agenttesla | 4debcaae1945cf89b96ce55e504a0c3d579d1ca3ce59f4551266fede8afa6064

Analysis

max time kernel
124s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe
Size

3.7MB
MD5

10543f9aaa9c0bf4085301bc7614ac20
SHA1

1561a634d02baaa557032b40f95b191deedb67d0
SHA256

4b35788594f482786143f276de0942d2f73c416c8e0b1d104e848187cb604749
SHA512

320dae470f3b5ad983b55fbaeb437daed163cea4a5166dd7c606012d9f21cb516b15d91e171469a594cf2522a71b0af367fe0b3c94cd9e2432570858280ec55e
SSDEEP

98304:FOH+wWNUsUX/WWxvy0GzbNPFZACmedrm:cewYUXX/TxvSzj5/

Score

10^/10

agenttesla quasar code discovery keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
@#Qwerty12345

Extracted

Family

quasar

Version

1.4.1

Botnet

CODE

twart.myfirewall.org:9792

rency.ydns.eu:5287

wqo9.firewall-gateway.de:8841

Mutex

02351e291-5d041-4fa37-932c7-869aeiQec514992

Attributes

encryption_key
3145298725BA5E0DD56E87FFE3F8898EA81E6EDA
install_name
workbook.exe
log_directory
Logs
reconnect_delay
6000
startup_key
workbook
subdirectory
SubDir

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
@#Qwerty12345
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/316-11-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

workbook.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	workbook.exe

Executes dropped EXE 11 IoCs

Processes:

workbook.exeworkbook.exerC35H5zPIxjh.exebtzpihN1XhWv.exeZPiFTyEGfvLK.exerC35H5zPIxjh.exerC35H5zPIxjh.exerC35H5zPIxjh.exebtzpihN1XhWv.exeZPiFTyEGfvLK.exeZPiFTyEGfvLK.exe

pid	Process
1844	workbook.exe
1064	workbook.exe
216	rC35H5zPIxjh.exe
3444	btzpihN1XhWv.exe
1828	ZPiFTyEGfvLK.exe
4840	rC35H5zPIxjh.exe
1600	rC35H5zPIxjh.exe
2480	rC35H5zPIxjh.exe
4856	btzpihN1XhWv.exe
4580	ZPiFTyEGfvLK.exe
4736	ZPiFTyEGfvLK.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
54	api.ipify.org
47	api.ipify.org
48	api.ipify.org
53	api.ipify.org

Suspicious use of SetThreadContext 5 IoCs

Processes:

Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exeworkbook.exerC35H5zPIxjh.exebtzpihN1XhWv.exeZPiFTyEGfvLK.exe

description	pid	Process	procid_target
PID 4496 set thread context of 316	4496	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	97
PID 1844 set thread context of 1064	1844	workbook.exe	104
PID 216 set thread context of 2480	216	rC35H5zPIxjh.exe	114
PID 3444 set thread context of 4856	3444	btzpihN1XhWv.exe	117
PID 1828 set thread context of 4736	1828	ZPiFTyEGfvLK.exe	119

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exeschtasks.exeworkbook.exeschtasks.exerC35H5zPIxjh.exebtzpihN1XhWv.exerC35H5zPIxjh.exeOrder - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exeworkbook.exeZPiFTyEGfvLK.exebtzpihN1XhWv.exeZPiFTyEGfvLK.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	workbook.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rC35H5zPIxjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	btzpihN1XhWv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rC35H5zPIxjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	workbook.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZPiFTyEGfvLK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	btzpihN1XhWv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZPiFTyEGfvLK.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
4312	schtasks.exe
4808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rC35H5zPIxjh.exerC35H5zPIxjh.exebtzpihN1XhWv.exeZPiFTyEGfvLK.exeZPiFTyEGfvLK.exe

pid	Process
216	rC35H5zPIxjh.exe
216	rC35H5zPIxjh.exe
216	rC35H5zPIxjh.exe
216	rC35H5zPIxjh.exe
2480	rC35H5zPIxjh.exe
2480	rC35H5zPIxjh.exe
4856	btzpihN1XhWv.exe
4856	btzpihN1XhWv.exe
1828	ZPiFTyEGfvLK.exe
1828	ZPiFTyEGfvLK.exe
4736	ZPiFTyEGfvLK.exe
4736	ZPiFTyEGfvLK.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exeworkbook.exerC35H5zPIxjh.exerC35H5zPIxjh.exebtzpihN1XhWv.exeZPiFTyEGfvLK.exeZPiFTyEGfvLK.exe

description	pid	Process
Token: SeDebugPrivilege	316	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe
Token: SeDebugPrivilege	1064	workbook.exe
Token: SeDebugPrivilege	216	rC35H5zPIxjh.exe
Token: SeDebugPrivilege	2480	rC35H5zPIxjh.exe
Token: SeDebugPrivilege	4856	btzpihN1XhWv.exe
Token: SeDebugPrivilege	1828	ZPiFTyEGfvLK.exe
Token: SeDebugPrivilege	4736	ZPiFTyEGfvLK.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

