nanocore | 71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc

Analysis

max time kernel
148s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
05-10-2023 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe
Size

3.5MB
MD5

80225e6fc6a1c15d38a7c924641fdb84
SHA1

68fd0f6dd5cef4e94a2d745baa50d0d295b8acf9
SHA256

71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc
SHA512

de2eb790e856a14be6905e8e0e8dd6fcf108bcd7effa5f749760272ef8fe88addcdc18336b8cb5b6eac24a9536d3559bb9f27e6bb50942840deb25e3df819952
SSDEEP

49152:MdqAeYMZsc+Jf+1Z1yDMj7z//DXhdDHGuYtwDNetxQmoDMBG:MQAeHZsc+Jf+1jIMjP9x9YSDNyxF

Score

10^/10

nanocore quasar warzonerat slave evasion infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

backupcraft.ddns.net:54984

127.0.0.1:54984

Mutex

96156e42-3e88-498a-83b0-34f138a87549

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65541
build_time
2023-06-29T18:37:26.433436736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.0485763e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
96156e42-3e88-498a-83b0-34f138a87549
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
backupcraft.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

backupcraft.ddns.net:4782

Mutex

fbfe67fd-8086-4852-908c-75959d17c0c7

Attributes

encryption_key
6550C5FD133683B3330870C778B7DB73E923F472
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

warzonerat

supercraft123.serveminecraft.net:5200

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
behavioral1/memory/1260-17-0x0000000000430000-0x0000000000754000-memory.dmp	family_quasar

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\Documents\Documents:ApplicationData	warzonerat
C:\Users\Admin\Documents\svchost.exe	warzonerat
C:\Users\Admin\Documents\svchost.exe	warzonerat

Drops startup file 2 IoCs

Processes:

wz_payload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	wz_payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	wz_payload.exe

Executes dropped EXE 4 IoCs

Processes:

nanocore_payload.exesystemq.exewz_payload.exesvchost.exe

pid process

3580 nanocore_payload.exe
1260 systemq.exe
4584 wz_payload.exe
1408 svchost.exe

pid	process
3580	nanocore_payload.exe
1260	systemq.exe
4584	wz_payload.exe
1408	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wz_payload.exenanocore_payload.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\svchost.exe"	wz_payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Monitor = "C:\\Program Files (x86)\\UDP Monitor\\udpmon.exe"	nanocore_payload.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nanocore_payload.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nanocore_payload.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nanocore_payload.exe

Drops file in Program Files directory 2 IoCs

Processes:

nanocore_payload.exe

description	ioc	process
File created	C:\Program Files (x86)\UDP Monitor\udpmon.exe	nanocore_payload.exe
File opened for modification	C:\Program Files (x86)\UDP Monitor\udpmon.exe	nanocore_payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

wz_payload.exe

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData wz_payload.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	wz_payload.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exenanocore_payload.exepowershell.exepowershell.exe

pid	process
3024	powershell.exe
3580	nanocore_payload.exe
3580	nanocore_payload.exe
3580	nanocore_payload.exe
3024	powershell.exe
3580	nanocore_payload.exe
3580	nanocore_payload.exe
3580	nanocore_payload.exe
3024	powershell.exe
1696	powershell.exe
1696	powershell.exe
1696	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nanocore_payload.exe

pid process

3580 nanocore_payload.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

svchost.exe

pid process

1408 svchost.exe

pid	process
3580	nanocore_payload.exe

pid	process
1408	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

systemq.exepowershell.exenanocore_payload.exepowershell.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1260	systemq.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3580	nanocore_payload.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: 33	5048	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5048	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

systemq.exe

pid process

1260 systemq.exe

pid	process
1260	systemq.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exewz_payload.exesvchost.exe

