agenttesla | bc58f1f37527b2256089b3fedbf5044ad396b267a762ca7e7f6fa7c81f76259b

Analysis

max time kernel
136s
max time network
140s
platform
windows10_x64
resource
win10v20201028
submitted
30-01-2021 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rtyuu.exe
Size

1.6MB
MD5

d30ff9ce946801b8590e2726b8154fea
SHA1

0ca3c4662dd05cee5aa1911940deebd598e10b83
SHA256

bc58f1f37527b2256089b3fedbf5044ad396b267a762ca7e7f6fa7c81f76259b
SHA512

7eb74a15da067728de3bec845930a3611e0e2be38ef927b896031e2f12b80c34cb1fc74b98f04af7d206a432e75ac48efc1200fbeaf7fea419bace6542e0c482

Score

10^/10

agenttesla hawkeye matiex keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
MARYolanmauluogwo@ever

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
MARYolanmauluogwo@ever

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
MARYolanmauluogwo@ever

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/412-21-0x0000000000400000-0x0000000000562000-memory.dmp	family_matiex
behavioral2/memory/412-22-0x000000000040104C-mapping.dmp	family_matiex
C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe	family_matiex
C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe	family_matiex

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/412-21-0x0000000000400000-0x0000000000562000-memory.dmp	family_agenttesla
behavioral2/memory/412-22-0x000000000040104C-mapping.dmp	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe	family_agenttesla

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/1456-9-0x0000000008CB0000-0x0000000008E3D000-memory.dmp	beds_protector

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/412-21-0x0000000000400000-0x0000000000562000-memory.dmp	MailPassView
behavioral2/memory/412-22-0x000000000040104C-mapping.dmp	MailPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	MailPassView
behavioral2/memory/1524-70-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1524-71-0x0000000000411654-mapping.dmp	MailPassView
behavioral2/memory/1524-74-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/412-21-0x0000000000400000-0x0000000000562000-memory.dmp	WebBrowserPassView
behavioral2/memory/412-22-0x000000000040104C-mapping.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	WebBrowserPassView
behavioral2/memory/2944-76-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2944-77-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral2/memory/2944-78-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/412-21-0x0000000000400000-0x0000000000562000-memory.dmp	Nirsoft
behavioral2/memory/412-22-0x000000000040104C-mapping.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	Nirsoft
behavioral2/memory/1524-70-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1524-71-0x0000000000411654-mapping.dmp	Nirsoft
behavioral2/memory/1524-74-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2944-76-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2944-77-0x0000000000442628-mapping.dmp	Nirsoft
behavioral2/memory/2944-78-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

hawkgoods.exeorigigoods40.exeMatiexgoods.exeorigigoods20.exe

pid process

3736 hawkgoods.exe
4044 origigoods40.exe
60 Matiexgoods.exe
416 origigoods20.exe

pid	process
3736	hawkgoods.exe
4044	origigoods40.exe
60	Matiexgoods.exe
416	origigoods20.exe

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
10 freegeoip.app
11 freegeoip.app
15 whatismyipaddress.com

flow	ioc
7	checkip.dyndns.org
10	freegeoip.app
11	freegeoip.app
15	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

rtyuu.exehawkgoods.exe

description	pid	process	target process
PID 1456 set thread context of 412	1456	rtyuu.exe	RegAsm.exe
PID 3736 set thread context of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 set thread context of 2944	3736	hawkgoods.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

rtyuu.exePowershell.exeorigigoods40.exeorigigoods20.exeMatiexgoods.exevbc.exehawkgoods.exe

pid	process
1456	rtyuu.exe
1456	rtyuu.exe
1456	rtyuu.exe
1456	rtyuu.exe
2272	Powershell.exe
2272	Powershell.exe
2272	Powershell.exe
4044	origigoods40.exe
4044	origigoods40.exe
416	origigoods20.exe
416	origigoods20.exe
60	Matiexgoods.exe
2944	vbc.exe
2944	vbc.exe
3736	hawkgoods.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Matiexgoods.exe

pid process

60 Matiexgoods.exe
Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

origigoods20.exeorigigoods40.exe

pid process

416 origigoods20.exe
4044 origigoods40.exe

pid	process
60	Matiexgoods.exe

pid	process
416	origigoods20.exe
4044	origigoods40.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

rtyuu.exePowershell.exeorigigoods40.exeorigigoods20.exeMatiexgoods.exehawkgoods.exe

description	pid	process
Token: SeDebugPrivilege	1456	rtyuu.exe
Token: SeDebugPrivilege	2272	Powershell.exe
Token: SeDebugPrivilege	4044	origigoods40.exe
Token: SeDebugPrivilege	416	origigoods20.exe
Token: SeDebugPrivilege	60	Matiexgoods.exe
Token: SeDebugPrivilege	3736	hawkgoods.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

