Overview

overview

10

Static

static

1

hesaphareketi-01.exe

windows7-x64

10

hesaphareketi-01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2023 16:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hesaphareketi-01.exe

  • Size

    731KB

  • MD5

    3024f8b8500d2629b5d934d0ef334efb

  • SHA1

    d2013e0488e50fe9039986129e46725c2353e0a7

  • SHA256

    12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31

  • SHA512

    b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998

  • SSDEEP

    12288:JqH3dU+ta6byR6WYlvZja6+hpKo8sRexHyoRwMt7zANdi:etU+YxYtARN6wUK0

Score
10/10
snakekeyloggerevasionkeyloggerpersistencestealertrojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.gkas.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Gkasteknik@2022

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 4 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe
    "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2504
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD124.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2544
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2224
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1540
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
          4⤵
            PID:2696
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mscorsvw.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:820
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:820 CREDAT:275457 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:852

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    3
    T1562

    Disable or Modify Tools

    3
    T1562.001

    Modify Registry

    6
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    4
    T1012

    System Information Discovery

    4
    T1082

    Virtualization/Sandbox Evasion

    2
    T1497

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2aa5a84cbe80457343927d831a93d401

      SHA1

      a1e8851ce418d20979d20c42c28879a720f3ecea

      SHA256

      41a93b58f17a92f280bdca2d640341ba2b12ac77e00a3da3f08c7bc8c9427ad0

      SHA512

      6c4189d5408f6b44c5b704046a7cd14fb0ab5e95ee593a606dfbf21f39c58b7fd1997d5ae8a118cea6c230cf5162e245cd8ff997922918f7c46202747b21e1dd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      41ce9bdb75f35e6d7b4a69bec150a33f

      SHA1

      c4962f6d6470f2aa7071dd862f7009befdc1d792

      SHA256

      de7f9362994a6283a8ba64e5ded63e56e63fcbe7172da40e5e8576bf395a0143

      SHA512

      2bccac406973bb4af60a6437244b855ddc15fee10fe98d5a8a962185eb4d72058f1b8ad3113761bbede83f888b4d7929a65a4cce30524739d3661ac5b082cdec

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      90e814625938c3741d4f90abaa3984eb

      SHA1

      9924beb4e6d4d6d4304bb2880ba09107528fff62

      SHA256

      c56c7dda4d3ac5694ffe4fabc551b07c080644b20f5c58413f7792ea221aab33

      SHA512

      6914c0337fb88389dc2b24fc6dfe6a086e22d10d92be19e24be488de6a84cc6f8e75ebc8ebfbf634a5a53895c274f511e5dffc18ce3680e09a9c07835620312e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      24d20f34c1f578f0e38d4ca53da5b53b

      SHA1

      15a3294848d22165be69e1138ae86a3d47b44286

      SHA256

      04d34e31761abdfed286b8320435fcceaf0f1dd63b1403d8119af8c1adca3ffb

      SHA512

      8e4ec1bd81ab96a951ab18713afab00b7b9ae1770fee504a6dfc5ee003b3a6b34344c22902779bcf4e4407dc5f9ed0520842dad4d4c3361d33917c00476741a3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b7515dce7d62460e45b57fab999a093b

      SHA1

      cf008d2fd50cd39d153d8aa982e21e6dfc70bbf7

      SHA256

      dac577dd659f52503848912ed075a2267036af3fcc7999d7645f5d86e15b6038

      SHA512

      bea7ca57d94f2020c706d6393d0ac176cae0f3851712aa882a3f69c03351c7248d19313fa89a16375032626d91abcb9d774ff58f047a6d868aaae95a2e29bb4a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      015a3604038c4053303666d2d88e3b67

      SHA1

      9f7fbd178b1b2dcc5aea8becce9c66e09ab852f3

      SHA256

      24cc46aca4844c17fc20c74d88cec2f2510123753d6c84121907fc04dbdd5d12

      SHA512

      cd5da51052d2abe2b92d96e4b3673009dd3c13b94cee23df0c002362076015968915a97f88c13ad187924b53f80fd1bae2b723dc5e08bada7d4e0d808de85c97