description	pid	process	target process
PID 4936 wrote to memory of 3024	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	powershell.exe
PID 4936 wrote to memory of 3024	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	powershell.exe
PID 4936 wrote to memory of 3024	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	powershell.exe
PID 4936 wrote to memory of 3580	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	nanocore_payload.exe
PID 4936 wrote to memory of 3580	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	nanocore_payload.exe
PID 4936 wrote to memory of 3580	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	nanocore_payload.exe
PID 4936 wrote to memory of 1260	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	systemq.exe
PID 4936 wrote to memory of 1260	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	systemq.exe
PID 4936 wrote to memory of 4584	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	wz_payload.exe
PID 4936 wrote to memory of 4584	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	wz_payload.exe
PID 4936 wrote to memory of 4584	4936	71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe	wz_payload.exe
PID 4584 wrote to memory of 1696	4584	wz_payload.exe	powershell.exe
PID 4584 wrote to memory of 1696	4584	wz_payload.exe	powershell.exe
PID 4584 wrote to memory of 1696	4584	wz_payload.exe	powershell.exe
PID 4584 wrote to memory of 1408	4584	wz_payload.exe	svchost.exe
PID 4584 wrote to memory of 1408	4584	wz_payload.exe	svchost.exe
PID 4584 wrote to memory of 1408	4584	wz_payload.exe	svchost.exe
PID 1408 wrote to memory of 5072	1408	svchost.exe	powershell.exe
PID 1408 wrote to memory of 5072	1408	svchost.exe	powershell.exe
PID 1408 wrote to memory of 5072	1408	svchost.exe	powershell.exe
PID 1408 wrote to memory of 2072	1408	svchost.exe	cmd.exe
PID 1408 wrote to memory of 2072	1408	svchost.exe	cmd.exe
PID 1408 wrote to memory of 2072	1408	svchost.exe	cmd.exe
PID 1408 wrote to memory of 2072	1408	svchost.exe	cmd.exe
PID 1408 wrote to memory of 2072	1408	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe
"C:\Users\Admin\AppData\Local\Temp\71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAagB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcgB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYwB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAegBxACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
  "C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\systemq.exe
  "C:\Users\Admin\AppData\Local\Temp\systemq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1260
- C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
  "C:\Users\Admin\AppData\Local\Temp\wz_payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Users\Admin\Documents\svchost.exe
    "C:\Users\Admin\Documents\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Media\2023-10-5_20.27.54_Program Manager.jpeg

Filesize
53KB

MD5
21d3118cc5ccf3d02be01536256ebdf9

SHA1
14371024a1f7f07e33651d61effbc8a59fb94863

SHA256
7001999e9375c6b2c51a3cbb55e4fcd3fe521c8781ba0c7f171b1e24521f60ea

SHA512
62c2f95d4bd3bed3e184a9e52bd3aa082ba61668fed0aee8c4c367d8d3123e125508608cb0da983c4bef0f5168aaa622a0940865b4c4a24fab1977f6b05f4660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
42831ff3fd0caf0367d03aecee0ab834

SHA1
0ce5489a08a91c66b74eac7adbcdb58260cd9226

SHA256
5ea54b438c17552dd7b2eb5bcc03ff1dc5cab108839e6a749dd68bef6f09ef5e

SHA512
0b8bce022fe7f8a31b86585900ba43a15df8ba8915c4dc1951cecd06f4eccf5417578488548774f8f590544044403a4be612e052e5c2d6131d1fb1a73b554348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
662e6edcb462070e9c7bf24e60d8e39a

SHA1
12d006d1cec82651252a7fa5ae75325217c38a8b

SHA256
843daca4641e4972eb948df019a04e0189f6929219b98c32fd1c18e393d5e781

SHA512
27772c9b26edc3f12f20c6ca33cd891d7ce71771c4f8374aea5c4690b19d9268952a3fc055a6ae86e06115e4bfe14c4893977f2bff418129f6a0ad7c593ca4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hmeizmg.lbv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe

Filesize
202KB

MD5
453bdc5af90ce17385bc4e0ca1cbe15d

SHA1
4047e7aea50df01ea1adf1d3c1354e3335e56429

SHA256
89e3d9bdab44323f4e95c7ed14859e36e87e39332b2c28c2038465eb1abbc602

SHA512
368c8374f7e1cbe351c952625ca43b541230edc14e8b9e3c3751fc126dc7507fd7260c523233ef8e82f2d7562ed0e03068d9158551069d8e70156610b60d58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe

