formbook | 2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3

Analysis

max time kernel
151s
max time network
143s
platform
windows7_x64
resource
win7-en-20211208
submitted
21-01-2022 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dce983778e604b799e0470fd69e833f2.exe
Size

174KB
MD5

dce983778e604b799e0470fd69e833f2
SHA1

b97b22599b0b87bab09f24a7531c89d4cf35f5c2
SHA256

2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3
SHA512

bac7da0e8730d35e1c160c22e578c93f70a7d75cf700874b8ab485b3c0056848e6c39ebe19f8dafe19dd8b379b4fb655c974593782a1a181172a735ca88a5416

Score

10^/10

formbook oh75 persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1544-69-0x0000000000400000-0x000000000044F000-memory.dmp	formbook
\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe	formbook
behavioral1/memory/1544-77-0x0000000000400000-0x000000000044F000-memory.dmp	formbook
C:\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe	formbook
behavioral1/memory/1544-78-0x0000000000401000-0x000000000044F000-memory.dmp	formbook
\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe	formbook
C:\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe	formbook
behavioral1/memory/1496-90-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

FB_D807.tmp.exeFB_D8B4.tmp.exe

pid process

1100 FB_D807.tmp.exe
1608 FB_D8B4.tmp.exe
Loads dropped DLL 3 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.exe

pid process

1544 dce983778e604b799e0470fd69e833f2.exe
1544 dce983778e604b799e0470fd69e833f2.exe
1544 dce983778e604b799e0470fd69e833f2.exe

pid	process
1100	FB_D807.tmp.exe
1608	FB_D8B4.tmp.exe

pid	process
1544	dce983778e604b799e0470fd69e833f2.exe
1544	dce983778e604b799e0470fd69e833f2.exe
1544	dce983778e604b799e0470fd69e833f2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dce983778e604b799e0470fd69e833f2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\update. = "\"C:\\Users\\Admin\\AppData\\Roaming\\update\\update..exe\""	dce983778e604b799e0470fd69e833f2.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.exeFB_D8B4.tmp.exeipconfig.exe

description	pid	process	target process
PID 1580 set thread context of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1608 set thread context of 1228	1608	FB_D8B4.tmp.exe	Explorer.EXE
PID 1496 set thread context of 1228	1496	ipconfig.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

Explorer.EXE

description ioc process

File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1496 ipconfig.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

560 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

FB_D807.tmp.exe

pid process

1100 FB_D807.tmp.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE

pid	process
1496	ipconfig.exe

pid	process
560	PING.EXE

pid	process
1100	FB_D807.tmp.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.exeFB_D8B4.tmp.exeipconfig.exe

pid	process
1580	dce983778e604b799e0470fd69e833f2.exe
1608	FB_D8B4.tmp.exe
1608	FB_D8B4.tmp.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe
1496	ipconfig.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

FB_D8B4.tmp.exeipconfig.exe

pid process

1608 FB_D8B4.tmp.exe
1608 FB_D8B4.tmp.exe
1608 FB_D8B4.tmp.exe
1496 ipconfig.exe
1496 ipconfig.exe

pid	process
1608	FB_D8B4.tmp.exe
1608	FB_D8B4.tmp.exe
1608	FB_D8B4.tmp.exe
1496	ipconfig.exe
1496	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.exeFB_D8B4.tmp.exeFB_D807.tmp.exeExplorer.EXEipconfig.exe

description	pid	process
Token: SeDebugPrivilege	1580	dce983778e604b799e0470fd69e833f2.exe
Token: SeDebugPrivilege	1608	FB_D8B4.tmp.exe
Token: SeDebugPrivilege	1100	FB_D807.tmp.exe
Token: SeShutdownPrivilege	1228	Explorer.EXE
Token: SeDebugPrivilege	1496	ipconfig.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1432 AcroRd32.exe
1432 AcroRd32.exe
1432 AcroRd32.exe
1432 AcroRd32.exe

