snakekeylogger | 5fa3a2796eaf9563333a8da8feae53d42fc90d4ab3de1dbb1bb38d4c3923945c

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Materien.exe
Size

752KB
MD5

da48313586a7ed35308c3d7b730be3a8
SHA1

3ccfbbce591a3f16cc620984d2be7929fd7c69a5
SHA256

802900953255394194cffac091a16c4edbee0cacb91ea43823ed2e36b5b4a3c4
SHA512

5fc0666e58ff30541c5205de42009ca9340308dd3c664b9b1e28ebaffdb7ee2ed24ad584b1de2157472ef2ce172dc84fee0521d6729c7e8af27573eeae49a186
SSDEEP

12288:jGHXvdN4G9MMe/OdNDqJ83eCOyGOs61IYZVAecgs9FMa1Mdq8jJa:juNNesNlLDGMIYO7MoOa

Score

10^/10

snakekeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.securemail.pro
Port:
587
Username:
[email protected]
Password:
jrpM0Y5k
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/1316-123-0x0000000000470000-0x00000000016C4000-memory.dmp	family_snakekeylogger
behavioral2/memory/1316-125-0x0000000000470000-0x0000000000496000-memory.dmp	family_snakekeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1372	powershell.exe
3676	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	responseriets.exe
1248	responseriets.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
11	drive.google.com
12	drive.google.com
10	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1316	responseriets.exe
1248	responseriets.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3676	powershell.exe
1372	powershell.exe
1316	responseriets.exe
1248	responseriets.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Grubstaking.bro	Materien.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	responseriets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	responseriets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Materien.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3676	powershell.exe
1372	powershell.exe
1372	powershell.exe
3676	powershell.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
3676	powershell.exe
3676	powershell.exe
3676	powershell.exe
3676	powershell.exe
1372	powershell.exe
3676	powershell.exe
1316	responseriets.exe
1248	responseriets.exe
1316	responseriets.exe
1248	responseriets.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1372	powershell.exe
3676	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeIncreaseQuotaPrivilege	1372	powershell.exe
Token: SeSecurityPrivilege	1372	powershell.exe
Token: SeTakeOwnershipPrivilege	1372	powershell.exe
Token: SeLoadDriverPrivilege	1372	powershell.exe
Token: SeSystemProfilePrivilege	1372	powershell.exe
Token: SeSystemtimePrivilege	1372	powershell.exe
Token: SeProfSingleProcessPrivilege	1372	powershell.exe
Token: SeIncBasePriorityPrivilege	1372	powershell.exe
Token: SeCreatePagefilePrivilege	1372	powershell.exe
Token: SeBackupPrivilege	1372	powershell.exe
Token: SeRestorePrivilege	1372	powershell.exe
Token: SeShutdownPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeSystemEnvironmentPrivilege	1372	powershell.exe
Token: SeRemoteShutdownPrivilege	1372	powershell.exe
Token: SeUndockPrivilege	1372	powershell.exe
Token: SeManageVolumePrivilege	1372	powershell.exe
Token: 33	1372	powershell.exe
Token: 34	1372	powershell.exe
Token: 35	1372	powershell.exe
Token: 36	1372	powershell.exe
Token: SeIncreaseQuotaPrivilege	3676	powershell.exe
Token: SeSecurityPrivilege	3676	powershell.exe
Token: SeTakeOwnershipPrivilege	3676	powershell.exe
Token: SeLoadDriverPrivilege	3676	powershell.exe
Token: SeSystemProfilePrivilege	3676	powershell.exe
Token: SeSystemtimePrivilege	3676	powershell.exe
Token: SeProfSingleProcessPrivilege	3676	powershell.exe
Token: SeIncBasePriorityPrivilege	3676	powershell.exe
Token: SeCreatePagefilePrivilege	3676	powershell.exe
Token: SeBackupPrivilege	3676	powershell.exe
Token: SeRestorePrivilege	3676	powershell.exe
Token: SeShutdownPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeSystemEnvironmentPrivilege	3676	powershell.exe
Token: SeRemoteShutdownPrivilege	3676	powershell.exe
Token: SeUndockPrivilege	3676	powershell.exe
Token: SeManageVolumePrivilege	3676	powershell.exe
Token: 33	3676	powershell.exe
Token: 34	3676	powershell.exe
Token: 35	3676	powershell.exe
Token: 36	3676	powershell.exe
Token: SeDebugPrivilege	1316	responseriets.exe
Token: SeDebugPrivilege	1248	responseriets.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1372	1400	Materien.exe	84
PID 1400 wrote to memory of 1372	1400	Materien.exe	84
PID 1400 wrote to memory of 1372	1400	Materien.exe	84
PID 1400 wrote to memory of 3676	1400	Materien.exe	86
PID 1400 wrote to memory of 3676	1400	Materien.exe	86
PID 1400 wrote to memory of 3676	1400	Materien.exe	86
PID 3676 wrote to memory of 1316	3676	powershell.exe	92
PID 3676 wrote to memory of 1316	3676	powershell.exe	92
PID 3676 wrote to memory of 1316	3676	powershell.exe	92
PID 1372 wrote to memory of 1248	1372	powershell.exe	93
PID 1372 wrote to memory of 1248	1372	powershell.exe	93
PID 1372 wrote to memory of 1248	1372	powershell.exe	93
PID 3676 wrote to memory of 1316	3676	powershell.exe	92
PID 1372 wrote to memory of 1248	1372	powershell.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe

