snakekeylogger | 777f42b7f48939008d57d46ff443a292669fbfdbba5c566090448b49fd5a79a3

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCS AWB and Commercial Invoice.exe
Size

612KB
MD5

90d3693237ab538a39b44e399e96b668
SHA1

d8a59dc7a9d4d8c6f4f0c9a86219746b00a3bbd7
SHA256

777f42b7f48939008d57d46ff443a292669fbfdbba5c566090448b49fd5a79a3
SHA512

0d158bd0b2bdebf3ebc5601edad03af8bc6f87a77f222a4db13cd4cbe817537ff33d8f02c2e973bd3c44d6dfd42f6c1ab9d16b80cf124cfae745ce08d19b7ad8
SSDEEP

12288:Uvd17c3wecl9Z2Cjex7uQN2oQ1eSTu6/V9mdol:gb7c3weEGn2oqqWV9mdg

Score

10^/10

snakekeylogger xworm collection discovery execution keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TZcnTcBHbLCXf1ef

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.haselayakkabi.com.tr
Port:
25
Username:
[email protected]
Password:
Ydj5DCO%
Email To:
[email protected]

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/1932-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/1932-30-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/1932-29-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/1932-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/1932-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015f71-34.dat	family_snakekeylogger
behavioral1/memory/3024-38-0x000000013F990000-0x000000013F9B4000-memory.dmp	family_snakekeylogger
behavioral1/memory/2096-70-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger
behavioral1/memory/2096-76-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe
2932	powershell.exe
1548	powershell.exe
1920	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
3024	exyqho.exe
588	pohiqv.exe
2096	pohiqv.exe

Loads dropped DLL 3 IoCs

pid	Process
1932	SCS AWB and Commercial Invoice.exe
1932	SCS AWB and Commercial Invoice.exe
588	pohiqv.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exyqho.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exyqho.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exyqho.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	checkip.dyndns.org
14	reallyfreegeoip.org
15	reallyfreegeoip.org
26	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 588 set thread context of 2096	588	pohiqv.exe	48

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCS AWB and Commercial Invoice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCS AWB and Commercial Invoice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2940	schtasks.exe
2324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
1804	SCS AWB and Commercial Invoice.exe
2316	powershell.exe
2932	powershell.exe
3024	exyqho.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
3024	exyqho.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
588	pohiqv.exe
1548	powershell.exe
1920	powershell.exe
588	pohiqv.exe
2096	pohiqv.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	SCS AWB and Commercial Invoice.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1932	SCS AWB and Commercial Invoice.exe
Token: SeDebugPrivilege	3024	exyqho.exe
Token: SeDebugPrivilege	588	pohiqv.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2096	pohiqv.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2316	1804	SCS AWB and Commercial Invoice.exe	31
PID 1804 wrote to memory of 2316	1804	SCS AWB and Commercial Invoice.exe	31
PID 1804 wrote to memory of 2316	1804	SCS AWB and Commercial Invoice.exe	31
PID 1804 wrote to memory of 2316	1804	SCS AWB and Commercial Invoice.exe	31
PID 1804 wrote to memory of 2932	1804	SCS AWB and Commercial Invoice.exe	33
PID 1804 wrote to memory of 2932	1804	SCS AWB and Commercial Invoice.exe	33
PID 1804 wrote to memory of 2932	1804	SCS AWB and Commercial Invoice.exe	33
PID 1804 wrote to memory of 2932	1804	SCS AWB and Commercial Invoice.exe	33
PID 1804 wrote to memory of 2940	1804	SCS AWB and Commercial Invoice.exe	34
PID 1804 wrote to memory of 2940	1804	SCS AWB and Commercial Invoice.exe	34
PID 1804 wrote to memory of 2940	1804	SCS AWB and Commercial Invoice.exe	34
PID 1804 wrote to memory of 2940	1804	SCS AWB and Commercial Invoice.exe	34
PID 1804 wrote to memory of 2060	1804	SCS AWB and Commercial Invoice.exe	37
PID 1804 wrote to memory of 2060	1804	SCS AWB and Commercial Invoice.exe	37
PID 1804 wrote to memory of 2060	1804	SCS AWB and Commercial Invoice.exe	37
PID 1804 wrote to memory of 2060	1804	SCS AWB and Commercial Invoice.exe	37
PID 1804 wrote to memory of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 1804 wrote to memory of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 1804 wrote to memory of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 1804 wrote to memory of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 1804 wrote to memory of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 1804 wrote to memory of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 1804 wrote to memory of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 1804 wrote to memory of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 1804 wrote to memory of 1932	1804	SCS AWB and Commercial Invoice.exe	38
PID 1932 wrote to memory of 3024	1932	SCS AWB and Commercial Invoice.exe	40
PID 1932 wrote to memory of 3024	1932	SCS AWB and Commercial Invoice.exe	40
PID 1932 wrote to memory of 3024	1932	SCS AWB and Commercial Invoice.exe	40
PID 1932 wrote to memory of 3024	1932	SCS AWB and Commercial Invoice.exe	40
PID 1932 wrote to memory of 588	1932	SCS AWB and Commercial Invoice.exe	41
PID 1932 wrote to memory of 588	1932	SCS AWB and Commercial Invoice.exe	41
PID 1932 wrote to memory of 588	1932	SCS AWB and Commercial Invoice.exe	41
PID 1932 wrote to memory of 588	1932	SCS AWB and Commercial Invoice.exe	41
PID 588 wrote to memory of 1548	588	pohiqv.exe	42
PID 588 wrote to memory of 1548	588	pohiqv.exe	42
PID 588 wrote to memory of 1548	588	pohiqv.exe	42
PID 588 wrote to memory of 1920	588	pohiqv.exe	44
PID 588 wrote to memory of 1920	588	pohiqv.exe	44
PID 588 wrote to memory of 1920	588	pohiqv.exe	44
PID 588 wrote to memory of 2324	588	pohiqv.exe	46
PID 588 wrote to memory of 2324	588	pohiqv.exe	46
PID 588 wrote to memory of 2324	588	pohiqv.exe	46
PID 588 wrote to memory of 2096	588	pohiqv.exe	48
PID 588 wrote to memory of 2096	588	pohiqv.exe	48
PID 588 wrote to memory of 2096	588	pohiqv.exe	48
PID 588 wrote to memory of 2096	588	pohiqv.exe	48
PID 588 wrote to memory of 2096	588	pohiqv.exe	48
PID 588 wrote to memory of 2096	588	pohiqv.exe	48
PID 588 wrote to memory of 2096	588	pohiqv.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exyqho.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exyqho.exe