RegAsm.exeMatiexgoods.exehawkgoods.exeorigigoods40.exeorigigoods20.exe

pid process

412 RegAsm.exe
60 Matiexgoods.exe
3736 hawkgoods.exe
4044 origigoods40.exe
416 origigoods20.exe

pid	process
412	RegAsm.exe
60	Matiexgoods.exe
3736	hawkgoods.exe
4044	origigoods40.exe
416	origigoods20.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rtyuu.exeRegAsm.exeMatiexgoods.exehawkgoods.exe

description	pid	process	target process
PID 1456 wrote to memory of 2272	1456	rtyuu.exe	Powershell.exe
PID 1456 wrote to memory of 2272	1456	rtyuu.exe	Powershell.exe
PID 1456 wrote to memory of 2272	1456	rtyuu.exe	Powershell.exe
PID 1456 wrote to memory of 688	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 688	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 688	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 3996	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 3996	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 3996	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 412	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 412	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 412	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 412	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 412	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 412	1456	rtyuu.exe	RegAsm.exe
PID 1456 wrote to memory of 412	1456	rtyuu.exe	RegAsm.exe
PID 412 wrote to memory of 3736	412	RegAsm.exe	hawkgoods.exe
PID 412 wrote to memory of 3736	412	RegAsm.exe	hawkgoods.exe
PID 412 wrote to memory of 3736	412	RegAsm.exe	hawkgoods.exe
PID 412 wrote to memory of 4044	412	RegAsm.exe	origigoods40.exe
PID 412 wrote to memory of 4044	412	RegAsm.exe	origigoods40.exe
PID 412 wrote to memory of 4044	412	RegAsm.exe	origigoods40.exe
PID 412 wrote to memory of 60	412	RegAsm.exe	Matiexgoods.exe
PID 412 wrote to memory of 60	412	RegAsm.exe	Matiexgoods.exe
PID 412 wrote to memory of 60	412	RegAsm.exe	Matiexgoods.exe
PID 412 wrote to memory of 416	412	RegAsm.exe	origigoods20.exe
PID 412 wrote to memory of 416	412	RegAsm.exe	origigoods20.exe
PID 412 wrote to memory of 416	412	RegAsm.exe	origigoods20.exe
PID 60 wrote to memory of 632	60	Matiexgoods.exe	netsh.exe
PID 60 wrote to memory of 632	60	Matiexgoods.exe	netsh.exe
PID 60 wrote to memory of 632	60	Matiexgoods.exe	netsh.exe
PID 3736 wrote to memory of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 1524	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 2944	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 2944	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 2944	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 2944	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 2944	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 2944	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 2944	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 2944	3736	hawkgoods.exe	vbc.exe
PID 3736 wrote to memory of 2944	3736	hawkgoods.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\rtyuu.exe
"C:\Users\Admin\AppData\Local\Temp\rtyuu.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\rtyuu.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
"C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe" 0
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
"C:\Users\Admin\AppData\Local\Temp\origigoods40.exe" 0
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
"C:\Users\Admin\AppData\Local\Temp\origigoods20.exe" 0
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:416

C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
"C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe" 0
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
4⤵
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
MD5
80c61b903400b534858d047dd0919f0e

SHA1
d0ab5400b74392308140642c75f0897e16a88d60

SHA256
25ade9899c000a27570b527cffc938ec9626978219ec8a086082b113cbe4f492

SHA512
b3216f0e4e95c7f50bccba5fdcca2ad622a42379383be855546fa1e0bac41a6beea8226f8634ad5e0d8596169e0443494018bbe70b7052f094402aecaa038bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
MD5
80c61b903400b534858d047dd0919f0e

SHA1
d0ab5400b74392308140642c75f0897e16a88d60

SHA256
25ade9899c000a27570b527cffc938ec9626978219ec8a086082b113cbe4f492

SHA512
b3216f0e4e95c7f50bccba5fdcca2ad622a42379383be855546fa1e0bac41a6beea8226f8634ad5e0d8596169e0443494018bbe70b7052f094402aecaa038bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
MD5
ffdb58533d5d1362e896e96fb6f02a95

SHA1
d6e4a3ca253bfc372a9a3180b5887c716ed285c6

SHA256
b3d02fd5c69293db419ac03cdf6396bd5e7765682fb3b2390454d9a52ba2ca88

SHA512
3ae6e49d3d728531201453a0bc27436b1a4305c8ef938b2cbb5e34ee45bb9a9a88cf2a41b08e4914fda9a96bbaa48bd999a2d2f1dffcd39761bb1f3620ca725f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
MD5
ffdb58533d5d1362e896e96fb6f02a95

SHA1
d6e4a3ca253bfc372a9a3180b5887c716ed285c6

SHA256
b3d02fd5c69293db419ac03cdf6396bd5e7765682fb3b2390454d9a52ba2ca88

SHA512
3ae6e49d3d728531201453a0bc27436b1a4305c8ef938b2cbb5e34ee45bb9a9a88cf2a41b08e4914fda9a96bbaa48bd999a2d2f1dffcd39761bb1f3620ca725f