C:\Users\Admin\AppData\Local\Temp\Materien.exe
"C:\Users\Admin\AppData\Local\Temp\Materien.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Totemistic=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Tillgspensionen.Ask';$Skomagermestrene=$Totemistic.SubString(54750,3);.$Skomagermestrene($Totemistic)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\responseriets.exe
    "C:\Users\Admin\AppData\Local\Temp\responseriets.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Totemistic=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Tillgspensionen.Ask';$Skomagermestrene=$Totemistic.SubString(54750,3);.$Skomagermestrene($Totemistic)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\responseriets.exe
    "C:\Users\Admin\AppData\Local\Temp\responseriets.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5c4d9413f56c30dfd546b7d0623f8dc9

SHA1
179b86ec8a371593a928d35db04da25104bd6ca4

SHA256
1f0b60c23cc18187d120c672dbd7d193fde9a4cda1848e237e68c1650176d967

SHA512
84a608e128b7b8720199e43b8dcb2e07f4f7cce6294dc531e208f0e1e54746ae5026c3745d7fc96718e3e4f41553a40d7b214b071291b6b3d3c3f0ef987138a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_831B21EC05D416A4ADB2370CD79ABCDD

Filesize
471B

MD5
30b8219664afbb8d78a27969e8755ca1

SHA1
31e8ce9f55ef615280b21beb3eb5fb2f823f41df

SHA256
91324c7e829db20de8d55d5a425c5ac46c5551023221d4e36e2b61218f30815a

SHA512
5eb0d0d99460e54f69581cf35c20841efdabe17255d12b03e9f460dff723e8f2980b166fa9b71b6042034aa6b6fd2d7a70536dd1176bb13fb5981bcae14d4f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_CFDBFDB29AA6A71EBDC3E04CD6E276F4

Filesize
472B

MD5
a1f013adb9ec5f40524a6635540e628f

SHA1
76ed661478849d5bbe5c847d1e05f81becdd67dd

SHA256
450676438e2163fea2e341a9756355502bc35acc46efc68264578dfa76b30ab2

SHA512
9426895082573c3f5cf12b20b27f1733c64e9fe69757394e49f7491509a0b397c5bdf07bd0ae6ac8821640c7759ebe17725a8f507eb878fff7750c3c0b557c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
c20da9f7f9ace75d42edc8d244eb5f17

SHA1
c8de97f2010d6577b0c518c354f5d294ca3b7c79

SHA256
32d85cf535c9f9e59a04bd9fd5d4e2469ea469d8471673213c7fc412e3b785be

SHA512
82d23ff2bea4b5f39025385a5b1fd8af95c74476ac14a7c9d6d9a99698616c640908795284c931326d3ccc8ab079915e0d80bbffc80ac9542eb732f856d1a9dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
2f483486ee0861cd8fe8d4f98de1af40

SHA1
521f66b1ffd240b8db4c52e58d2d4d1019d20690

SHA256
a28204e60c20a4271fa213b0bd71d36392a0519db631e82440d69c18e200a39c

SHA512
67241ca4d0ad0fec1859e466ebb8de5c7c202101918ac8114819bfe26a8ec5af9a5460753d25ba1f239a61c04e182843d58d7ab297bc0d461571608044b68277

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_831B21EC05D416A4ADB2370CD79ABCDD

Filesize
402B

MD5
0209cdd7da195d4a480aa27dc5ff465d

SHA1
e8ef75e5e9f08af2ca4be33c481ce883f41bb372

SHA256
a3606617a1b4d800360e511e8d74c669574340d9678c331c476a397fe115c741

SHA512
c103cc168149bf722919b44b97fdade235c86a5e51cf54a0c50998b56ac6c8e797ab9d2a72b5969d88fcc9b838a70b969fd53a1f47f52af3130dd42d153c989a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_CFDBFDB29AA6A71EBDC3E04CD6E276F4

Filesize
398B

MD5
5b14d0861de4fa7f514c630af51699a4

SHA1
04b751eb874edbcb2d2d544331a3da598511cbc1

SHA256
693f06223f4976203765dea1f10809fd0746cb1d54fec3285d02b53426a90509

SHA512
bfd0a3cd10b2d7467d69f1e6fec089a81ce27325f0d9deb55b3ffbfbaf43a787fb94ada7bbc7a6a3744ac9a66d1e7be856e674530ee92e175546ff951f1dbdb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5bz2a1q.m3i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\responseriets.exe