C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HOYVjVj.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe"
  2⤵
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\exyqho.exe
    "C:\Users\Admin\AppData\Local\Temp\exyqho.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3024
- - C:\Users\Admin\AppData\Local\Temp\pohiqv.exe
    "C:\Users\Admin\AppData\Local\Temp\pohiqv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\pohiqv.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ungagCKiEnZdl.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1920
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDBCE.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\pohiqv.exe
      C:\Users\Admin\AppData\Local\Temp\pohiqv.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp

Filesize
1KB

MD5
2adfe12d9e61a217eb68e86c55593eaf

SHA1
f8537fbafc0da135ac02daa6e39115927fca45dc

SHA256
6c5b5392cae754aa3f04c262273ef8d87f5e4fd8e549eed0fac15accbe33d107

SHA512
a45da89342aa888ab4120d215f8b165d8a14b50a794285170b71810c7f8b3a31c7e8820c7375a86575d18050229587758351c66e682ca8b90041ed366c8465dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBCE.tmp

Filesize
1KB

MD5
6be288dd3c0dddf3bf8f2678cb523af4

SHA1
7ef3a7d9b2467575a9c71540919004e9a48c4a49

SHA256
d0b10de676fead19efde25ecfb504a3e6d0ae2ef267986cbcdeefa8b8f32c4e0

SHA512
cb7b1b37e96defb2ab5e3daae77a65471dddc831d0f856361dde7023bb74e0b56ea988491fafcfe8371f0c21776a84f51b14443514b26b9ce88a10293a6fb21c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e59ca9c768ec053527093882e49a3054

SHA1
ccc939b7f55f9d49dcc3f6d332082bbe5ea03196

SHA256
d2f839a079e617ef93d072e3ccf481cfa272e65943b118d3259bcfd475e08fc5

SHA512
7cd15fbf5c23172fc9a9997dfd8ae2c2190a787d3b90291d21e23932be23047fc89bd3bd0eb4dc36ccb4fe142242a2dab504f1fb6a2f2295901561d7ea8b2b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\61OD8DG1IY61ZH7FXNEF.temp

Filesize
7KB

MD5
71df512c3552c0b52349306d5986fa7c

SHA1
b090149089a8001e531d064b242682770483a704

SHA256
a9d365a6c8e3c3efa68916b6648254f581fec52247de8b83200314b9cbe892c6

SHA512
24da8af379b0999ea0d9b48305051d8032709ae0167ff9d645604be5112fedbc06964f73334bb94ee093ef4ba6803f92b37d0b6b28807f3fe224bba19a33ded9

Download Submit
\Users\Admin\AppData\Local\Temp\exyqho.exe

Filesize
125KB

MD5
2c7947deaf97810d71cc5ad07871ff30

SHA1
c9922d761a88491493d3b386ecb495efe151e074

SHA256
d03238cdd5d39c714ae852c35fc27b813093ae6323e20521f3032023b128988c

SHA512
4f3fc590b72f6f3bfb3d96c3b3bb1536b9796463ab8095a5086fff71ff98fb080d726eae7334414acc65d3ab7fe6d3e0669a2c66cfd94200b10d7ea1ab6b8616

Download Submit
\Users\Admin\AppData\Local\Temp\pohiqv.exe

Filesize
749KB

MD5
95778b5e445f34c619d287b89dded497

SHA1
e000e426e27c49eacaf01574ab275edbb9c7821b

SHA256
055685f3b4d56822d4b85563b67db68d0f6e5e6a2d8e3f2f5ccb5348a526f7fb

SHA512
33bfe93fde659ac89968c9775148fdd0265ffb63e897f44f744c7dfb98423cbbac68a69814626c31fef6afc556e0be4cd56be337ee775dc7b5d120ce7c690b21

Download Submit
memory/588-48-0x000000001B4D0000-0x000000001B538000-memory.dmp

Filesize
416KB

Download
memory/588-47-0x0000000000900000-0x0000000000914000-memory.dmp

Filesize
80KB

Download
memory/588-45-0x000000013F4F0000-0x000000013F5B0000-memory.dmp

Filesize
768KB

Download
memory/588-46-0x0000000000960000-0x0000000000986000-memory.dmp

Filesize
152KB

Download
memory/1548-62-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1548-64-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1804-1-0x0000000000CD0000-0x0000000000D70000-memory.dmp

Filesize
640KB

Download
memory/1804-2-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1804-6-0x0000000000A20000-0x0000000000A74000-memory.dmp

Filesize
336KB

Download
memory/1804-0-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/1804-3-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/1804-31-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1804-4-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/1804-5-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1932-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2096-72-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/2096-70-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/2096-76-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/2096-68-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/2096-66-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/3024-38-0x000000013F990000-0x000000013F9B4000-memory.dmp

Filesize
144KB

Download