agenttesla | 5e8f82fa0592f63a811dea02c5875cc502ff322bbdf855de1b71e2399ec8f029

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111.vbe
Size

11KB
MD5

f4f90d06813ebae0cf591acfc33a9b72
SHA1

4f9563282b62e08ac9e31856c8394ffa474f6c15
SHA256

5e8f82fa0592f63a811dea02c5875cc502ff322bbdf855de1b71e2399ec8f029
SHA512

42b643ead7537c5a7ef63fde8eed3d75211cd0f39bdcefd79afd0345f00c2627f0a6f8120a1c1be1c947ed0e1c0ee8970d688221ff9f40572d3c6806b7b806b5
SSDEEP

192:kVPCg3XXH2AYKtbXq1qFqpSJ7sWfqH2hmDaOdC8NhuOzWNEK:cH3XXH2aA1qFkiQWfq2mDLdCpxF

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
M992uew1mw6Z
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	4412	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	api.ipify.org
44	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4380 set thread context of 4960	4380	powershell.exe	99

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4380	powershell.exe
4380	powershell.exe
32	powershell.exe
32	powershell.exe
4380	powershell.exe
4960	MSBuild.exe
4960	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeShutdownPrivilege	2860	unregmp2.exe
Token: SeCreatePagefilePrivilege	2860	unregmp2.exe
Token: SeShutdownPrivilege	2852	wmplayer.exe
Token: SeCreatePagefilePrivilege	2852	wmplayer.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeDebugPrivilege	4960	MSBuild.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2852	wmplayer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 4380	1732	WScript.exe	88
PID 1732 wrote to memory of 4380	1732	WScript.exe	88
PID 2852 wrote to memory of 516	2852	wmplayer.exe	93
PID 2852 wrote to memory of 516	2852	wmplayer.exe	93
PID 2852 wrote to memory of 516	2852	wmplayer.exe	93
PID 516 wrote to memory of 2860	516	unregmp2.exe	94
PID 516 wrote to memory of 2860	516	unregmp2.exe	94
PID 1732 wrote to memory of 32	1732	WScript.exe	97
PID 1732 wrote to memory of 32	1732	WScript.exe	97
PID 4380 wrote to memory of 4960	4380	powershell.exe	99
PID 4380 wrote to memory of 4960	4380	powershell.exe	99
PID 4380 wrote to memory of 4960	4380	powershell.exe	99
PID 4380 wrote to memory of 4960	4380	powershell.exe	99
PID 4380 wrote to memory of 4960	4380	powershell.exe	99
PID 4380 wrote to memory of 4960	4380	powershell.exe	99
PID 4380 wrote to memory of 4960	4380	powershell.exe	99
PID 4380 wrote to memory of 4960	4380	powershell.exe	99
PID 32 wrote to memory of 2264	32	powershell.exe	100
PID 32 wrote to memory of 2264	32	powershell.exe	100
PID 4380 wrote to memory of 924	4380	powershell.exe	101
PID 4380 wrote to memory of 924	4380	powershell.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\111.vbe"
1⤵
- Blocklisted process makes network request
PID:4412

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\QIbTTutRfdLJtpX.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4380" "2748" "2684" "2752" "0" "0" "2756" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:924
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "32" "2688" "2624" "2692" "0" "0" "2696" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2264

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
c7e74ff144c55f2b021dcfb217508453

SHA1
34df62dbc9d89432a708636648b96fa517331882

SHA256
73587d34368cde7cedd819c6257885934db526c4a8fd1f8b3f9e85b4dedcbceb

SHA512
5eeeaa2e1b592593d9ca43ebe1f2edb24dea60dd83a8ca618e541c5571947adba2857712b1e8f7e6eebbbd6142f5fb13b42cc67c09a6edbc0f7835b9e3cc60da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
ef9905684d81712e0c6e5e0b1742f4ad

