Public\vbc.exe
MD5
f6dccd16da5a8415c2f64ad72aa76068

SHA1
b180d21b28512bacdff7bf680cad8326939fa316

SHA256
549102148f7e484426b9293dc3d357f30d9d3afe0c9b6cfb3e28096a979eeea7

SHA512
94d968c4639e86ea7e6fcf144eaa5d0759db5347e138cc783f94a830872644129842a4e3ef607677f95151d6b58d216f91ef4e99c3c2b74ea1e2be6454ebf9be

Download Submit
\Users\Public\vbc.exe
MD5
f6dccd16da5a8415c2f64ad72aa76068

SHA1
b180d21b28512bacdff7bf680cad8326939fa316

SHA256
549102148f7e484426b9293dc3d357f30d9d3afe0c9b6cfb3e28096a979eeea7

SHA512
94d968c4639e86ea7e6fcf144eaa5d0759db5347e138cc783f94a830872644129842a4e3ef607677f95151d6b58d216f91ef4e99c3c2b74ea1e2be6454ebf9be

Download Submit
\Users\Public\vbc.exe
MD5
f6dccd16da5a8415c2f64ad72aa76068

SHA1
b180d21b28512bacdff7bf680cad8326939fa316

SHA256
549102148f7e484426b9293dc3d357f30d9d3afe0c9b6cfb3e28096a979eeea7

SHA512
94d968c4639e86ea7e6fcf144eaa5d0759db5347e138cc783f94a830872644129842a4e3ef607677f95151d6b58d216f91ef4e99c3c2b74ea1e2be6454ebf9be

Download Submit
\Users\Public\vbc.exe
MD5
f6dccd16da5a8415c2f64ad72aa76068

SHA1
b180d21b28512bacdff7bf680cad8326939fa316

SHA256
549102148f7e484426b9293dc3d357f30d9d3afe0c9b6cfb3e28096a979eeea7

SHA512
94d968c4639e86ea7e6fcf144eaa5d0759db5347e138cc783f94a830872644129842a4e3ef607677f95151d6b58d216f91ef4e99c3c2b74ea1e2be6454ebf9be

Download Submit
memory/276-73-0x000007FEFC301000-0x000007FEFC303000-memory.dmp

Filesize
8KB

Download
memory/276-72-0x0000000000000000-mapping.dmp

Download
memory/800-62-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1116-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1116-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1116-60-0x0000000070881000-0x0000000070883000-memory.dmp

Filesize
8KB

Download
memory/1116-59-0x0000000072E01000-0x0000000072E04000-memory.dmp

Filesize
12KB

Download
memory/1224-78-0x0000000000BD0000-0x0000000000C0C000-memory.dmp

Filesize
240KB

Download
memory/1224-74-0x0000000000510000-0x0000000000524000-memory.dmp

Filesize
80KB

Download
memory/1224-75-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1224-70-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1224-67-0x0000000000000000-mapping.dmp

Download
memory/1224-77-0x00000000050F0000-0x0000000005170000-memory.dmp

Filesize
512KB

Download
memory/1636-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-81-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-82-0x000000000041E792-mapping.dmp

Download
memory/1636-90-0x00000000003D0000-0x00000000003D5000-memory.dmp

Filesize
20KB

Download
memory/1636-91-0x0000000000440000-0x0000000000459000-memory.dmp

Filesize
100KB

Download
memory/1636-92-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download
memory/1636-93-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/1792-79-0x0000000000000000-mapping.dmp

Download
memory/1828-86-0x0000000000000000-mapping.dmp

Download
memory/2004-88-0x0000000000000000-mapping.dmp

Download