nanocore | af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

962B35661C04B5BFF3E3504F9CD646A7.exe
Size

1.4MB
MD5

962b35661c04b5bff3e3504f9cd646a7
SHA1

1a1cd695804bd14e8e1ea64a21b2b81fe76baf6c
SHA256

af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb
SHA512

a7b7fb2990abc7a73e0f5963c3ce72b1b18a37fb908ec069985bde616e7e8fcd75f288855ae33218e66b1483b7f2596bf4729e3cab9afb478fc37691488964ec
SSDEEP

24576:dngozf6mbIWaZWazVXOLJPqEXN9/uZteoFjqQOy:dnVD6mkWawkXmPqEXN9mZteuj5/

Score

10^/10

nanocore remcos newremotehost collection evasion execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

NewRemoteHost

newnex.3utilities.com:8580

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-68D53E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

nanocore

Version

1.2.2.0

newsddawork.3utilities.com:1620

maxlogs.webhop.me:1620

Mutex

1fa46b72-10f9-4da3-bc15-84dde165706d

Attributes

activate_away_mode
true
backup_connection_host
maxlogs.webhop.me
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-02-17T03:41:10.727034736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1620
default_group
NewBin
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1fa46b72-10f9-4da3-bc15-84dde165706d
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
newsddawork.3utilities.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/2040-98-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4168-100-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2572-106-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4168-100-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2040-98-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4624 powershell.exe

pid	process
4624	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

962B35661C04B5BFF3E3504F9CD646A7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	962B35661C04B5BFF3E3504F9CD646A7.exe

Executes dropped EXE 2 IoCs

Processes:

a.exea.exe

pid process

1364 a.exe
1500 a.exe

pid	process
1364	a.exe
1500	a.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe"	a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

a.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

962B35661C04B5BFF3E3504F9CD646A7.exeRegSvcs.exea.exe

description	pid	process	target process
PID 2028 set thread context of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 660 set thread context of 2040	660	RegSvcs.exe	RegSvcs.exe
PID 660 set thread context of 4168	660	RegSvcs.exe	RegSvcs.exe
PID 660 set thread context of 2572	660	RegSvcs.exe	RegSvcs.exe
PID 1364 set thread context of 1500	1364	a.exe	a.exe

Drops file in Program Files directory 2 IoCs

Processes:

a.exe

description	ioc	process
File created	C:\Program Files (x86)\UDP Service\udpsv.exe	a.exe
File opened for modification	C:\Program Files (x86)\UDP Service\udpsv.exe	a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1832 schtasks.exe

pid	process
1832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

962B35661C04B5BFF3E3504F9CD646A7.exepowershell.exeRegSvcs.exeRegSvcs.exea.exea.exe

pid	process
2028	962B35661C04B5BFF3E3504F9CD646A7.exe
2028	962B35661C04B5BFF3E3504F9CD646A7.exe
4624	powershell.exe
4624	powershell.exe
2040	RegSvcs.exe
2040	RegSvcs.exe
2572	RegSvcs.exe
2572	RegSvcs.exe
2040	RegSvcs.exe
2040	RegSvcs.exe
1364	a.exe
1364	a.exe
1500	a.exe
1500	a.exe
1500	a.exe
1500	a.exe
1500	a.exe
1500	a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a.exe

pid process

1500 a.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegSvcs.exe

pid process

660 RegSvcs.exe
660 RegSvcs.exe
660 RegSvcs.exe
660 RegSvcs.exe
660 RegSvcs.exe
660 RegSvcs.exe
660 RegSvcs.exe

pid	process
1500	a.exe

pid	process
660	RegSvcs.exe
660	RegSvcs.exe
660	RegSvcs.exe
660	RegSvcs.exe
660	RegSvcs.exe
660	RegSvcs.exe
660	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

962B35661C04B5BFF3E3504F9CD646A7.exepowershell.exeRegSvcs.exea.exea.exe

description	pid	process
Token: SeDebugPrivilege	2028	962B35661C04B5BFF3E3504F9CD646A7.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	2572	RegSvcs.exe
Token: SeDebugPrivilege	1364	a.exe
Token: SeDebugPrivilege	1500	a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