workbook.exe

pid	Process
1064	workbook.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exeOrder - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exeworkbook.exeworkbook.exerC35H5zPIxjh.exebtzpihN1XhWv.exeZPiFTyEGfvLK.exe

description	pid	Process	procid_target
PID 4496 wrote to memory of 316	4496	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	97
PID 4496 wrote to memory of 316	4496	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	97
PID 4496 wrote to memory of 316	4496	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	97
PID 4496 wrote to memory of 316	4496	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	97
PID 4496 wrote to memory of 316	4496	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	97
PID 4496 wrote to memory of 316	4496	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	97
PID 4496 wrote to memory of 316	4496	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	97
PID 4496 wrote to memory of 316	4496	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	97
PID 316 wrote to memory of 4808	316	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	98
PID 316 wrote to memory of 4808	316	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	98
PID 316 wrote to memory of 4808	316	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	98
PID 316 wrote to memory of 1844	316	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	100
PID 316 wrote to memory of 1844	316	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	100
PID 316 wrote to memory of 1844	316	Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe	100
PID 1844 wrote to memory of 1064	1844	workbook.exe	104
PID 1844 wrote to memory of 1064	1844	workbook.exe	104
PID 1844 wrote to memory of 1064	1844	workbook.exe	104
PID 1844 wrote to memory of 1064	1844	workbook.exe	104
PID 1844 wrote to memory of 1064	1844	workbook.exe	104
PID 1844 wrote to memory of 1064	1844	workbook.exe	104
PID 1844 wrote to memory of 1064	1844	workbook.exe	104
PID 1844 wrote to memory of 1064	1844	workbook.exe	104
PID 1064 wrote to memory of 4312	1064	workbook.exe	105
PID 1064 wrote to memory of 4312	1064	workbook.exe	105
PID 1064 wrote to memory of 4312	1064	workbook.exe	105
PID 1064 wrote to memory of 216	1064	workbook.exe	109
PID 1064 wrote to memory of 216	1064	workbook.exe	109
PID 1064 wrote to memory of 216	1064	workbook.exe	109
PID 1064 wrote to memory of 3444	1064	workbook.exe	110
PID 1064 wrote to memory of 3444	1064	workbook.exe	110
PID 1064 wrote to memory of 3444	1064	workbook.exe	110
PID 1064 wrote to memory of 1828	1064	workbook.exe	111
PID 1064 wrote to memory of 1828	1064	workbook.exe	111
PID 1064 wrote to memory of 1828	1064	workbook.exe	111
PID 216 wrote to memory of 4840	216	rC35H5zPIxjh.exe	112
PID 216 wrote to memory of 4840	216	rC35H5zPIxjh.exe	112
PID 216 wrote to memory of 4840	216	rC35H5zPIxjh.exe	112
PID 216 wrote to memory of 1600	216	rC35H5zPIxjh.exe	113
PID 216 wrote to memory of 1600	216	rC35H5zPIxjh.exe	113
PID 216 wrote to memory of 1600	216	rC35H5zPIxjh.exe	113
PID 216 wrote to memory of 2480	216	rC35H5zPIxjh.exe	114
PID 216 wrote to memory of 2480	216	rC35H5zPIxjh.exe	114
PID 216 wrote to memory of 2480	216	rC35H5zPIxjh.exe	114
PID 216 wrote to memory of 2480	216	rC35H5zPIxjh.exe	114
PID 216 wrote to memory of 2480	216	rC35H5zPIxjh.exe	114
PID 216 wrote to memory of 2480	216	rC35H5zPIxjh.exe	114
PID 216 wrote to memory of 2480	216	rC35H5zPIxjh.exe	114
PID 216 wrote to memory of 2480	216	rC35H5zPIxjh.exe	114
PID 3444 wrote to memory of 4856	3444	btzpihN1XhWv.exe	117
PID 3444 wrote to memory of 4856	3444	btzpihN1XhWv.exe	117
PID 3444 wrote to memory of 4856	3444	btzpihN1XhWv.exe	117
PID 3444 wrote to memory of 4856	3444	btzpihN1XhWv.exe	117
PID 3444 wrote to memory of 4856	3444	btzpihN1XhWv.exe	117
PID 3444 wrote to memory of 4856	3444	btzpihN1XhWv.exe	117
PID 3444 wrote to memory of 4856	3444	btzpihN1XhWv.exe	117
PID 3444 wrote to memory of 4856	3444	btzpihN1XhWv.exe	117
PID 1828 wrote to memory of 4580	1828	ZPiFTyEGfvLK.exe	118
PID 1828 wrote to memory of 4580	1828	ZPiFTyEGfvLK.exe	118
PID 1828 wrote to memory of 4580	1828	ZPiFTyEGfvLK.exe	118
PID 1828 wrote to memory of 4736	1828	ZPiFTyEGfvLK.exe	119
PID 1828 wrote to memory of 4736	1828	ZPiFTyEGfvLK.exe	119
PID 1828 wrote to memory of 4736	1828	ZPiFTyEGfvLK.exe	119
PID 1828 wrote to memory of 4736	1828	ZPiFTyEGfvLK.exe	119
PID 1828 wrote to memory of 4736	1828	ZPiFTyEGfvLK.exe	119

