agenttesla | ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
Size

923KB
MD5

c214377ddbfc6b4721db28b83e381edd
SHA1

8ca975d7e8a3a581659076d09147cb2e1ff95b99
SHA256

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1
SHA512

c9ed14ecfa7fbb127ea25eb97ae17c4e4f292dbc7ad18aa4d98dccac57859125d4b7333cd95e0e52d476ad4b7f6365000f61a047e498c5f6335c03ab85ef1319
SSDEEP

24576:kk7vQavyVoyXO+Q0drrgWID8TUo0yLWXTAxs0Ts:x7vQavyGZ2xrgWIUJLmYVo

Score

10^/10

agenttesla asyncrat redline sectoprat snakekeylogger default professor collection credential_access discovery infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

professor

91.92.109.70:9412

Attributes

auth_value
e49ffb4df6cacbfbb1d4dc8e6b137a0a

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bursaplastik.com
Port:
587
Username:
[email protected]
Password:
ahm155
Email To:
[email protected]

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

91.92.109.70:5353

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

snakekeylogger

https://api.telegram.org/bot1982610890:AAFCcNp1Tl28ILhhdWKR-lR4Xpa_V1kwvCk/sendMessage?chat_id=860277004

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b86-44.dat	family_redline
behavioral2/memory/1496-70-0x0000000000B60000-0x0000000000B82000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b86-44.dat	family_sectoprat
behavioral2/memory/1496-70-0x0000000000B60000-0x0000000000B82000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b8a-57.dat	family_snakekeylogger
behavioral2/memory/2468-67-0x0000000000B50000-0x0000000000B76000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b85-25.dat	family_agenttesla
behavioral2/memory/2244-45-0x00000000005F0000-0x000000000062C000-memory.dmp	family_agenttesla

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b87-47.dat	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exeef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe

Executes dropped EXE 4 IoCs

Processes:

shawori4.0.exeDoc2.exeDoc.exeshaw snake 4.0.exe

pid	Process
2244	shawori4.0.exe
1496	Doc2.exe
2736	Doc.exe
2468	shaw snake 4.0.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

shawori4.0.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	shawori4.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	shawori4.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	shawori4.0.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
36	checkip.dyndns.org
39	freegeoip.app
40	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe

description	pid	Process	procid_target
PID 3084 set thread context of 3604	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2336	2468	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exeef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exeschtasks.exeshawori4.0.exeDoc.exeshaw snake 4.0.exeDoc2.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shawori4.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shaw snake 4.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doc2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exeshawori4.0.exeshaw snake 4.0.exe

pid	Process
3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
2244	shawori4.0.exe
2244	shawori4.0.exe
2468	shaw snake 4.0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exeshawori4.0.exeshaw snake 4.0.exe

description	pid	Process
Token: SeDebugPrivilege	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
Token: SeDebugPrivilege	2244	shawori4.0.exe
Token: SeDebugPrivilege	2468	shaw snake 4.0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

shawori4.0.exe

pid	Process
2244	shawori4.0.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exeef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe

description	pid	Process	procid_target
PID 3084 wrote to memory of 1760	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	91
PID 3084 wrote to memory of 1760	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	91
PID 3084 wrote to memory of 1760	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	91
PID 3084 wrote to memory of 3604	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	93
PID 3084 wrote to memory of 3604	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	93
PID 3084 wrote to memory of 3604	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	93
PID 3084 wrote to memory of 3604	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	93
PID 3084 wrote to memory of 3604	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	93
PID 3084 wrote to memory of 3604	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	93
PID 3084 wrote to memory of 3604	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	93
PID 3084 wrote to memory of 3604	3084	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	93
PID 3604 wrote to memory of 2244	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	94
PID 3604 wrote to memory of 2244	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	94
PID 3604 wrote to memory of 2244	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	94
PID 3604 wrote to memory of 1496	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	95
PID 3604 wrote to memory of 1496	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	95
PID 3604 wrote to memory of 1496	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	95
PID 3604 wrote to memory of 2736	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	97
PID 3604 wrote to memory of 2736	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	97
PID 3604 wrote to memory of 2736	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	97
PID 3604 wrote to memory of 2468	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	98
PID 3604 wrote to memory of 2468	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	98
PID 3604 wrote to memory of 2468	3604	ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe	98

outlook_office_path 1 IoCs

Processes:

shawori4.0.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	shawori4.0.exe

outlook_win_path 1 IoCs

Processes:

shawori4.0.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	shawori4.0.exe

C:\Users\Admin\AppData\Local\Temp\ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
"C:\Users\Admin\AppData\Local\Temp\ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOUbYWeBQhU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp194F.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe
  "C:\Users\Admin\AppData\Local\Temp\ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\shawori4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\shawori4.0.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:2244
- - C:\Users\Admin\AppData\Local\Temp\Doc2.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\Doc.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2736
- - C:\Users\Admin\AppData\Local\Temp\shaw snake 4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\shaw snake 4.0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1812
      4⤵
      Program crash
      PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2468 -ip 2468
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Doc.exe