660 RegSvcs.exe

pid	process
660	RegSvcs.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

962B35661C04B5BFF3E3504F9CD646A7.exeRegSvcs.exea.exe

description	pid	process	target process
PID 2028 wrote to memory of 4624	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	powershell.exe
PID 2028 wrote to memory of 4624	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	powershell.exe
PID 2028 wrote to memory of 4624	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	powershell.exe
PID 2028 wrote to memory of 1832	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	schtasks.exe
PID 2028 wrote to memory of 1832	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	schtasks.exe
PID 2028 wrote to memory of 1832	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	schtasks.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 2028 wrote to memory of 660	2028	962B35661C04B5BFF3E3504F9CD646A7.exe	RegSvcs.exe
PID 660 wrote to memory of 2552	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2552	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2552	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2040	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2040	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2040	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2040	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 1672	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 1672	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 1672	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 4552	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 4552	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 4552	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 3080	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 3080	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 3080	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 4168	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 4168	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 4168	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 4168	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2572	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2572	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2572	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 2572	660	RegSvcs.exe	RegSvcs.exe
PID 660 wrote to memory of 1364	660	RegSvcs.exe	a.exe
PID 660 wrote to memory of 1364	660	RegSvcs.exe	a.exe
PID 660 wrote to memory of 1364	660	RegSvcs.exe	a.exe
PID 1364 wrote to memory of 1500	1364	a.exe	a.exe
PID 1364 wrote to memory of 1500	1364	a.exe	a.exe
PID 1364 wrote to memory of 1500	1364	a.exe	a.exe
PID 1364 wrote to memory of 1500	1364	a.exe	a.exe
PID 1364 wrote to memory of 1500	1364	a.exe	a.exe
PID 1364 wrote to memory of 1500	1364	a.exe	a.exe
PID 1364 wrote to memory of 1500	1364	a.exe	a.exe
PID 1364 wrote to memory of 1500	1364	a.exe	a.exe

C:\Users\Admin\AppData\Local\Temp\962B35661C04B5BFF3E3504F9CD646A7.exe
"C:\Users\Admin\AppData\Local\Temp\962B35661C04B5BFF3E3504F9CD646A7.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tPbnVzkURocjXA.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tPbnVzkURocjXA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED1F.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\vxxzuiikwvvbsujofvrrbtkwhgrgobgkk"
3⤵
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\vxxzuiikwvvbsujofvrrbtkwhgrgobgkk"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\yrcsu"
3⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\yrcsu"
3⤵
PID:4552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\yrcsu"
3⤵
PID:3080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\yrcsu"
3⤵
- Accesses Microsoft Outlook accounts
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\ithkvkmf"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
06aa01346610b670d975b263017028bb

SHA1
d0d122e5abffb8d8195c8d9b1a0d92999740e989

SHA256
dd7a56babf4007de5dc314ff46135a4c428a3e1a7d0e10517e38a93cf8958308

SHA512
cc053b57a51d7e300a82fe397e5c0a5ca5e4d58b5040aa61d328d8021718d5aa242f627c6621d2a28a4877a50124446d47712ddd7e96d301c21e19bcbbbfe5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3iqdwdkw.c0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
623KB

MD5
7166bb20971fd3ea0214675b80d6dce2

SHA1
c6bb92b860375a05a54465b9a2b53c4210d88042

SHA256
b6fcf56c757a74ebf781c794d629965dc94bc256ebeb502c2a948681789d5044

SHA512
0b3e8569c171f1f95e3c5ad724ee02cb81c8c0af3a384058de9578930fd56dcf00e92f76818501537d91aa8d905375a8f179224ce08b4917989622901a97eb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED1F.tmp

Filesize
1KB

MD5
b579d2068da768b020203fe334563fa5

SHA1
08857f6065da81f7eac97ed68e192708d317a453

SHA256
a061eb5952bd0ac15fe69f72bd2e77ad1f055f7a9c8d3aa75460fc27e61ba34f

SHA512
8a3021e73884649017dce328a30984fb854429ed192b4eb7b137c8cbdf24b4c01a536c1d90c77d2d9265aed444c7ad2a9385c76121983cc4da9ab148a812c95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxxzuiikwvvbsujofvrrbtkwhgrgobgkk

Filesize
4KB

MD5
71e3611290752b1a114e303d84e3987f

SHA1
210794023f369235615743c802fce5055961ee6e

SHA256
5163d0e849d5d39f1e8beb9d13beea8240d532dff6f28433522148628007af06

SHA512
d0235dd58f9038009e44c4847535f2bb652f093418fdfd890c01b4b9d8981df3a31e4a89f9099c226becbfe8541015d60f6b852165241d08cb8795d93dd2eb09

Download Submit
memory/660-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-190-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-189-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-182-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-181-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-174-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-128-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-173-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-113-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/660-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-112-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/660-109-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/660-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1364-138-0x00000000064F0000-0x000000000656A000-memory.dmp