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a541c403b8c49f327370ba6401eb13e7

      SHA1

      3e72ef5925d00102622b0ead776016b6d4237457

      SHA256

      bbe50b5eac1fa376ed6e397108851adb75ba0e6c30ee74ec3dac820298a6144e

      SHA512

      fc9b71c4804d3d861bed561684b77680141957b094e9e556b9cabf3dd8094dbd06d17e9fea82a1fb63983fd6fa368b67892582d3f9d02e1fef7ed42ae483fbcb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      71035fa302b5d2c8c9ead1d67092e212

      SHA1

      03c0d6dd12e10cbd640d771a18ab50b3d1243801

      SHA256

      6e0d23a0061a93c12e0b7e1150b7c8569f3c9c15a19918eac196eb8a9f6978e3

      SHA512

      6ea7024978541e28ca3206fd5ff892bf05ef3474bc690e6d099c360630f5fe19a1b6c044eb4827165a56b07c766167bb18f468279415b40e19679cd7841177bc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      692538b920ef1385075afffd1e490d02

      SHA1

      3a67256ae02d9f1565b39de4a73b1ac1346a8c03

      SHA256

      118000ea6d0373ad2cc1aebd5e85bf5c2b83399c16f60dff1bc3970c673ad258

      SHA512

      020f3785638943fc5a147b88ffdc2327639b3d0349796faa10f969c53226851dc1eed1b3cd92549eb2778f54457ac5908531c73489457a2763f802eb321fcce9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ae8a44183aa331fcb7175a77cd6319b4

      SHA1

      f0d51fc8702406fd027b1709fb9bffa9e31a24ff

      SHA256

      153b80a1ad1c12f735da91e4ca75392fafcc0e72fac0307f3391cb3ab01dc044

      SHA512

      4e71af705901d7ffc1711af376370816a8f313fe163b459fb7aceb861a2972815b3631a91c13fd395a9f917638c8e4ca062871de8ed2c6fc593850bb924453ee

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3b06495774e6cd8d8721fcb33b1efa5c

      SHA1

      2082ce54f3665aa44d3c6ba4db75e96998a46a12

      SHA256

      52a277a1e0f5d423f34e0843cf91e9c0b1b0ffcd01a94c9a1c88a119f8860c3d

      SHA512

      749fc961447a745d16ccb25acdd70fa897921a54b087354d4e8681bd921953c8bf7ab08ecb1d373b28892bed53af0c60c2dcdad003c0e090b6c384ceaf1ba134

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ca790c9c27b23f7c9a275eb57ae41916

      SHA1

      f4bec774dc0ff91f5529e2622f7999957be122ef

      SHA256

      bc335570e8bbb895ebe17f134849427d496ea6bb1a1b014a76f7a7d7723760cf

      SHA512

      7c5bd717660a45064275bc864541de63a7ff2ca9f782a5e4796abfb6997f70a0b0a71b53bb1d45badf5c3e862770fb04cc486dc8c6e769ac184a6feb446043fb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      6d422c3f1e33ee9f6e6bb327e29035f6

      SHA1

      0053e50ef950aaf77e433749c28e6b6a08a16385

      SHA256

      4ff7c184523e656371bc1e1bef72f869435312aa2f0b74db388275256b4292f4

      SHA512

      41f4dc365cece7cdafa4b59699ff2c6ce01344084104140464cb4a782598f76687aa64f77a5686f71f686689f2f3e12d6924c4b28737701bd64da8dba0992749

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3eb3267b23418fe41b81c4f251b0987d

      SHA1

      f646c9102b003934a13ebf2188095b7add3d32a7

      SHA256

      41e9deeee35eff345d93c41083e9997b8c34e6e3317d3518a432ede05b32d4d2

      SHA512

      0848599d9c0edf78348f4698b1be0cc5677b9947a66fed19e2f4261e72c93bb4610d4157fd497be825a00a643c910ad8a330f39ca76d7463f7c85611c8cdb048

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8a5b441cb644e7002109f60121a14ed1