Filesize
752KB

MD5
da48313586a7ed35308c3d7b730be3a8

SHA1
3ccfbbce591a3f16cc620984d2be7929fd7c69a5

SHA256
802900953255394194cffac091a16c4edbee0cacb91ea43823ed2e36b5b4a3c4

SHA512
5fc0666e58ff30541c5205de42009ca9340308dd3c664b9b1e28ebaffdb7ee2ed24ad584b1de2157472ef2ce172dc84fee0521d6729c7e8af27573eeae49a186

Download Submit
C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Disputpkr.Obj

Filesize
314KB

MD5
b3a6ae1fbef18fc7ed2d6c9a2349441b

SHA1
db868dce61b49f96cec7b4dc9356bf8e86262bb1

SHA256
da736ce450c5e470f291b965f43994010adf164f5539d659be3737ec271d9197

SHA512
b9db47aa9de54e2e4abafab6adda04f46e0962f4ac34eb01a32674e9dc0f6c54d9db9b029215e7c9d9bfe729fdb5f96657482bbc19b52a263e76ac8a4446a7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Tillgspensionen.Ask

Filesize
53KB

MD5
1e72916a0e82da66cf7753db11b602a2

SHA1
322d0c1a058a5c4ba50f534137c45462dd8b989d

SHA256
8a7aca1e042680f82f1703da26587d5058e55cdc50a9da8bc7bd226d1a6748d4

SHA512
b32c7d41172e7df012277acb4f8662e1d5949db80d9a35a68433eaee8d740b46a0d3a068d6609140e86e846b0ac436e21e18ba7d85b17db3214cc7ef833af203

Download Submit
memory/1316-119-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1316-131-0x0000000021DC0000-0x0000000021F82000-memory.dmp

Filesize
1.8MB

Download
memory/1316-132-0x0000000021F90000-0x0000000022022000-memory.dmp

Filesize
584KB

Download
memory/1316-126-0x00000000217D0000-0x000000002186C000-memory.dmp

Filesize
624KB

Download
memory/1316-133-0x0000000022060000-0x000000002206A000-memory.dmp

Filesize
40KB

Download
memory/1316-130-0x0000000021D70000-0x0000000021DC0000-memory.dmp

Filesize
320KB

Download
memory/1316-123-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1316-125-0x0000000000470000-0x0000000000496000-memory.dmp

Filesize
152KB

Download
memory/1372-44-0x0000000007670000-0x00000000076A2000-memory.dmp

Filesize
200KB

Download
memory/1372-56-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/1372-57-0x0000000007650000-0x000000000766E000-memory.dmp

Filesize
120KB

Download
memory/1372-11-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/1372-70-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/1372-10-0x00000000054E0000-0x0000000005B08000-memory.dmp

Filesize
6.2MB

Download
memory/1372-15-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/1372-46-0x0000000070D80000-0x00000000710D4000-memory.dmp

Filesize
3.3MB

Download
memory/1372-21-0x0000000005C10000-0x0000000005F64000-memory.dmp

Filesize
3.3MB

Download
memory/1372-45-0x0000000070600000-0x000000007064C000-memory.dmp

Filesize
304KB

Download
memory/1372-6-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/1372-41-0x00000000077E0000-0x0000000007D84000-memory.dmp

Filesize
5.6MB

Download
memory/1372-36-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/1372-37-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/1372-38-0x00000000067A0000-0x0000000006836000-memory.dmp

Filesize
600KB

Download
memory/1372-40-0x0000000007200000-0x0000000007222000-memory.dmp

Filesize
136KB

Download
memory/1372-78-0x0000000008A90000-0x0000000009D78000-memory.dmp

Filesize
18.9MB

Download
memory/1372-39-0x0000000006740000-0x000000000675A000-memory.dmp

Filesize
104KB

Download
memory/1372-80-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/1372-90-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/1372-83-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/1372-84-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-72-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-85-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-91-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-82-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-81-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-43-0x0000000008900000-0x0000000008F7A000-memory.dmp

Filesize
6.5MB

Download
memory/3676-73-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-75-0x00000000083C0000-0x00000000083E4000-memory.dmp

Filesize
144KB

Download
memory/3676-74-0x0000000007C80000-0x0000000007CAA000-memory.dmp

Filesize
168KB

Download
memory/3676-35-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-14-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/3676-71-0x0000000007C40000-0x0000000007C4A000-memory.dmp

Filesize
40KB

Download
memory/3676-58-0x0000000070600000-0x000000007064C000-memory.dmp

Filesize
304KB

Download
memory/3676-12-0x00000000057C0000-0x00000000057E2000-memory.dmp

Filesize
136KB

Download
memory/3676-13-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/3676-69-0x0000000007B10000-0x0000000007BB3000-memory.dmp

Filesize
652KB

Download
memory/3676-9-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-59-0x0000000070D80000-0x00000000710D4000-memory.dmp

Filesize
3.3MB

Download
memory/3676-8-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3676-7-0x00000000030A0000-0x00000000030D6000-memory.dmp

Filesize
216KB

Download