isrstealer | 61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48

Analysis

max time kernel
150s
max time network
162s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-11-2022 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe
Size

939KB
MD5

4325caea282be99b605e26754c406830
SHA1

a0c95de32751cd5a4defb993a5f556f3544cb7e4
SHA256

61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48
SHA512

19ab4631739af22256f00d3320dac7d864c68070c695788aeb419952c16af6a25daf40eaa060f1d0dee7df4f00e16a82e3b372e6adeaed98800b8ec50517a17b
SSDEEP

12288:NjYlUdVCU5S41Yd2Z+pW/qF9vUi/zr4e56K0AbDcZ2yGTNGNPG8OcXDyHVZgPKpv:jVG46PFFNnH4NPucYNaPVWVZXp/

Score

10^/10

isrstealer nanocore collection evasion keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

aje.ddns.net:9991

Mutex

d86cd23e-85c5-4bd1-aecb-b7be43080c66

Attributes

activate_away_mode
true
backup_connection_host
aje.ddns.net
backup_dns_server
buffer_size
65535
build_time
2015-03-10T13:36:53.354214636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
9991
default_group
MILLI
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d86cd23e-85c5-4bd1-aecb-b7be43080c66
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
aje.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/1712-64-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1712-66-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1712-67-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1712-77-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1712-107-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1712-117-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/628-113-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/628-114-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/628-113-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/628-114-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
1608	DOC.exe
1036	DOC.exe
848	NcbService.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1012-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1012-76-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1012-78-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1012-80-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1012-104-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/628-108-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/628-112-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/628-113-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/628-114-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe
1608	DOC.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\NcbService.exe"	NcbService.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DOC.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 1712	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	28
PID 1712 set thread context of 1012	1712	vbc.exe	29
PID 1608 set thread context of 1036	1608	DOC.exe	31
PID 1712 set thread context of 628	1712	vbc.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	DOC.exe
848	NcbService.exe
1036	DOC.exe
1036	DOC.exe
1036	DOC.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe
848	NcbService.exe
1608	DOC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1036	DOC.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe
Token: SeDebugPrivilege	1608	DOC.exe
Token: SeDebugPrivilege	848	NcbService.exe
Token: SeDebugPrivilege	1036	DOC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1712	vbc.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1608	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	27
PID 1940 wrote to memory of 1608	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	27
PID 1940 wrote to memory of 1608	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	27
PID 1940 wrote to memory of 1608	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	27
PID 1940 wrote to memory of 1712	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	28
PID 1940 wrote to memory of 1712	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	28
PID 1940 wrote to memory of 1712	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	28
PID 1940 wrote to memory of 1712	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	28
PID 1940 wrote to memory of 1712	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	28
PID 1940 wrote to memory of 1712	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	28
PID 1940 wrote to memory of 1712	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	28
PID 1940 wrote to memory of 1712	1940	61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe	28
PID 1712 wrote to memory of 1012	1712	vbc.exe	29
PID 1712 wrote to memory of 1012	1712	vbc.exe	29
PID 1712 wrote to memory of 1012	1712	vbc.exe	29
PID 1712 wrote to memory of 1012	1712	vbc.exe	29
PID 1712 wrote to memory of 1012	1712	vbc.exe	29
PID 1712 wrote to memory of 1012	1712	vbc.exe	29
PID 1712 wrote to memory of 1012	1712	vbc.exe	29
PID 1712 wrote to memory of 1012	1712	vbc.exe	29
PID 1712 wrote to memory of 1012	1712	vbc.exe	29
PID 1608 wrote to memory of 1036	1608	DOC.exe	31
PID 1608 wrote to memory of 1036	1608	DOC.exe	31
PID 1608 wrote to memory of 1036	1608	DOC.exe	31
PID 1608 wrote to memory of 1036	1608	DOC.exe	31
PID 1608 wrote to memory of 1036	1608	DOC.exe	31
PID 1608 wrote to memory of 1036	1608	DOC.exe	31
PID 1608 wrote to memory of 1036	1608	DOC.exe	31
PID 1608 wrote to memory of 1036	1608	DOC.exe	31
PID 1608 wrote to memory of 1036	1608	DOC.exe	31
PID 1608 wrote to memory of 848	1608	DOC.exe	32
PID 1608 wrote to memory of 848	1608	DOC.exe	32
PID 1608 wrote to memory of 848	1608	DOC.exe	32
PID 1608 wrote to memory of 848	1608	DOC.exe	32
PID 1712 wrote to memory of 628	1712	vbc.exe	35
PID 1712 wrote to memory of 628	1712	vbc.exe	35
PID 1712 wrote to memory of 628	1712	vbc.exe	35
PID 1712 wrote to memory of 628	1712	vbc.exe	35
PID 1712 wrote to memory of 628	1712	vbc.exe	35
PID 1712 wrote to memory of 628	1712	vbc.exe	35
PID 1712 wrote to memory of 628	1712	vbc.exe	35
PID 1712 wrote to memory of 628	1712	vbc.exe	35
PID 1712 wrote to memory of 628	1712	vbc.exe	35