      SHA1

      16d86c0cc41f744e6a39a1bc5a806b39c95254bf

      SHA256

      c3857db9f5e1bef8a351218fbb28a58cda28d7a958f6167b5594874fa3d09a77

      SHA512

      720c381f6086212f387a22986744c1b0c770881eec3ba4293376abe680633763ea011f26f49c0fa195855c9e8d8faacb507545bd7064b77fe4527b668cdcfb29

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3c1eddc9e9cec15886ef9322d94ee661

      SHA1

      6cdd26e528155b1ad55db958e8414a1931ad23d3

      SHA256

      adbd23805717df5a072985553013a50afaf5d7d57c75753224ab5c854cb9dea8

      SHA512

      614bab9569c548c594e9c5af4ab9e345b3ef81d05f553e00262203cb4e80bae31e5a1ec6aab350af65de7bb998bfcec4a179aa3cd0dffb07fc818cc115bd4e8d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab1FA4.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar1FE7.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD124.tmp.bat
      Filesize

      151B

      MD5

      7fa1a8f0597e251473bc6768879aa2ed

      SHA1

      d76819e763bbad358852adf00dff36ae354fbdbf

      SHA256

      f4691eaa83d71c3494961198a5d6439bfb1eeb6e65313ba31367e0a14328b1c4

      SHA512

      770ba0b75628554b2fed78d353058079e09397c6cb52bfd992c176f54b454ec7d4188543653ab32e3b2fea0605e323fa0982b8837b4b55de9a8bc8912f8be672

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD124.tmp.bat
      Filesize

      151B

      MD5

      7fa1a8f0597e251473bc6768879aa2ed

      SHA1

      d76819e763bbad358852adf00dff36ae354fbdbf

      SHA256

      f4691eaa83d71c3494961198a5d6439bfb1eeb6e65313ba31367e0a14328b1c4

      SHA512

      770ba0b75628554b2fed78d353058079e09397c6cb52bfd992c176f54b454ec7d4188543653ab32e3b2fea0605e323fa0982b8837b4b55de9a8bc8912f8be672

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      731KB

      MD5

      3024f8b8500d2629b5d934d0ef334efb

      SHA1

      d2013e0488e50fe9039986129e46725c2353e0a7

      SHA256

      12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31

      SHA512

      b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      731KB

      MD5

      3024f8b8500d2629b5d934d0ef334efb

      SHA1

      d2013e0488e50fe9039986129e46725c2353e0a7

      SHA256

      12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31

      SHA512

      b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998

      Download Submit

    • \Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      731KB

      MD5

      3024f8b8500d2629b5d934d0ef334efb

      SHA1

      d2013e0488e50fe9039986129e46725c2353e0a7

      SHA256

      12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31

      SHA512

      b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998

      Download Submit

    • memory/1540-35-0x0000000002700000-0x0000000002740000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1540-191-0x0000000002700000-0x0000000002740000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1540-36-0x0000000002700000-0x0000000002740000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1540-41-0x000000006F380000-0x000000006F92B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1540-42-0x000000006F380000-0x000000006F92B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1540-34-0x0000000002700000-0x0000000002740000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1540-33-0x000000006F380000-0x000000006F92B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1540-32-0x000000006F380000-0x000000006F92B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1540-473-0x000000006F380000-0x000000006F92B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1540-382-0x0000000002700000-0x0000000002740000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2224-23-0x0000000004A20000-0x0000000004A60000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2224-22-0x0000000000590000-0x00000000005AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2224-19-0x0000000001340000-0x00000000013FC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/2224-20-0x0000000000A50000-0x0000000000AA2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2224-21-0x0000000074020000-0x000000007470E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2224-28-0x0000000074020000-0x000000007470E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2776-31-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2776-29-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2776-26-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2972-0-0x0000000073FE0000-0x00000000746CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2972-15-0x0000000073FE0000-0x00000000746CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2972-5-0x00000000003F0000-0x000000000040A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2972-4-0x0000000000450000-0x00000000004A2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2972-3-0x0000000002380000-0x00000000023C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2972-2-0x0000000073FE0000-0x00000000746CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2972-1-0x0000000000AD0000-0x0000000000B8C000-memory.dmp

      Filesize

      752KB

      Download