formbook | f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
04-11-2022 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a.exe
Size

225KB
MD5

a5c131c279492a7c4faf41aeb9d74df3
SHA1

b9682208bfd207f5ba509841babfc373abfb32a0
SHA256

f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a
SHA512

9431ccddf09aac7f7c02acb501533f4892a3c5d65f999bcbdd0afaa02ab57af8542007064c1516ab8538a062288092c0e18686a34300a92dd918120e3fc2bb77
SSDEEP

3072:qUJoFfWzzl+cSMJysmAtGiTAumzXrz8FTE/CmDp9h4fP8oojb/fQE1a0oDmeWqH4:qweEp1wiTATO41hos/o0oYCoc7zd4Gi

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

hpljh.exehpljh.exe

pid process

5088 hpljh.exe
4904 hpljh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

hpljh.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation hpljh.exe

pid	process
5088	hpljh.exe
4904	hpljh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation	hpljh.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

hpljh.exehpljh.exechkdsk.exe

description	pid	process	target process
PID 5088 set thread context of 4904	5088	hpljh.exe	hpljh.exe
PID 4904 set thread context of 2836	4904	hpljh.exe	Explorer.EXE
PID 4904 set thread context of 2836	4904	hpljh.exe	Explorer.EXE
PID 4384 set thread context of 2836	4384	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2368682536-4045190062-1465778271-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

hpljh.exechkdsk.exe

pid	process
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2836 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

hpljh.exehpljh.exechkdsk.exe

pid process

5088 hpljh.exe
4904 hpljh.exe
4904 hpljh.exe
4904 hpljh.exe
4904 hpljh.exe
4384 chkdsk.exe
4384 chkdsk.exe
4384 chkdsk.exe
4384 chkdsk.exe

pid	process
2836	Explorer.EXE

pid	process
5088	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4904	hpljh.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe
4384	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

hpljh.exechkdsk.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4904	hpljh.exe
Token: SeDebugPrivilege	4384	chkdsk.exe
Token: SeShutdownPrivilege	2836	Explorer.EXE
Token: SeCreatePagefilePrivilege	2836	Explorer.EXE
Token: SeShutdownPrivilege	2836	Explorer.EXE
Token: SeCreatePagefilePrivilege	2836	Explorer.EXE
Token: SeShutdownPrivilege	2836	Explorer.EXE
Token: SeCreatePagefilePrivilege	2836	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a.exehpljh.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1748 wrote to memory of 5088	1748	f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a.exe	hpljh.exe
PID 1748 wrote to memory of 5088	1748	f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a.exe	hpljh.exe
PID 1748 wrote to memory of 5088	1748	f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a.exe	hpljh.exe
PID 5088 wrote to memory of 4904	5088	hpljh.exe	hpljh.exe
PID 5088 wrote to memory of 4904	5088	hpljh.exe	hpljh.exe
PID 5088 wrote to memory of 4904	5088	hpljh.exe	hpljh.exe
PID 5088 wrote to memory of 4904	5088	hpljh.exe	hpljh.exe
PID 2836 wrote to memory of 4384	2836	Explorer.EXE	chkdsk.exe
PID 2836 wrote to memory of 4384	2836	Explorer.EXE	chkdsk.exe
PID 2836 wrote to memory of 4384	2836	Explorer.EXE	chkdsk.exe
PID 4384 wrote to memory of 5068	4384	chkdsk.exe	Firefox.exe
PID 4384 wrote to memory of 5068	4384	chkdsk.exe	Firefox.exe
PID 4384 wrote to memory of 5068	4384	chkdsk.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a.exe
"C:\Users\Admin\AppData\Local\Temp\f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\hpljh.exe
"C:\Users\Admin\AppData\Local\Temp\hpljh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\hpljh.exe
"C:\Users\Admin\AppData\Local\Temp\hpljh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2760

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3664

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4272

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4252

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4276

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwjcnqk.ucy
Filesize
5KB

MD5
54e0e76113007819985eaddacf9981e0

SHA1
e2817c8a079ed3fe23b4e7cc20ac216cab5f71df

SHA256
8879822873d43a514773a7cdd8d9621cea35dbda5254921e4cdd3852f2fb7a70

SHA512
a61df458c27886a23737732617361fe4f5445a2b82da827150a07bb4cff76071ad778d87348d6b8b17fd8e6f93e426254cb62d6f8ce389b0f89570ca68f2dd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwwjuoxw.x
Filesize
185KB

MD5
ee3288ffe86a657552d2c9c8464de868

SHA1
bb8289bbb5746bb655b661bcea180e9c7188399a

SHA256
bf839e9f2f3ca0858aefb5a7c337e9f5672208f54a69df7b373e59788c213a0b

SHA512
feab7269b99e8a0e149313c244e1d2d1b27c0d6ee87ec72752c87bf6c6152324600e6f1b085397b8a7860811eb391f2e8e622c552aceeae4bca1a2b6548bb71e

Download Submit
memory/1748-144-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-131-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-127-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-128-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-129-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-130-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-154-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-132-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-133-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-134-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-135-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-136-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-137-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-138-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-140-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-139-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-141-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-142-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-143-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-145-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-146-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-147-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-149-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-148-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-150-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-155-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-153-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-125-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-152-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-126-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-151-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-156-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-157-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-158-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-159-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-160-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-121-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-124-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-123-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-120-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1748-122-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/2836-265-0x0000000004F30000-0x0000000005025000-memory.dmp

Filesize
980KB

Download
memory/2836-233-0x0000000004E20000-0x0000000004F2A000-memory.dmp

Filesize
1.0MB

Download
memory/2836-267-0x0000000004F30000-0x0000000005025000-memory.dmp

Filesize
980KB

Download
memory/2836-231-0x0000000002960000-0x0000000002AC5000-memory.dmp

Filesize
1.4MB

Download
memory/4384-255-0x0000000004E00000-0x0000000004F4A000-memory.dmp

Filesize
1.3MB

Download
memory/4384-253-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/4384-264-0x00000000051B0000-0x000000000523F000-memory.dmp

Filesize
572KB

Download
memory/4384-266-0x00000000009E0000-0x0000000000A0D000-memory.dmp

Filesize
180KB

Download
memory/4384-234-0x0000000000000000-mapping.dmp

Download
memory/4384-254-0x00000000009E0000-0x0000000000A0D000-memory.dmp

Filesize
180KB

Download
memory/4904-238-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4904-230-0x00000000010A0000-0x000000000123B000-memory.dmp

Filesize
1.6MB

Download
memory/4904-229-0x0000000001500000-0x0000000001820000-memory.dmp

Filesize
3.1MB

Download
memory/4904-213-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4904-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-206-0x00000000004012B0-mapping.dmp

Download
memory/4904-232-0x00000000010A0000-0x000000000123B000-memory.dmp

Filesize
1.6MB

Download
memory/5088-164-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-185-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-186-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-184-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-182-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-183-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-181-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-179-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-180-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-178-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-177-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-176-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-175-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-174-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-173-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-172-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-171-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-170-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-168-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-167-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-165-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-166-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-163-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-161-0x0000000000000000-mapping.dmp

Download