Filesize
45KB

MD5
ff911b01de9c67664cbeebf071651d9b

SHA1
a4965610cb6f0a28f29d64977c1535a80ff78792

SHA256
75958183900ca3ae5e707883fac463595f5b9faf79ebe14166987abceacd91a9

SHA512
bbe15c5e94e89c138503e6790cf186ee7e854e78a4f5c7c743bead341eeb23468e04fbbaf5f6c642f3409e32d62e6ac525548b97f05c67b18150a470b98e238c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Doc2.exe

Filesize
113KB

MD5
f824b1597b0746ebeee1679d0b5dcc20

SHA1
00f489e1ccf525375e65fa8b7f5e2c3e805af195

SHA256
69cccd5a3c14567765d9ab3c826dbf37c3a82c8c477e3070460c8eb7935dd3f8

SHA512
43507337e82242141499a9b987303c1dbcffb9c7674dedd92317c7fe519a615db9b836f0367706a043861635e9305f220dbb4a6781cd34e75ef95469995da057

Download Submit
C:\Users\Admin\AppData\Local\Temp\shaw snake 4.0.exe

Filesize
126KB

MD5
00bbb41ac9e00544de16a8328c0fc897

SHA1
b4fcda6c599ed90229094df77d3b4c5eb2e73c94

SHA256
01f13fca1b5e671d54999a10a6081e51fae1b37e907a29d800241202f69a196b

SHA512
30ac40ace33d6b2693fb9f8910d3b5bf656fb2974551bed20982f2d0a8cb834cdb2a1246fce736371e1f76f0d4a10a8549d41ddd4940f2aef60548de54fadfcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\shawori4.0.exe

Filesize
216KB

MD5
b2d8b1dbac147077cae57ee37de6f696

SHA1
b288a5e3602d7ae8dc36dd599a96db18505ea34b

SHA256
38cef761a233c69139074ba5366dbadba96a30035d29bd684fd985f3ea903fcd

SHA512
546c7e49a40fde647045c5af19a6761c79ae92377f3802c72c4491ab290f49dfba10fd6d44d9b38fda00860a9e6ec6ab79ad61fbee2d3cb3aeacc0a7a663f3ba

Download Submit
memory/1496-70-0x0000000000B60000-0x0000000000B82000-memory.dmp

Filesize
136KB

Download
memory/1496-75-0x00000000054B0000-0x00000000054FC000-memory.dmp

Filesize
304KB

Download
memory/1496-74-0x0000000005470000-0x00000000054AC000-memory.dmp

Filesize
240KB

Download
memory/1496-73-0x0000000005530000-0x000000000563A000-memory.dmp

Filesize
1.0MB

Download
memory/1496-72-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/1496-71-0x0000000005A00000-0x0000000006018000-memory.dmp

Filesize
6.1MB

Download
memory/2244-45-0x00000000005F0000-0x000000000062C000-memory.dmp

Filesize
240KB

Download
memory/2244-78-0x0000000000EB0000-0x0000000000F00000-memory.dmp

Filesize
320KB

Download
memory/2244-77-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/2244-76-0x00000000050B0000-0x00000000050C8000-memory.dmp

Filesize
96KB

Download
memory/2468-67-0x0000000000B50000-0x0000000000B76000-memory.dmp

Filesize
152KB

Download
memory/2736-63-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/3084-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/3084-6-0x00000000058A0000-0x00000000058AE000-memory.dmp

Filesize
56KB

Download
memory/3084-2-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/3084-1-0x0000000000B00000-0x0000000000BEE000-memory.dmp

Filesize
952KB

Download
memory/3084-5-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/3084-4-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/3084-7-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/3084-3-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/3084-8-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/3084-20-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/3084-9-0x0000000008280000-0x000000000831C000-memory.dmp

Filesize
624KB

Download
memory/3084-10-0x00000000085B0000-0x0000000008686000-memory.dmp

Filesize
856KB

Download
memory/3604-16-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3604-18-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/3604-21-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/3604-68-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download