C:\Users\Admin\AppData\Local\Temp\61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe
"C:\Users\Admin\AppData\Local\Temp\61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\Desktop\DOC.exe
  "C:\Users\Admin\Desktop\DOC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\Desktop\DOC.exe
    "C:\Users\Admin\Desktop\DOC.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\s73i1EOzdM.ini"
    3⤵
    PID:1012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\p0mVQjFMES.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s73i1EOzdM.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\BthHFSrv.exe

Filesize
939KB

MD5
4325caea282be99b605e26754c406830

SHA1
a0c95de32751cd5a4defb993a5f556f3544cb7e4

SHA256
61eea36a4fe7a62d5e6c371d13c835f00ed1f96b9237b52f39be66707b558b48

SHA512
19ab4631739af22256f00d3320dac7d864c68070c695788aeb419952c16af6a25daf40eaa060f1d0dee7df4f00e16a82e3b372e6adeaed98800b8ec50517a17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
C:\Users\Admin\Desktop\DOC.exe

Filesize
432KB

MD5
f911d515cab24e5e3301a82d4b380054

SHA1
c0bf9ca5fb68b2fe480d79c1f7df661911a6a40c

SHA256
1850c85ee0a0adc587166ec9e41d01bc0363f4442c0c1e99ebe553b091dccc4f

SHA512
89ba790e8e79d0b484f1f8f425986497cac8756da752e25cbed9bceeb4dc8dd4e9f94593e00fb3dfb26b4330830d07fc3db3d7cc6c2a0ece44144da0a3ef5a88

Download Submit
C:\Users\Admin\Desktop\DOC.exe

Filesize
432KB

MD5
f911d515cab24e5e3301a82d4b380054

SHA1
c0bf9ca5fb68b2fe480d79c1f7df661911a6a40c

SHA256
1850c85ee0a0adc587166ec9e41d01bc0363f4442c0c1e99ebe553b091dccc4f

SHA512
89ba790e8e79d0b484f1f8f425986497cac8756da752e25cbed9bceeb4dc8dd4e9f94593e00fb3dfb26b4330830d07fc3db3d7cc6c2a0ece44144da0a3ef5a88

Download Submit
C:\Users\Admin\Desktop\DOC.exe

Filesize
432KB

MD5
f911d515cab24e5e3301a82d4b380054

SHA1
c0bf9ca5fb68b2fe480d79c1f7df661911a6a40c

SHA256
1850c85ee0a0adc587166ec9e41d01bc0363f4442c0c1e99ebe553b091dccc4f

SHA512
89ba790e8e79d0b484f1f8f425986497cac8756da752e25cbed9bceeb4dc8dd4e9f94593e00fb3dfb26b4330830d07fc3db3d7cc6c2a0ece44144da0a3ef5a88

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
\Users\Admin\Desktop\DOC.exe

Filesize
432KB

MD5
f911d515cab24e5e3301a82d4b380054

SHA1
c0bf9ca5fb68b2fe480d79c1f7df661911a6a40c

SHA256
1850c85ee0a0adc587166ec9e41d01bc0363f4442c0c1e99ebe553b091dccc4f

SHA512
89ba790e8e79d0b484f1f8f425986497cac8756da752e25cbed9bceeb4dc8dd4e9f94593e00fb3dfb26b4330830d07fc3db3d7cc6c2a0ece44144da0a3ef5a88

Download Submit
memory/628-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/628-112-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/628-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/628-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/848-103-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/848-118-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1012-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1012-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1012-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1012-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1036-89-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-87-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-116-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1036-93-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-86-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-102-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-79-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-115-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-117-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-77-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1940-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1940-70-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-55-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download