Filesize
202KB

MD5
453bdc5af90ce17385bc4e0ca1cbe15d

SHA1
4047e7aea50df01ea1adf1d3c1354e3335e56429

SHA256
89e3d9bdab44323f4e95c7ed14859e36e87e39332b2c28c2038465eb1abbc602

SHA512
368c8374f7e1cbe351c952625ca43b541230edc14e8b9e3c3751fc126dc7507fd7260c523233ef8e82f2d7562ed0e03068d9158551069d8e70156610b60d58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemq.exe

Filesize
3.1MB

MD5
29853d6de2a6ea760788dbdbe601a4ab

SHA1
038ee578dca716ebb46d4a96105838d39122d7a0

SHA256
ad306c945a71d25faffefb7330f1563ceb100513a4c50fa29fb60b2d46fbd732

SHA512
a6c5822ac7899582b6f7b09670a4e8f0f7867d468aa0b321967ed25a8cea0c27e8357b81e3909b61f8ae70f69d4e50f2b68c31f64110c0e6a258efc39f2f9bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemq.exe

Filesize
3.1MB

MD5
29853d6de2a6ea760788dbdbe601a4ab

SHA1
038ee578dca716ebb46d4a96105838d39122d7a0

SHA256
ad306c945a71d25faffefb7330f1563ceb100513a4c50fa29fb60b2d46fbd732

SHA512
a6c5822ac7899582b6f7b09670a4e8f0f7867d468aa0b321967ed25a8cea0c27e8357b81e3909b61f8ae70f69d4e50f2b68c31f64110c0e6a258efc39f2f9bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe

Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe

Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
C:\Users\Admin\Documents\Documents:ApplicationData

Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
C:\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
C:\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
memory/1260-85-0x000000001B410000-0x000000001B420000-memory.dmp

Filesize
64KB

Download
memory/1260-28-0x00007FFCC5720000-0x00007FFCC610C000-memory.dmp

Filesize
9.9MB

Download
memory/1260-80-0x000000001B820000-0x000000001B832000-memory.dmp

Filesize
72KB

Download
memory/1260-24-0x000000001B410000-0x000000001B420000-memory.dmp

Filesize
64KB

Download
memory/1260-82-0x000000001B880000-0x000000001B8BE000-memory.dmp

Filesize
248KB

Download
memory/1260-98-0x00007FFCC5720000-0x00007FFCC610C000-memory.dmp

Filesize
9.9MB

Download
memory/1260-17-0x0000000000430000-0x0000000000754000-memory.dmp

Filesize
3.1MB

Download
memory/1260-41-0x000000001B8E0000-0x000000001B992000-memory.dmp

Filesize
712KB

Download
memory/1260-40-0x000000001B3C0000-0x000000001B410000-memory.dmp

Filesize
320KB

Download
memory/1696-387-0x000000007E6A0000-0x000000007E6B0000-memory.dmp

Filesize
64KB

Download
memory/1696-262-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1696-254-0x0000000071E10000-0x00000000724FE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-256-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1696-54-0x0000000071E10000-0x00000000724FE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-55-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1696-56-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1696-119-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1696-452-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/1696-101-0x0000000072CF0000-0x0000000072D3B000-memory.dmp

Filesize
300KB

Download
memory/1696-738-0x0000000071E10000-0x00000000724FE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-102-0x000000007E6A0000-0x000000007E6B0000-memory.dmp

Filesize
64KB

Download
memory/1696-646-0x00000000071E0000-0x00000000071FA000-memory.dmp

Filesize
104KB

Download
memory/1696-665-0x00000000071D0000-0x00000000071D8000-memory.dmp

Filesize
32KB

Download
memory/2072-448-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3024-84-0x0000000072CF0000-0x0000000072D3B000-memory.dmp