SHA1
5a1977b8e08b944aa1b3375afbfad8738f675a2b

SHA256
5d9ce21123a67694320ab80f45fb2e6179a7d31d6e1e8296fd35d3a06f507b26

SHA512
98970cf384fae387e3bda3e0996e5349e721badf70c36bdb917023fd0c8821ce5ec9e1553198ede93fad78c0089e81217fb8ca6630ba60ccf8e153aaacc0d8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2tg0pke.tqp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
2af2268182be25464a4c09d8fd1db10f

SHA1
21ab1c19dc20d1ed19d4209adda79e0094338998

SHA256
31864a96dad40755f3da3af111e97adb95021e5a5060e1c039f752dec9537ee1

SHA512
ce6eafef1240fe12cda9d06b8385f969038d4bd2f1c3234473e1460942b63eea9df9ea827dd3c37e4202a606bebaae9032859376407f87e52c7aa8e475544c90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
cf148d06cca28e4b46341fc7304d8044

SHA1
d0f6782a35739c32d5758670e1c6d9e56c881f84

SHA256
b61a0da9099429f1087d86b083b55a6769ab125ce32acc370dbe9a3cfaf596dc

SHA512
7c3408681abdee18ab1358e0b6b40b3f75b36cab18c53edeac0c5a035233cdc707167cabb41af120791eb64cf5ea544e010e92d78ea425d64922eb0066660581

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
cd2253494f9eca2785c4ed3e59de2a25

SHA1
9e84dced914ed1a6e1d9cd972d88185d51067267

SHA256
4d20527b69f60255483712d42f1dc050ab5cb679abd1d054ccbb6ae3fdf96952

SHA512
85a18164867a62d9538c5a724d3ac38348df1cb3de212a0bdcc7d5007d3184a960f9c22955003be2f9d35ba6d4c9229bed907ae77a03c42b98ebc25448a110c6

Download Submit
C:\Users\Admin\AppData\Roaming\QIbTTutRfdLJtpX.vbs

Filesize
2KB

MD5
b60eb1408d589af97d9046b0de991ed2

SHA1
35b90248cd3f3253fbfaf80209de49e0321a6df1

SHA256
c9979fa459b5b5478dbc5bddf16723808c6946a613267e3b4c4cdcebb3b6abaa

SHA512
09567b9c43443a9e44b90f7c5a33742a86ffd44fb9ab44e0dd6e6e0d096b06fcca130c6ac16ab200f32c07fa6e2fc0dad8c19802334ad9232f696cf59355dcf3

Download Submit
memory/2852-52-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/2852-49-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/2852-47-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/2852-48-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/2852-51-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/2852-53-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/2852-50-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/2852-45-0x0000000006890000-0x00000000068A0000-memory.dmp

Filesize
64KB

Download
memory/2852-107-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/4380-14-0x000001DAF2220000-0x000001DAF2264000-memory.dmp

Filesize
272KB

Download
memory/4380-85-0x000001DAF2210000-0x000001DAF2218000-memory.dmp

Filesize
32KB

Download
memory/4380-86-0x000001DAF2270000-0x000001DAF227C000-memory.dmp

Filesize
48KB

Download
memory/4380-13-0x000001DAF1F70000-0x000001DAF1F92000-memory.dmp

Filesize
136KB

Download
memory/4380-25-0x000001DAF4700000-0x000001DAF4776000-memory.dmp

Filesize
472KB

Download
memory/4960-87-0x00000000011C0000-0x0000000001200000-memory.dmp

Filesize
256KB

Download
memory/4960-101-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/4960-106-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/4960-115-0x0000000006C30000-0x0000000006C80000-memory.dmp

Filesize
320KB

Download
memory/4960-116-0x0000000006D20000-0x0000000006DB2000-memory.dmp

Filesize
584KB

Download
memory/4960-117-0x0000000006CA0000-0x0000000006CAA000-memory.dmp

Filesize
40KB

Download