snakekeylogger | 512c9cc2ff12a390c6d3e9cb8c333230116361297920d724fbd847d4b6e1c7cc

Analysis

max time kernel
195s
max time network
294s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCS AWB and Commercial Invoice.exe
Size

612KB
MD5

90d3693237ab538a39b44e399e96b668
SHA1

d8a59dc7a9d4d8c6f4f0c9a86219746b00a3bbd7
SHA256

777f42b7f48939008d57d46ff443a292669fbfdbba5c566090448b49fd5a79a3
SHA512

0d158bd0b2bdebf3ebc5601edad03af8bc6f87a77f222a4db13cd4cbe817537ff33d8f02c2e973bd3c44d6dfd42f6c1ab9d16b80cf124cfae745ce08d19b7ad8
SSDEEP

12288:Uvd17c3wecl9Z2Cjex7uQN2oQ1eSTu6/V9mdol:gb7c3weEGn2oqqWV9mdg

Score

10^/10

snakekeylogger xworm collection discovery execution keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TZcnTcBHbLCXf1ef

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.haselayakkabi.com.tr
Port:
25
Username:
[email protected]
Password:
Ydj5DCO%
Email To:
[email protected]

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2592-29-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2592-28-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2592-25-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2592-23-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2592-31-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016c36-43.dat	family_snakekeylogger
behavioral1/memory/372-47-0x000000013F700000-0x000000013F724000-memory.dmp	family_snakekeylogger
behavioral1/memory/2832-72-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger
behavioral1/memory/2832-78-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3000	powershell.exe
2980	powershell.exe
2120	powershell.exe
1428	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
1188	xrsgin.exe
372	tgvjsn.exe
2832	xrsgin.exe

Loads dropped DLL 3 IoCs

pid	Process
2592	SCS AWB and Commercial Invoice.exe
2592	SCS AWB and Commercial Invoice.exe
1188	xrsgin.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	tgvjsn.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	tgvjsn.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	tgvjsn.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xrsgin.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xrsgin.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xrsgin.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	checkip.dyndns.org
10	reallyfreegeoip.org
11	reallyfreegeoip.org
25	reallyfreegeoip.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 1188 set thread context of 2832	1188	xrsgin.exe	48

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCS AWB and Commercial Invoice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCS AWB and Commercial Invoice.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2920	schtasks.exe
1012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2324	SCS AWB and Commercial Invoice.exe
2980	powershell.exe
3000	powershell.exe
372	tgvjsn.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
372	tgvjsn.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1188	xrsgin.exe
1428	powershell.exe
2120	powershell.exe
2832	xrsgin.exe
2832	xrsgin.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	SCS AWB and Commercial Invoice.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2592	SCS AWB and Commercial Invoice.exe
Token: SeDebugPrivilege	372	tgvjsn.exe
Token: SeDebugPrivilege	1188	xrsgin.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2832	xrsgin.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3000	2324	SCS AWB and Commercial Invoice.exe	31
PID 2324 wrote to memory of 3000	2324	SCS AWB and Commercial Invoice.exe	31
PID 2324 wrote to memory of 3000	2324	SCS AWB and Commercial Invoice.exe	31
PID 2324 wrote to memory of 3000	2324	SCS AWB and Commercial Invoice.exe	31
PID 2324 wrote to memory of 2980	2324	SCS AWB and Commercial Invoice.exe	33
PID 2324 wrote to memory of 2980	2324	SCS AWB and Commercial Invoice.exe	33
PID 2324 wrote to memory of 2980	2324	SCS AWB and Commercial Invoice.exe	33
PID 2324 wrote to memory of 2980	2324	SCS AWB and Commercial Invoice.exe	33
PID 2324 wrote to memory of 2920	2324	SCS AWB and Commercial Invoice.exe	34
PID 2324 wrote to memory of 2920	2324	SCS AWB and Commercial Invoice.exe	34
PID 2324 wrote to memory of 2920	2324	SCS AWB and Commercial Invoice.exe	34
PID 2324 wrote to memory of 2920	2324	SCS AWB and Commercial Invoice.exe	34
PID 2324 wrote to memory of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 2324 wrote to memory of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 2324 wrote to memory of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 2324 wrote to memory of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 2324 wrote to memory of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 2324 wrote to memory of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 2324 wrote to memory of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 2324 wrote to memory of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 2324 wrote to memory of 2592	2324	SCS AWB and Commercial Invoice.exe	37
PID 2592 wrote to memory of 1188	2592	SCS AWB and Commercial Invoice.exe	39
PID 2592 wrote to memory of 1188	2592	SCS AWB and Commercial Invoice.exe	39
PID 2592 wrote to memory of 1188	2592	SCS AWB and Commercial Invoice.exe	39
PID 2592 wrote to memory of 1188	2592	SCS AWB and Commercial Invoice.exe	39
PID 2592 wrote to memory of 372	2592	SCS AWB and Commercial Invoice.exe	40
PID 2592 wrote to memory of 372	2592	SCS AWB and Commercial Invoice.exe	40
PID 2592 wrote to memory of 372	2592	SCS AWB and Commercial Invoice.exe	40
PID 2592 wrote to memory of 372	2592	SCS AWB and Commercial Invoice.exe	40
PID 1188 wrote to memory of 2120	1188	xrsgin.exe	42
PID 1188 wrote to memory of 2120	1188	xrsgin.exe	42
PID 1188 wrote to memory of 2120	1188	xrsgin.exe	42
PID 1188 wrote to memory of 1428	1188	xrsgin.exe	44
PID 1188 wrote to memory of 1428	1188	xrsgin.exe	44
PID 1188 wrote to memory of 1428	1188	xrsgin.exe	44
PID 1188 wrote to memory of 1012	1188	xrsgin.exe	46
PID 1188 wrote to memory of 1012	1188	xrsgin.exe	46
PID 1188 wrote to memory of 1012	1188	xrsgin.exe	46
PID 1188 wrote to memory of 2832	1188	xrsgin.exe	48
PID 1188 wrote to memory of 2832	1188	xrsgin.exe	48
PID 1188 wrote to memory of 2832	1188	xrsgin.exe	48
PID 1188 wrote to memory of 2832	1188	xrsgin.exe	48
PID 1188 wrote to memory of 2832	1188	xrsgin.exe	48
PID 1188 wrote to memory of 2832	1188	xrsgin.exe	48
PID 1188 wrote to memory of 2832	1188	xrsgin.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xrsgin.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xrsgin.exe