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
MD5
61dc57c6575e1f3f2ae14c1b332ad2fb

SHA1
f52f34623048e5fd720e97a72eedfd32358cd3a9

SHA256
1c7757ee223f2480fbc478ae2ecaf82e1d3c17f2e4d47581d3972416166c54ab

SHA512
81a7db927f53660d3a04a161d5c18aab17d676bcc7ae0738ab786d9bee82b91016e54e6f70428aec4087961744be89b1511f9e07d8dabbe5c2a9d836722395a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
MD5
61dc57c6575e1f3f2ae14c1b332ad2fb

SHA1
f52f34623048e5fd720e97a72eedfd32358cd3a9

SHA256
1c7757ee223f2480fbc478ae2ecaf82e1d3c17f2e4d47581d3972416166c54ab

SHA512
81a7db927f53660d3a04a161d5c18aab17d676bcc7ae0738ab786d9bee82b91016e54e6f70428aec4087961744be89b1511f9e07d8dabbe5c2a9d836722395a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
MD5
ae36f0d16230b9f41ffecbd3c5b1d660

SHA1
88afc2923d1eefb70bad3c0cd9304949954377ef

SHA256
cfad1e486666ff3fb042ba0e9967634de1065f1bbd505c61b3295e55705a2a50

SHA512
1e98aee7dc693822113dcde1446a5bed1c564b76eef39f39f3a5d98d7d2099cf69ac92717a3297afc7082203929f1e9437f21cb6bc690974a0ef6d6cf6e4393c

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
MD5
ae36f0d16230b9f41ffecbd3c5b1d660

SHA1
88afc2923d1eefb70bad3c0cd9304949954377ef

SHA256
cfad1e486666ff3fb042ba0e9967634de1065f1bbd505c61b3295e55705a2a50

SHA512
1e98aee7dc693822113dcde1446a5bed1c564b76eef39f39f3a5d98d7d2099cf69ac92717a3297afc7082203929f1e9437f21cb6bc690974a0ef6d6cf6e4393c

Download Submit
memory/60-47-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/60-39-0x0000000000000000-mapping.dmp

Download
memory/60-59-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/60-44-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/60-68-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/60-69-0x0000000004D13000-0x0000000004D15000-memory.dmp

Filesize
8KB

Download
memory/412-21-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/412-22-0x000000000040104C-mapping.dmp

Download
memory/416-41-0x0000000000000000-mapping.dmp

Download
memory/416-75-0x0000000000F31000-0x0000000000F32000-memory.dmp

Filesize
4KB

Download
memory/416-52-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/416-83-0x0000000000F32000-0x0000000000F33000-memory.dmp

Filesize
4KB

Download
memory/632-66-0x0000000000000000-mapping.dmp

Download
memory/1456-6-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/1456-10-0x0000000008E40000-0x0000000008E41000-memory.dmp

Filesize
4KB

Download
memory/1456-12-0x00000000092A0000-0x00000000092A1000-memory.dmp

Filesize
4KB

Download
memory/1456-3-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1456-18-0x00000000091D0000-0x00000000091DF000-memory.dmp

Filesize
60KB

Download
memory/1456-14-0x0000000005773000-0x0000000005775000-memory.dmp

Filesize
8KB

Download
memory/1456-11-0x00000000091E0000-0x00000000091E1000-memory.dmp

Filesize
4KB

Download
memory/1456-5-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/1456-9-0x0000000008CB0000-0x0000000008E3D000-memory.dmp

Filesize
1.6MB

Download
memory/1456-2-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1456-8-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/1456-7-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/1524-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-71-0x0000000000411654-mapping.dmp

Download
memory/2272-19-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/2272-17-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/2272-40-0x0000000008660000-0x0000000008661000-memory.dmp

Filesize
4KB

Download
memory/2272-13-0x0000000000000000-mapping.dmp

Download
memory/2272-15-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-16-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2272-20-0x0000000007082000-0x0000000007083000-memory.dmp

Filesize
4KB

Download
memory/2272-23-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/2272-31-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/2272-60-0x0000000009380000-0x0000000009381000-memory.dmp

Filesize
4KB

Download
memory/2272-61-0x00000000092A0000-0x00000000092A1000-memory.dmp

Filesize
4KB

Download
memory/2272-62-0x0000000009310000-0x0000000009311000-memory.dmp

Filesize
4KB

Download
memory/2272-30-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/2272-67-0x0000000007083000-0x0000000007084000-memory.dmp

Filesize
4KB

Download
memory/2272-25-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/2272-24-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/2944-76-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2944-77-0x0000000000442628-mapping.dmp

Download
memory/2944-78-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3736-32-0x0000000000000000-mapping.dmp

Download
memory/3736-49-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/3736-80-0x0000000003261000-0x0000000003262000-memory.dmp

Filesize
4KB

Download
memory/4044-58-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/4044-72-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4044-38-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4044-35-0x0000000000000000-mapping.dmp

Download
memory/4044-48-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download