agenttesla | 4a41e0418949914320454262970d1c878a37b2c01b48a7e92047f536771bf6f9

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2023 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4a41e0418949914320454262970d1c878a37b2c01b48a7e92047f536771bf6f9js_JC.js
Size

7KB
MD5

e811c4c9c880e3fae8bfb0cd7be6a4f6
SHA1

b329fe66df345f51d229f5b76069a1f1263a1c2b
SHA256

4a41e0418949914320454262970d1c878a37b2c01b48a7e92047f536771bf6f9
SHA512

64ddaa45cddf959f07dac85ac412e169964f70150c02b32c1ff941791b2ce609a3d824d371b37e05bf7e7ec21b2658b7d462a9d9bfaa5a694c673aeefd335108
SSDEEP

48:6IDkWkpUJeT2nfw9LOABJCvs2LNL75q+tCqB5q04CXSR:8wm0JciBc0lo

Score

10^/10

agenttesla wshrat keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.martur.cl
Port:
21
Username:
admin@martur.cl
Password:
(57reRWWw5dj

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.martur.cl
Port:
21
Username:
admin@martur.cl
Password:
(57reRWWw5dj

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NAKFZC.js	family_wshrat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAKFZC.js	family_wshrat

Blocklisted process makes network request 30 IoCs

Processes:

wscript.exeWScript.exe

flow	pid	process
9	4268	wscript.exe
11	4268	wscript.exe
14	4268	wscript.exe
25	4904	WScript.exe
27	4904	WScript.exe
30	4904	WScript.exe
34	4904	WScript.exe
41	4904	WScript.exe
42	4904	WScript.exe
55	4904	WScript.exe
57	4904	WScript.exe
63	4904	WScript.exe
69	4904	WScript.exe
70	4904	WScript.exe
71	4904	WScript.exe
72	4904	WScript.exe
73	4904	WScript.exe
74	4904	WScript.exe
75	4904	WScript.exe
76	4904	WScript.exe
77	4904	WScript.exe
78	4904	WScript.exe
79	4904	WScript.exe
80	4904	WScript.exe
81	4904	WScript.exe
82	4904	WScript.exe
83	4904	WScript.exe
84	4904	WScript.exe
87	4904	WScript.exe
90	4904	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAKFZC.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAKFZC.js	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

vOb.exevOb.exe

pid process

1584 vOb.exe
4616 vOb.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1584	vOb.exe
4616	vOb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAKFZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NAKFZC.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAKFZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NAKFZC.js\""	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

vOb.exe

description pid process target process

PID 1584 set thread context of 4616 1584 vOb.exe vOb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
24	ip-api.com

description	pid	process	target process
PID 1584 set thread context of 4616	1584	vOb.exe	vOb.exe

Modifies registry class 2 IoCs

Processes:

wscript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	WScript.exe

Script User-Agent 26 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	34	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	69	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	70	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	73	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	76	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	77	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	82	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	83	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	63	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	72	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	80	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	30	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	78	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	90	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	55	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	79	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	87	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	57	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	41	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	42	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	75	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	81	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	84	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	27	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	71	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	74	WSHRAT\|E84DA272\|SMIJWJMH\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|NL:Netherlands

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Powershell.exevOb.exe

pid process

2000 Powershell.exe
2000 Powershell.exe
4616 vOb.exe
4616 vOb.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Powershell.exevOb.exe

description pid process

Token: SeDebugPrivilege 2000 Powershell.exe
Token: SeDebugPrivilege 4616 vOb.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vOb.exe

pid process

4616 vOb.exe

pid	process
2000	Powershell.exe
2000	Powershell.exe
4616	vOb.exe
4616	vOb.exe

description	pid	process
Token: SeDebugPrivilege	2000	Powershell.exe
Token: SeDebugPrivilege	4616	vOb.exe

pid	process
4616	vOb.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

wscript.exeWScript.exeWScript.exevOb.exe

description	pid	process	target process
PID 4268 wrote to memory of 4904	4268	wscript.exe	WScript.exe
PID 4268 wrote to memory of 4904	4268	wscript.exe	WScript.exe
PID 4904 wrote to memory of 3340	4904	WScript.exe	WScript.exe
PID 4904 wrote to memory of 3340	4904	WScript.exe	WScript.exe
PID 3340 wrote to memory of 1584	3340	WScript.exe	vOb.exe
PID 3340 wrote to memory of 1584	3340	WScript.exe	vOb.exe
PID 3340 wrote to memory of 1584	3340	WScript.exe	vOb.exe
PID 1584 wrote to memory of 2000	1584	vOb.exe	Powershell.exe
PID 1584 wrote to memory of 2000	1584	vOb.exe	Powershell.exe
PID 1584 wrote to memory of 2000	1584	vOb.exe	Powershell.exe
PID 1584 wrote to memory of 4616	1584	vOb.exe	vOb.exe
PID 1584 wrote to memory of 4616	1584	vOb.exe	vOb.exe
PID 1584 wrote to memory of 4616	1584	vOb.exe	vOb.exe
PID 1584 wrote to memory of 4616	1584	vOb.exe	vOb.exe
PID 1584 wrote to memory of 4616	1584	vOb.exe	vOb.exe
PID 1584 wrote to memory of 4616	1584	vOb.exe	vOb.exe
PID 1584 wrote to memory of 4616	1584	vOb.exe	vOb.exe
PID 1584 wrote to memory of 4616	1584	vOb.exe	vOb.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\NEAS.4a41e0418949914320454262970d1c878a37b2c01b48a7e92047f536771bf6f9js_JC.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NAKFZC.js"
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Output.js"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Local\Temp\vOb.exe
"C:\Users\Admin\AppData\Local\Temp\vOb.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= 'C:\Users\Admin\AppData\Local\Temp\vOb.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows Audio.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Local\Temp\vOb.exe
"C:\Users\Admin\AppData\Local\Temp\vOb.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NAKFZC.js
Filesize
764KB