C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HOYVjVj.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOYVjVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8843.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\SCS AWB and Commercial Invoice.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\xrsgin.exe
    "C:\Users\Admin\AppData\Local\Temp\xrsgin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\xrsgin.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ungagCKiEnZdl.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1428
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ungagCKiEnZdl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D7.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\xrsgin.exe
      C:\Users\Admin\AppData\Local\Temp\xrsgin.exe
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2832
- - C:\Users\Admin\AppData\Local\Temp\tgvjsn.exe
    "C:\Users\Admin\AppData\Local\Temp\tgvjsn.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8843.tmp

Filesize
1KB

MD5
a63cb1a2ff5616f24e2f26ec81578e4b

SHA1
3bc4762c83ae1983805be1c98e90ec89d2f3b071

SHA256
5c262b490d645e395b1f88c9bc9f0121525b180dd8d4bd7a98f89d80d24cfe5a

SHA512
48437e3d838ca1155565d0bd713f8faf8629ae07856b95c8d0a0afe5e07310256d3cfc00121e5ae6c805c25dffd462ac4ea91fd2518d5f3a8026f61084a2709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D7.tmp

Filesize
1KB

MD5
a8d92b26755c074792030d3b6a28277f

SHA1
3e7fea8be36a46563b0af0723fd3c509d604694e

SHA256
772a7aacd756460a289a7af37982020c5b25498a2754120a155a651ce1dff736

SHA512
5a6e25aa89e6c3086aa06645a94d3ba7fb1bc23f58620c3b2bcf0f994018b6850d363fa5fb6e64a6cee060b9cc248e159291d14e4e763e240f0b0888a947fb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrsgin.exe

Filesize
749KB

MD5
95778b5e445f34c619d287b89dded497

SHA1
e000e426e27c49eacaf01574ab275edbb9c7821b

SHA256
055685f3b4d56822d4b85563b67db68d0f6e5e6a2d8e3f2f5ccb5348a526f7fb

SHA512
33bfe93fde659ac89968c9775148fdd0265ffb63e897f44f744c7dfb98423cbbac68a69814626c31fef6afc556e0be4cd56be337ee775dc7b5d120ce7c690b21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b995a6ad527671853947da9cfa44b6aa

SHA1
c3652b96df52425745fa9da8b620904d90fb75d1

SHA256
0ff6ca45f5a60d21807f5917b596fe1d3bd2fc18a4ff4928edc0a8cda2ca0e40

SHA512
971b4c4e5eb05f9ae30073e53fe9c7f90dfe517c538805e4c03173510649bd510fb51f20a5db2fee86ad6ce6c10bcfbac6d6c2494769e651ba5f6f442895b46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2d759d7025416f18a8005b53c993cbe8

SHA1
078fb87d233df15c81fafeb647852383023a14ea

SHA256
0a24404cf9659fcfc5a562cc7ae6e5a8be32c8f043fa613ff11dea41e3c2bf93

SHA512
133a33ac60731408cd010b40bf9db87040572ce76b1f1b553618905c83eff7b2878bd38b993f34f7d13b0baa4e34c8583826a0d32a706a6218f0578b88b7bfd9

Download Submit
\Users\Admin\AppData\Local\Temp\tgvjsn.exe

Filesize
125KB

MD5
2c7947deaf97810d71cc5ad07871ff30

SHA1
c9922d761a88491493d3b386ecb495efe151e074

SHA256
d03238cdd5d39c714ae852c35fc27b813093ae6323e20521f3032023b128988c

SHA512
4f3fc590b72f6f3bfb3d96c3b3bb1536b9796463ab8095a5086fff71ff98fb080d726eae7334414acc65d3ab7fe6d3e0669a2c66cfd94200b10d7ea1ab6b8616

Download Submit
memory/372-47-0x000000013F700000-0x000000013F724000-memory.dmp

Filesize
144KB

Download
memory/1188-49-0x000000001BFF0000-0x000000001C058000-memory.dmp

Filesize
416KB

Download
memory/1188-39-0x000000013FC60000-0x000000013FD20000-memory.dmp

Filesize
768KB

Download
memory/1188-48-0x0000000002270000-0x0000000002284000-memory.dmp

Filesize
80KB

Download
memory/1188-40-0x00000000020B0000-0x00000000020D6000-memory.dmp

Filesize
152KB

Download
memory/2120-66-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2120-65-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2324-1-0x0000000000E10000-0x0000000000EB0000-memory.dmp

Filesize
640KB

Download
memory/2324-4-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2324-2-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2324-32-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2324-6-0x0000000000560000-0x00000000005B4000-memory.dmp

Filesize
336KB

Download
memory/2324-3-0x0000000000600000-0x000000000061E000-memory.dmp

Filesize
120KB

Download
memory/2324-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2324-5-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2592-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2592-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2592-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2592-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2592-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2592-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2832-72-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/2832-70-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/2832-68-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/2832-74-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2832-78-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download