pid	process
1432	AcroRd32.exe
1432	AcroRd32.exe
1432	AcroRd32.exe
1432	AcroRd32.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.execmd.exeWScript.exedce983778e604b799e0470fd69e833f2.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1580 wrote to memory of 764	1580	dce983778e604b799e0470fd69e833f2.exe	cmd.exe
PID 1580 wrote to memory of 764	1580	dce983778e604b799e0470fd69e833f2.exe	cmd.exe
PID 1580 wrote to memory of 764	1580	dce983778e604b799e0470fd69e833f2.exe	cmd.exe
PID 1580 wrote to memory of 764	1580	dce983778e604b799e0470fd69e833f2.exe	cmd.exe
PID 764 wrote to memory of 560	764	cmd.exe	PING.EXE
PID 764 wrote to memory of 560	764	cmd.exe	PING.EXE
PID 764 wrote to memory of 560	764	cmd.exe	PING.EXE
PID 764 wrote to memory of 560	764	cmd.exe	PING.EXE
PID 1580 wrote to memory of 436	1580	dce983778e604b799e0470fd69e833f2.exe	WScript.exe
PID 1580 wrote to memory of 436	1580	dce983778e604b799e0470fd69e833f2.exe	WScript.exe
PID 1580 wrote to memory of 436	1580	dce983778e604b799e0470fd69e833f2.exe	WScript.exe
PID 1580 wrote to memory of 436	1580	dce983778e604b799e0470fd69e833f2.exe	WScript.exe
PID 436 wrote to memory of 1432	436	WScript.exe	AcroRd32.exe
PID 436 wrote to memory of 1432	436	WScript.exe	AcroRd32.exe
PID 436 wrote to memory of 1432	436	WScript.exe	AcroRd32.exe
PID 436 wrote to memory of 1432	436	WScript.exe	AcroRd32.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1580 wrote to memory of 1544	1580	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 1544 wrote to memory of 1100	1544	dce983778e604b799e0470fd69e833f2.exe	FB_D807.tmp.exe
PID 1544 wrote to memory of 1100	1544	dce983778e604b799e0470fd69e833f2.exe	FB_D807.tmp.exe
PID 1544 wrote to memory of 1100	1544	dce983778e604b799e0470fd69e833f2.exe	FB_D807.tmp.exe
PID 1544 wrote to memory of 1100	1544	dce983778e604b799e0470fd69e833f2.exe	FB_D807.tmp.exe
PID 1544 wrote to memory of 1608	1544	dce983778e604b799e0470fd69e833f2.exe	FB_D8B4.tmp.exe
PID 1544 wrote to memory of 1608	1544	dce983778e604b799e0470fd69e833f2.exe	FB_D8B4.tmp.exe
PID 1544 wrote to memory of 1608	1544	dce983778e604b799e0470fd69e833f2.exe	FB_D8B4.tmp.exe
PID 1544 wrote to memory of 1608	1544	dce983778e604b799e0470fd69e833f2.exe	FB_D8B4.tmp.exe
PID 1228 wrote to memory of 1496	1228	Explorer.EXE	ipconfig.exe
PID 1228 wrote to memory of 1496	1228	Explorer.EXE	ipconfig.exe
PID 1228 wrote to memory of 1496	1228	Explorer.EXE	ipconfig.exe
PID 1228 wrote to memory of 1496	1228	Explorer.EXE	ipconfig.exe
PID 1496 wrote to memory of 1392	1496	ipconfig.exe	cmd.exe
PID 1496 wrote to memory of 1392	1496	ipconfig.exe	cmd.exe
PID 1496 wrote to memory of 1392	1496	ipconfig.exe	cmd.exe
PID 1496 wrote to memory of 1392	1496	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\dce983778e604b799e0470fd69e833f2.exe
"C:\Users\Admin\AppData\Local\Temp\dce983778e604b799e0470fd69e833f2.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
3⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\PING.EXE
ping google.com
4⤵
- Runs ping.exe
PID:560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bjz0x04rcey.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dunyfmjfile.pdf"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Users\Admin\AppData\Local\Temp\dce983778e604b799e0470fd69e833f2.exe
C:\Users\Admin\AppData\Local\Temp\dce983778e604b799e0470fd69e833f2.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\FB_D807.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_D807.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe"
3⤵
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dunyfmjfile.pdf
MD5
33e77f08076d0a57cf0c49bac2eb5427

SHA1
4913cfb36cf8faa5df289eda8dfc35a196c37df4

SHA256
4df1b409aeabe59d70d24524e2b2ca1b9ac1a7b5b65722df951faacbc8e44d1a

SHA512
5320f8d8585d298a5af08bf5120b66b78edbe253d4e0299855e52624fde28e025caf78a1c17c770c82ec8a3f8becb25eaa3afbb5ac02a82503e9f17b31ee0070

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_D807.tmp.exe
MD5
4538ef7f9c0d0e7c883d0aabb46c1052

SHA1
6c6517c8dae3a31abeb814700f38f31ea124d8a8

SHA256
bfdff4ccf418088fbfc206b769c378e096240e2b0596998458afc393a2ffa077

SHA512
891d900251e8d6936da1bf9467b0b2f353eda71ccc4b2e2892f009b9958b0c9e0657baddb3ab0a0df5a2dc93d4d2b96f6d4e1c692a3fc53e0c7e661fbc5fd706

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_D807.tmp.exe
MD5
4538ef7f9c0d0e7c883d0aabb46c1052

SHA1
6c6517c8dae3a31abeb814700f38f31ea124d8a8

SHA256
bfdff4ccf418088fbfc206b769c378e096240e2b0596998458afc393a2ffa077

SHA512
891d900251e8d6936da1bf9467b0b2f353eda71ccc4b2e2892f009b9958b0c9e0657baddb3ab0a0df5a2dc93d4d2b96f6d4e1c692a3fc53e0c7e661fbc5fd706

