agenttesla | 4a41e0418949914320454262970d1c878a37b2c01b48a7e92047f536771bf6f9

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2023 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref-231017AF-Payment-Details.js
Size

7KB
MD5

e811c4c9c880e3fae8bfb0cd7be6a4f6
SHA1

b329fe66df345f51d229f5b76069a1f1263a1c2b
SHA256

4a41e0418949914320454262970d1c878a37b2c01b48a7e92047f536771bf6f9
SHA512

64ddaa45cddf959f07dac85ac412e169964f70150c02b32c1ff941791b2ce609a3d824d371b37e05bf7e7ec21b2658b7d462a9d9bfaa5a694c673aeefd335108
SSDEEP

48:6IDkWkpUJeT2nfw9LOABJCvs2LNL75q+tCqB5q04CXSR:8wm0JciBc0lo

Score

10^/10

agenttesla wshrat keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.martur.cl
Port:
21
Username:
[email protected]
Password:
(57reRWWw5dj

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.martur.cl
Port:
21
Username:
[email protected]
Password:
(57reRWWw5dj

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022618-10.dat	family_wshrat
behavioral2/files/0x0006000000023277-11.dat	family_wshrat

Blocklisted process makes network request 31 IoCs

flow	pid	Process
6	2216	wscript.exe
8	2216	wscript.exe
10	2216	wscript.exe
24	1216	WScript.exe
26	1216	WScript.exe
31	1216	WScript.exe
36	1216	WScript.exe
47	1216	WScript.exe
54	1216	WScript.exe
68	1216	WScript.exe
69	1216	WScript.exe
70	1216	WScript.exe
71	1216	WScript.exe
72	1216	WScript.exe
73	1216	WScript.exe
74	1216	WScript.exe
75	1216	WScript.exe
76	1216	WScript.exe
77	1216	WScript.exe
78	1216	WScript.exe
79	1216	WScript.exe
80	1216	WScript.exe
81	1216	WScript.exe
82	1216	WScript.exe
83	1216	WScript.exe
84	1216	WScript.exe
85	1216	WScript.exe
90	1216	WScript.exe
92	1216	WScript.exe
94	1216	WScript.exe
95	1216	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAKFZC.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAKFZC.js	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2472	vOb.exe
2768	vOb.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAKFZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NAKFZC.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAKFZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NAKFZC.js\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 2768	2472	vOb.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	WScript.exe

Script User-Agent 27 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	81	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	31	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	73	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	74	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	75	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	83	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	84	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	95	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	54	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	69	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	94	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	36	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	47	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	68	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	71	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	77	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	79	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	82	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	92	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	26	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	72	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	85	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	70	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	76	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	78	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	80	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	90	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/10/2023\|JavaScript-v2.0\|NL:Netherlands

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3368	Powershell.exe
2768	vOb.exe
2768	vOb.exe
3368	Powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	Powershell.exe
Token: SeDebugPrivilege	2768	vOb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	vOb.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1216	2216	wscript.exe	84
PID 2216 wrote to memory of 1216	2216	wscript.exe	84
PID 1216 wrote to memory of 220	1216	WScript.exe	85
PID 1216 wrote to memory of 220	1216	WScript.exe	85
PID 220 wrote to memory of 2472	220	WScript.exe	87
PID 220 wrote to memory of 2472	220	WScript.exe	87
PID 220 wrote to memory of 2472	220	WScript.exe	87
PID 2472 wrote to memory of 3368	2472	vOb.exe	92
PID 2472 wrote to memory of 3368	2472	vOb.exe	92
PID 2472 wrote to memory of 3368	2472	vOb.exe	92
PID 2472 wrote to memory of 2768	2472	vOb.exe	95
PID 2472 wrote to memory of 2768	2472	vOb.exe	95
PID 2472 wrote to memory of 2768	2472	vOb.exe	95
PID 2472 wrote to memory of 2768	2472	vOb.exe	95
PID 2472 wrote to memory of 2768	2472	vOb.exe	95
PID 2472 wrote to memory of 2768	2472	vOb.exe	95
PID 2472 wrote to memory of 2768	2472	vOb.exe	95
PID 2472 wrote to memory of 2768	2472	vOb.exe	95

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref-231017AF-Payment-Details.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NAKFZC.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Output.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\vOb.exe
      "C:\Users\Admin\AppData\Local\Temp\vOb.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -ExecutionPolicy Bypass -command xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= 'C:\Users\Admin\AppData\Local\Temp\vOb.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows Audio.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
    - - C:\Users\Admin\AppData\Local\Temp\vOb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vOb.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vOb.exe.log

Filesize
706B

MD5
2ef5ef69dadb8865b3d5b58c956077b8

SHA1
af2d869bac00685c745652bbd8b3fe82829a8998

SHA256
363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

SHA512
66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAKFZC.js

Filesize
764KB

MD5
8d38022aafef200f061a873cad79fe61

SHA1
536fb4fe64ce9695322eaca56ad895457acdfde8

SHA256
15921f2949858a67b8f01ac048ceed3083774b664549ea455d12eb8748049961

SHA512
e65acf7151e032df49a4f2bcd29dbcac0a3b1c2eb63f240bf556d603869ca5a73a61ba23aba924efb8fb764f212cceb9705c3ff8cdb635651ba9e10d2bb94060