Filesize
488KB

Download
memory/1364-127-0x0000000000940000-0x00000000009E0000-memory.dmp

Filesize
640KB

Download
memory/1364-129-0x0000000006920000-0x00000000069B8000-memory.dmp

Filesize
608KB

Download
memory/1364-130-0x00000000057D0000-0x00000000057E4000-memory.dmp

Filesize
80KB

Download
memory/1364-136-0x00000000064B0000-0x00000000064BA000-memory.dmp

Filesize
40KB

Download
memory/1364-137-0x00000000064C0000-0x00000000064CE000-memory.dmp

Filesize
56KB

Download
memory/1500-156-0x0000000006A40000-0x0000000006A54000-memory.dmp

Filesize
80KB

Download
memory/1500-160-0x0000000006AA0000-0x0000000006ACE000-memory.dmp

Filesize
184KB

Download
memory/1500-154-0x0000000006A20000-0x0000000006A2C000-memory.dmp

Filesize
48KB

Download
memory/1500-153-0x0000000006A10000-0x0000000006A22000-memory.dmp

Filesize
72KB

Download
memory/1500-152-0x0000000006A00000-0x0000000006A0E000-memory.dmp

Filesize
56KB

Download
memory/1500-157-0x0000000006A50000-0x0000000006A60000-memory.dmp

Filesize
64KB

Download
memory/1500-151-0x00000000069D0000-0x00000000069EA000-memory.dmp

Filesize
104KB

Download
memory/1500-150-0x00000000069C0000-0x00000000069D2000-memory.dmp

Filesize
72KB

Download
memory/1500-146-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/1500-145-0x0000000005640000-0x000000000565E000-memory.dmp

Filesize
120KB

Download
memory/1500-144-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/1500-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1500-158-0x0000000006A70000-0x0000000006A84000-memory.dmp

Filesize
80KB

Download
memory/1500-155-0x0000000006A30000-0x0000000006A3E000-memory.dmp

Filesize
56KB

Download
memory/1500-159-0x0000000006A90000-0x0000000006A9E000-memory.dmp

Filesize
56KB

Download
memory/1500-161-0x0000000006AE0000-0x0000000006AF4000-memory.dmp

Filesize
80KB

Download
memory/2028-4-0x0000000005170000-0x00000000054C4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-2-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/2028-7-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/2028-8-0x0000000006590000-0x000000000659E000-memory.dmp

Filesize
56KB

Download
memory/2028-9-0x0000000006680000-0x0000000006760000-memory.dmp

Filesize
896KB

Download
memory/2028-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2028-3-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/2028-1-0x0000000000480000-0x00000000005E2000-memory.dmp

Filesize
1.4MB

Download
memory/2028-10-0x0000000006800000-0x000000000689C000-memory.dmp

Filesize
624KB

Download
memory/2028-5-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2028-6-0x0000000005AB0000-0x0000000005ABA000-memory.dmp

Filesize
40KB

Download
memory/2028-33-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2040-95-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2040-96-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2040-98-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2572-104-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2572-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2572-106-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4168-100-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4168-97-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4168-99-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4624-44-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/4624-20-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4624-18-0x0000000005840000-0x0000000005E68000-memory.dmp

Filesize
6.2MB

Download
memory/4624-82-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4624-78-0x0000000007DD0000-0x0000000007DD8000-memory.dmp

Filesize
32KB

Download
memory/4624-77-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

Filesize
104KB

Download
memory/4624-76-0x0000000007CF0000-0x0000000007D04000-memory.dmp

Filesize
80KB

Download
memory/4624-75-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

Filesize
56KB

Download
memory/4624-73-0x0000000007CB0000-0x0000000007CC1000-memory.dmp

Filesize
68KB

Download
memory/4624-72-0x0000000007D30000-0x0000000007DC6000-memory.dmp

Filesize
600KB

Download
memory/4624-71-0x0000000007B30000-0x0000000007B3A000-memory.dmp

Filesize
40KB

Download
memory/4624-68-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/4624-67-0x0000000008100000-0x000000000877A000-memory.dmp

Filesize
6.5MB

Download
memory/4624-66-0x0000000007760000-0x0000000007803000-memory.dmp

Filesize
652KB

Download
memory/4624-60-0x0000000006D40000-0x0000000006D5E000-memory.dmp

Filesize
120KB

Download
memory/4624-49-0x0000000072F30000-0x0000000072F7C000-memory.dmp

Filesize
304KB

Download
memory/4624-48-0x0000000006D60000-0x0000000006D92000-memory.dmp

Filesize
200KB

Download
memory/4624-22-0x00000000056D0000-0x00000000056F2000-memory.dmp

Filesize
136KB

Download
memory/4624-45-0x00000000067D0000-0x000000000681C000-memory.dmp

Filesize
304KB

Download
memory/4624-25-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/4624-26-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/4624-19-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4624-17-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4624-15-0x00000000051D0000-0x0000000005206000-memory.dmp

Filesize
216KB

Download