Filesize
300KB

Download
memory/3024-39-0x0000000008920000-0x0000000008996000-memory.dmp

Filesize
472KB

Download
memory/3024-86-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3024-89-0x000000007F0B0000-0x000000007F0C0000-memory.dmp

Filesize
64KB

Download
memory/3024-93-0x00000000099E0000-0x0000000009A85000-memory.dmp

Filesize
660KB

Download
memory/3024-81-0x0000000009970000-0x00000000099A3000-memory.dmp

Filesize
204KB

Download
memory/3024-100-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3024-99-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3024-103-0x0000000009D50000-0x0000000009DE4000-memory.dmp

Filesize
592KB

Download
memory/3024-18-0x0000000071E10000-0x00000000724FE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-19-0x0000000007130000-0x0000000007166000-memory.dmp

Filesize
216KB

Download
memory/3024-87-0x0000000009950000-0x000000000996E000-memory.dmp

Filesize
120KB

Download
memory/3024-71-0x0000000071E10000-0x00000000724FE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-31-0x0000000007EE0000-0x0000000007F46000-memory.dmp

Filesize
408KB

Download
memory/3024-37-0x0000000008630000-0x000000000867B000-memory.dmp

Filesize
300KB

Download
memory/3024-35-0x0000000007EC0000-0x0000000007EDC000-memory.dmp

Filesize
112KB

Download
memory/3024-751-0x0000000071E10000-0x00000000724FE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-33-0x0000000008160000-0x00000000084B0000-memory.dmp

Filesize
3.3MB

Download
memory/3024-21-0x00000000077A0000-0x0000000007DC8000-memory.dmp

Filesize
6.2MB

Download
memory/3024-25-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3024-32-0x0000000008050000-0x00000000080B6000-memory.dmp

Filesize
408KB

Download
memory/3024-318-0x000000007F0B0000-0x000000007F0C0000-memory.dmp

Filesize
64KB

Download
memory/3024-364-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3024-29-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3024-30-0x0000000007E40000-0x0000000007E62000-memory.dmp

Filesize
136KB

Download
memory/3580-72-0x0000000072500000-0x0000000072AB0000-memory.dmp

Filesize
5.7MB

Download
memory/3580-23-0x0000000072500000-0x0000000072AB0000-memory.dmp

Filesize
5.7MB

Download
memory/3580-83-0x0000000072500000-0x0000000072AB0000-memory.dmp

Filesize
5.7MB

Download
memory/3580-79-0x0000000000F80000-0x0000000000F90000-memory.dmp

Filesize
64KB

Download
memory/3580-20-0x0000000072500000-0x0000000072AB0000-memory.dmp

Filesize
5.7MB

Download
memory/3580-22-0x0000000000F80000-0x0000000000F90000-memory.dmp

Filesize
64KB

Download
memory/5072-257-0x0000000006E20000-0x0000000006E30000-memory.dmp

Filesize
64KB

Download
memory/5072-647-0x0000000071E10000-0x00000000724FE000-memory.dmp

Filesize
6.9MB

Download
memory/5072-735-0x0000000006E20000-0x0000000006E30000-memory.dmp

Filesize
64KB

Download
memory/5072-739-0x0000000006E20000-0x0000000006E30000-memory.dmp

Filesize
64KB

Download
memory/5072-258-0x0000000006E20000-0x0000000006E30000-memory.dmp

Filesize
64KB

Download
memory/5072-449-0x0000000006E20000-0x0000000006E30000-memory.dmp

Filesize
64KB

Download
memory/5072-255-0x0000000071E10000-0x00000000724FE000-memory.dmp

Filesize
6.9MB

Download
memory/5072-389-0x000000007E8E0000-0x000000007E8F0000-memory.dmp

Filesize
64KB

Download
memory/5072-797-0x0000000071E10000-0x00000000724FE000-memory.dmp

Filesize
6.9MB

Download
memory/5072-388-0x0000000072CF0000-0x0000000072D3B000-memory.dmp

Filesize
300KB

Download