MD5
8d38022aafef200f061a873cad79fe61

SHA1
536fb4fe64ce9695322eaca56ad895457acdfde8

SHA256
15921f2949858a67b8f01ac048ceed3083774b664549ea455d12eb8748049961

SHA512
e65acf7151e032df49a4f2bcd29dbcac0a3b1c2eb63f240bf556d603869ca5a73a61ba23aba924efb8fb764f212cceb9705c3ff8cdb635651ba9e10d2bb94060

Download Submit
C:\Users\Admin\AppData\Local\Temp\Output.js
Filesize
484KB

MD5
183b67bb3bced4ef59e57cfbfff3d08e

SHA1
f79fe87e3c5f331895db528dd7beef8b5477187a

SHA256
33170390bddb29dc3b25b4301982f88451c1cdff4415f98050a470c7f6d31f32

SHA512
21f2c5d01f493dc1d5f7c84c387b5cea5270f635ab154946a208977e8c9cc95b837d82230b74b307d0e20cabfabbf8a578b9b9be9260790d886426e358e0dabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_om4twynt.el2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOb.exe
Filesize
346KB

MD5
84c9943b3b720f2090e42202d733ff5b

SHA1
da75a570bdceaa6eeb9beb3cf1a2a2a334265349

SHA256
1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

SHA512
aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOb.exe
Filesize
346KB

MD5
84c9943b3b720f2090e42202d733ff5b

SHA1
da75a570bdceaa6eeb9beb3cf1a2a2a334265349

SHA256
1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

SHA512
aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOb.exe
Filesize
346KB

MD5
84c9943b3b720f2090e42202d733ff5b

SHA1
da75a570bdceaa6eeb9beb3cf1a2a2a334265349

SHA256
1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

SHA512
aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOb.exe
Filesize
346KB

MD5
84c9943b3b720f2090e42202d733ff5b

SHA1
da75a570bdceaa6eeb9beb3cf1a2a2a334265349

SHA256
1fd86142972ca45a894e5bae8f464164d521694d7a65e3e28d59be74ba6d5166

SHA512
aefc0c23ffc5b7d832e76eac265c403088b4ebbb120ceb718b753fda1b4292c9d3a05bfba303756fa25bed2e9090ac9f1925c232aa7cd443ebeb412f3dc88624

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAKFZC.js
Filesize
764KB

MD5
8d38022aafef200f061a873cad79fe61

SHA1
536fb4fe64ce9695322eaca56ad895457acdfde8

SHA256
15921f2949858a67b8f01ac048ceed3083774b664549ea455d12eb8748049961

SHA512
e65acf7151e032df49a4f2bcd29dbcac0a3b1c2eb63f240bf556d603869ca5a73a61ba23aba924efb8fb764f212cceb9705c3ff8cdb635651ba9e10d2bb94060

Download Submit
memory/1584-31-0x0000000004ED0000-0x0000000004F24000-memory.dmp

Filesize
336KB

Download
memory/1584-32-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/1584-33-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/1584-34-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1584-36-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/1584-37-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1584-38-0x00000000050A0000-0x000000000513C000-memory.dmp

Filesize
624KB

Download
memory/1584-29-0x00000000004C0000-0x000000000051C000-memory.dmp

Filesize
368KB

Download
memory/1584-63-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/1584-30-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/1584-58-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/2000-90-0x00000000073A0000-0x00000000073BE000-memory.dmp

Filesize
120KB

Download
memory/2000-95-0x00000000075D0000-0x00000000075DA000-memory.dmp

Filesize
40KB

Download
memory/2000-46-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/2000-43-0x0000000005310000-0x0000000005938000-memory.dmp

Filesize
6.2MB

Download
memory/2000-47-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/2000-57-0x0000000005BC0000-0x0000000005F14000-memory.dmp

Filesize
3.3MB

Download
memory/2000-41-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2000-42-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2000-40-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/2000-104-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/2000-102-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/2000-64-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/2000-66-0x0000000006210000-0x000000000625C000-memory.dmp

Filesize
304KB

Download
memory/2000-101-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/2000-69-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/2000-70-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2000-71-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2000-100-0x00000000077A0000-0x00000000077B4000-memory.dmp

Filesize
80KB

Download
memory/2000-99-0x0000000007790000-0x000000000779E000-memory.dmp

Filesize
56KB

Download
memory/2000-77-0x000000007EEC0000-0x000000007EED0000-memory.dmp

Filesize
64KB

Download
memory/2000-78-0x00000000073E0000-0x0000000007412000-memory.dmp

Filesize
200KB

Download
memory/2000-79-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/2000-80-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2000-39-0x0000000002870000-0x00000000028A6000-memory.dmp

Filesize
216KB

Download
memory/2000-91-0x0000000007450000-0x00000000074F3000-memory.dmp

Filesize
652KB

Download
memory/2000-97-0x0000000007760000-0x0000000007771000-memory.dmp

Filesize
68KB

Download
memory/2000-93-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/2000-94-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/2000-45-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/2000-96-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/4616-92-0x0000000005840000-0x0000000005890000-memory.dmp

Filesize
320KB

Download
memory/4616-74-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4616-73-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4616-67-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4616-65-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4616-62-0x0000000000510000-0x0000000000552000-memory.dmp

Filesize
264KB

Download
memory/4616-106-0x0000000006150000-0x000000000615A000-memory.dmp

Filesize
40KB

Download