Download Submit
C:\Users\Admin\AppData\Local\Temp\Output.js

Filesize
484KB

MD5
183b67bb3bced4ef59e57cfbfff3d08e

SHA1
f79fe87e3c5f331895db528dd7beef8b5477187a

SHA256
33170390bddb29dc3b25b4301982f88451c1cdff4415f98050a470c7f6d31f32

SHA512
21f2c5d01f493dc1d5f7c84c387b5cea5270f635ab154946a208977e8c9cc95b837d82230b74b307d0e20cabfabbf8a578b9b9be9260790d886426e358e0dabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hyzl1btl.arl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOb.exe

Filesize
346KB

MD5
84c9943b3b720f2090e42202d733ff5b

SHA1
da75a570bdceaa6eeb9beb3cf1a2a2a334265349

SHA256
1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

SHA512
aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOb.exe

Filesize
346KB

MD5
84c9943b3b720f2090e42202d733ff5b

SHA1
da75a570bdceaa6eeb9beb3cf1a2a2a334265349

SHA256
1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

SHA512
aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOb.exe

Filesize
346KB

MD5
84c9943b3b720f2090e42202d733ff5b

SHA1
da75a570bdceaa6eeb9beb3cf1a2a2a334265349

SHA256
1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

SHA512
aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOb.exe

Filesize
346KB

MD5
84c9943b3b720f2090e42202d733ff5b

SHA1
da75a570bdceaa6eeb9beb3cf1a2a2a334265349

SHA256
1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

SHA512
aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAKFZC.js

Filesize
764KB

MD5
8d38022aafef200f061a873cad79fe61

SHA1
536fb4fe64ce9695322eaca56ad895457acdfde8

SHA256
15921f2949858a67b8f01ac048ceed3083774b664549ea455d12eb8748049961

SHA512
e65acf7151e032df49a4f2bcd29dbcac0a3b1c2eb63f240bf556d603869ca5a73a61ba23aba924efb8fb764f212cceb9705c3ff8cdb635651ba9e10d2bb94060

Download Submit
memory/2472-36-0x0000000004DF0000-0x0000000004E8C000-memory.dmp

Filesize
624KB

Download
memory/2472-40-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2472-34-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2472-59-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2472-32-0x0000000005170000-0x0000000005714000-memory.dmp

Filesize
5.6MB

Download
memory/2472-29-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2472-50-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/2472-33-0x0000000004CB0000-0x0000000004D42000-memory.dmp

Filesize
584KB

Download
memory/2472-30-0x00000000001A0000-0x00000000001FC000-memory.dmp

Filesize
368KB

Download
memory/2472-31-0x0000000004B70000-0x0000000004BC4000-memory.dmp

Filesize
336KB

Download
memory/2472-62-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-61-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-81-0x0000000005E80000-0x0000000005ED0000-memory.dmp

Filesize
320KB

Download
memory/2768-91-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-51-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-99-0x0000000006790000-0x000000000679A000-memory.dmp

Filesize
40KB

Download
memory/3368-37-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3368-83-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3368-43-0x0000000005000000-0x0000000005066000-memory.dmp

Filesize
408KB

Download
memory/3368-42-0x0000000004E60000-0x0000000004E82000-memory.dmp

Filesize
136KB

Download
memory/3368-60-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/3368-63-0x0000000004AA0000-0x0000000004ABE000-memory.dmp

Filesize
120KB

Download
memory/3368-64-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/3368-66-0x000000007EEA0000-0x000000007EEB0000-memory.dmp

Filesize
64KB

Download
memory/3368-67-0x00000000062F0000-0x0000000006322000-memory.dmp

Filesize
200KB

Download
memory/3368-68-0x0000000070150000-0x000000007019C000-memory.dmp

Filesize
304KB

Download
memory/3368-78-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/3368-80-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3368-79-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3368-41-0x0000000005070000-0x0000000005698000-memory.dmp

Filesize
6.2MB

Download
memory/3368-82-0x0000000006CF0000-0x0000000006D93000-memory.dmp

Filesize
652KB

Download
memory/3368-45-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/3368-84-0x00000000076D0000-0x0000000007D4A000-memory.dmp

Filesize
6.5MB

Download
memory/3368-85-0x0000000007070000-0x000000000708A000-memory.dmp

Filesize
104KB

Download
memory/3368-86-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3368-87-0x00000000070D0000-0x00000000070DA000-memory.dmp

Filesize
40KB

Download
memory/3368-89-0x00000000072E0000-0x0000000007376000-memory.dmp

Filesize
600KB

Download
memory/3368-90-0x0000000007030000-0x0000000007041000-memory.dmp

Filesize
68KB

Download
memory/3368-39-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/3368-92-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/3368-93-0x00000000072A0000-0x00000000072B4000-memory.dmp

Filesize
80KB

Download
memory/3368-94-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/3368-95-0x0000000007380000-0x0000000007388000-memory.dmp

Filesize
32KB

Download
memory/3368-97-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3368-38-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download