C:\Users\Admin\AppData\Local\Temp\Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe
"C:\Users\Admin\AppData\Local\Temp\Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe
  "C:\Users\Admin\AppData\Local\Temp\Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4808
- - C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4312
    - - C:\Users\Admin\AppData\Local\Temp\rC35H5zPIxjh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rC35H5zPIxjh.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Users\Admin\AppData\Local\Temp\rC35H5zPIxjh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rC35H5zPIxjh.exe"
        6⤵
        Executes dropped EXE
        
        PID:4840
      - C:\Users\Admin\AppData\Local\Temp\rC35H5zPIxjh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rC35H5zPIxjh.exe"
        6⤵
        Executes dropped EXE
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\rC35H5zPIxjh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rC35H5zPIxjh.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\btzpihN1XhWv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\btzpihN1XhWv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3444
      - C:\Users\Admin\AppData\Local\Temp\btzpihN1XhWv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\btzpihN1XhWv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\ZPiFTyEGfvLK.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZPiFTyEGfvLK.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Users\Admin\AppData\Local\Temp\ZPiFTyEGfvLK.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZPiFTyEGfvLK.exe"
        6⤵
        Executes dropped EXE
        
        PID:4580
      - C:\Users\Admin\AppData\Local\Temp\ZPiFTyEGfvLK.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZPiFTyEGfvLK.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order - PO0005376876624_NATHERL GROUP UK.pdf(79KB).exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC35H5zPIxjh.exe

Filesize
794KB

MD5
08ca1aa7629a23a8310daf06579da0b1

SHA1
2930d676eff99be7adbfccb48b11b41758c66fc2

SHA256
f8c395958551b1d8681e6a870b8dbbc9aaf41d6b9636a8d6c8c9328d9fbeeef5

SHA512
390132d495042e652196a4e7246e0ada5402726d46527f79edbc74690c15821c11b32cb8037ddf2da911b6e8285e08cb5542ffcfecbc7a6278199bdd64ced857

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe

Filesize
3.7MB

MD5
10543f9aaa9c0bf4085301bc7614ac20

SHA1
1561a634d02baaa557032b40f95b191deedb67d0

SHA256
4b35788594f482786143f276de0942d2f73c416c8e0b1d104e848187cb604749

SHA512
320dae470f3b5ad983b55fbaeb437daed163cea4a5166dd7c606012d9f21cb516b15d91e171469a594cf2522a71b0af367fe0b3c94cd9e2432570858280ec55e

Download Submit
memory/216-72-0x0000000002F70000-0x0000000002FF2000-memory.dmp

Filesize
520KB

Download
memory/216-49-0x0000000000C00000-0x0000000000CCC000-memory.dmp

Filesize
816KB

Download
memory/316-11-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/316-22-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/316-15-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/316-13-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1064-32-0x0000000006C70000-0x0000000006D22000-memory.dmp

Filesize
712KB

Download
memory/1064-30-0x0000000006E60000-0x0000000007478000-memory.dmp

Filesize
6.1MB

Download
memory/1064-37-0x0000000008250000-0x00000000082B6000-memory.dmp

Filesize
408KB

Download
memory/1064-36-0x00000000081A0000-0x00000000081DC000-memory.dmp

Filesize
240KB

Download
memory/1064-35-0x0000000008140000-0x0000000008152000-memory.dmp

Filesize
72KB

Download
memory/1064-31-0x0000000006A00000-0x0000000006A50000-memory.dmp

Filesize
320KB

Download
memory/1844-25-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1844-29-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1844-23-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1844-24-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/2480-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/4496-10-0x000000000E170000-0x000000000E20C000-memory.dmp

Filesize
624KB

Download
memory/4496-6-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/4496-7-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4496-5-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4496-14-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4496-8-0x00000000060C0000-0x00000000060DC000-memory.dmp

Filesize
112KB

Download
memory/4496-9-0x0000000009E70000-0x000000000A1D6000-memory.dmp

Filesize
3.4MB

Download
memory/4496-3-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/4496-2-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/4496-1-0x0000000000050000-0x000000000040A000-memory.dmp

Filesize
3.7MB

Download
memory/4496-4-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download