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe
MD5
679e273b07867f0bfcd45402e8d92d00

SHA1
d6cfa3ed71af28f95229bce69fea45fe18eeaf5e

SHA256
37ed1ba1aab413fbf59e196f9337f6295a1fbbf1540e76525b43725b1e0b012d

SHA512
fa3e0ad8afd1791d304ed4a8f81af498f2005f83b0c7add8c5775d92c69c11c42462f5d3349bbcda1ffb251abf4c46915abcc3844eaabdc2bfd38e030a5f7e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe
MD5
679e273b07867f0bfcd45402e8d92d00

SHA1
d6cfa3ed71af28f95229bce69fea45fe18eeaf5e

SHA256
37ed1ba1aab413fbf59e196f9337f6295a1fbbf1540e76525b43725b1e0b012d

SHA512
fa3e0ad8afd1791d304ed4a8f81af498f2005f83b0c7add8c5775d92c69c11c42462f5d3349bbcda1ffb251abf4c46915abcc3844eaabdc2bfd38e030a5f7e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjz0x04rcey.vbs
MD5
2acb2457b23d92c73721bb1e64bc97c1

SHA1
16f82f5555ad88b45104cae5dc777b7258e47d83

SHA256
0b60d3eeb34e312053b043cf22ee13946f525298e6ab35adad99d64b073a72b2

SHA512
524410e9cecefd2987a8096618fba1c0141d6f6eb2a9c6a491133c70eaef6441fd4a60d1ed7cca196e9d5a06495926b35cc1c9d4fe8f58ec738e13d3f53ca1a3

Download Submit
\Users\Admin\AppData\Local\Temp\FB_D807.tmp.exe
MD5
4538ef7f9c0d0e7c883d0aabb46c1052

SHA1
6c6517c8dae3a31abeb814700f38f31ea124d8a8

SHA256
bfdff4ccf418088fbfc206b769c378e096240e2b0596998458afc393a2ffa077

SHA512
891d900251e8d6936da1bf9467b0b2f353eda71ccc4b2e2892f009b9958b0c9e0657baddb3ab0a0df5a2dc93d4d2b96f6d4e1c692a3fc53e0c7e661fbc5fd706

Download Submit
\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe
MD5
679e273b07867f0bfcd45402e8d92d00

SHA1
d6cfa3ed71af28f95229bce69fea45fe18eeaf5e

SHA256
37ed1ba1aab413fbf59e196f9337f6295a1fbbf1540e76525b43725b1e0b012d

SHA512
fa3e0ad8afd1791d304ed4a8f81af498f2005f83b0c7add8c5775d92c69c11c42462f5d3349bbcda1ffb251abf4c46915abcc3844eaabdc2bfd38e030a5f7e63

Download Submit
\Users\Admin\AppData\Local\Temp\FB_D8B4.tmp.exe
MD5
679e273b07867f0bfcd45402e8d92d00

SHA1
d6cfa3ed71af28f95229bce69fea45fe18eeaf5e

SHA256
37ed1ba1aab413fbf59e196f9337f6295a1fbbf1540e76525b43725b1e0b012d

SHA512
fa3e0ad8afd1791d304ed4a8f81af498f2005f83b0c7add8c5775d92c69c11c42462f5d3349bbcda1ffb251abf4c46915abcc3844eaabdc2bfd38e030a5f7e63

Download Submit
memory/1100-82-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/1100-79-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1100-81-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/1100-80-0x00000000003A0000-0x00000000003D2000-memory.dmp

Filesize
200KB

Download
memory/1228-86-0x0000000007310000-0x00000000074A9000-memory.dmp

Filesize
1.6MB

Download
memory/1228-93-0x00000000080E0000-0x0000000008256000-memory.dmp

Filesize
1.5MB

Download
memory/1496-91-0x0000000002120000-0x0000000002423000-memory.dmp

Filesize
3.0MB

Download
memory/1496-89-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1496-90-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1496-92-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/1544-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1544-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1544-78-0x0000000000401000-0x000000000044F000-memory.dmp

Filesize
312KB

Download
memory/1544-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1544-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1544-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1544-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1544-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1580-55-0x0000000000BD0000-0x0000000000C00000-memory.dmp

Filesize
192KB

Download
memory/1580-56-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1580-57-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1580-58-0x0000000005270000-0x0000000005322000-memory.dmp

Filesize
712KB

Download
memory/1580-59-0x00000000057B0000-0x0000000005818000-memory.dmp

Filesize
416KB

Download
memory/1580-60-0x0000000004440000-0x000000000448C000-memory.dmp

Filesize
304KB

Download
memory/1608-85-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/1608-84-0x00000000007F0000-0x0000000000AF3000-memory.dmp

Filesize
3.0MB

Download