formbook | 1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5

Analysis

max time kernel
150s
max time network
134s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
06-12-2022 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5.exe
Size

414KB
MD5

dfdeda2af8f802749ea92a46f1a15eb0
SHA1

1d4e20830f0059222251681524b8d04e2ef06b6c
SHA256

1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5
SHA512

207f6dd61ddbdeb216b5fe0385c406d4819475e99378930645bbd97add3832732b71a15fcfd80175478ad8d1b06234822699fc39a6fc5f6e06930a1e1393e114
SSDEEP

6144:PBnxm/hZudIIuLpVS0GKkGhxi4Y9p8Q2GNpoWkzxVeQMXdipolitSnIFkAFWQ:LzdIZpQ0lk2x0KVzL8diClQq4kc

Score

10^/10

formbook h3ha rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3ha

Decoy

ideas-dulces.store

store1995.store

swuhn.com

ninideal.com

musiqhaus.com

quranchart.com

kszq26.club

lightfx.online

thetickettruth.com

meritloancubk.com

lawnforcement.com

sogeanetwork.com

thedinoexotics.com

kojima-ah.net

gr-myab3z.xyz

platiniuminestor.net

reviewsiske.com

stessil-lifestyle.com

goodqjourney.biz

cirimpianti.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4912-213-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4912-236-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4848-276-0x00000000026F0000-0x000000000271F000-memory.dmp	formbook
behavioral1/memory/4848-290-0x00000000026F0000-0x000000000271F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

acctrzf.exeacctrzf.exe

pid process

3284 acctrzf.exe
4912 acctrzf.exe

pid	process
3284	acctrzf.exe
4912	acctrzf.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

acctrzf.exeacctrzf.exerundll32.exe

description	pid	process	target process
PID 3284 set thread context of 4912	3284	acctrzf.exe	acctrzf.exe
PID 4912 set thread context of 3024	4912	acctrzf.exe	Explorer.EXE
PID 4912 set thread context of 3024	4912	acctrzf.exe	Explorer.EXE
PID 4848 set thread context of 3024	4848	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

acctrzf.exerundll32.exe

pid	process
4912	acctrzf.exe
4912	acctrzf.exe
4912	acctrzf.exe
4912	acctrzf.exe
4912	acctrzf.exe
4912	acctrzf.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

acctrzf.exeacctrzf.exerundll32.exe

pid process

3284 acctrzf.exe
4912 acctrzf.exe
4912 acctrzf.exe
4912 acctrzf.exe
4912 acctrzf.exe
4848 rundll32.exe
4848 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

acctrzf.exerundll32.exe

description pid process

Token: SeDebugPrivilege 4912 acctrzf.exe
Token: SeDebugPrivilege 4848 rundll32.exe

pid	process
3024	Explorer.EXE

pid	process
3284	acctrzf.exe
4912	acctrzf.exe
4912	acctrzf.exe
4912	acctrzf.exe
4912	acctrzf.exe
4848	rundll32.exe
4848	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4912	acctrzf.exe
Token: SeDebugPrivilege	4848	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5.exeacctrzf.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 2188 wrote to memory of 3284	2188	1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5.exe	acctrzf.exe
PID 2188 wrote to memory of 3284	2188	1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5.exe	acctrzf.exe
PID 2188 wrote to memory of 3284	2188	1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5.exe	acctrzf.exe
PID 3284 wrote to memory of 4912	3284	acctrzf.exe	acctrzf.exe
PID 3284 wrote to memory of 4912	3284	acctrzf.exe	acctrzf.exe
PID 3284 wrote to memory of 4912	3284	acctrzf.exe	acctrzf.exe
PID 3284 wrote to memory of 4912	3284	acctrzf.exe	acctrzf.exe
PID 3024 wrote to memory of 4848	3024	Explorer.EXE	rundll32.exe
PID 3024 wrote to memory of 4848	3024	Explorer.EXE	rundll32.exe
PID 3024 wrote to memory of 4848	3024	Explorer.EXE	rundll32.exe
PID 4848 wrote to memory of 4040	4848	rundll32.exe	cmd.exe
PID 4848 wrote to memory of 4040	4848	rundll32.exe	cmd.exe
PID 4848 wrote to memory of 4040	4848	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5.exe
"C:\Users\Admin\AppData\Local\Temp\1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
"C:\Users\Admin\AppData\Local\Temp\acctrzf.exe" C:\Users\Admin\AppData\Local\Temp\dvfsb.ah
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
"C:\Users\Admin\AppData\Local\Temp\acctrzf.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4816

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3588

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4208

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4216

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4436

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4232

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1532

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:332

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:388

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1436

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1592

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4252

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4240

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:520

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4972

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:5008

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:776

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4156

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4172

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4828

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\acctrzf.exe"
3⤵
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
Filesize
12KB

MD5
5df671fb2017fb9635b893743c8bea04

SHA1
b907492f85ec36f632c471b5acec7cd5a1bb6487

SHA256
7bdc4755f7bf0e566b69440fb54722b4a780d55a952ddab686eb174f47c8cabb

SHA512
ba9d9a0d078adb507bd737415704d9732e1e4658f21f7aca75929ffc33a7b7ad09130b48d60f19294c5b3d15df0ba5c578410258ec62116d764f669d764b7fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
Filesize
12KB

MD5
5df671fb2017fb9635b893743c8bea04

SHA1
b907492f85ec36f632c471b5acec7cd5a1bb6487

SHA256
7bdc4755f7bf0e566b69440fb54722b4a780d55a952ddab686eb174f47c8cabb

SHA512
ba9d9a0d078adb507bd737415704d9732e1e4658f21f7aca75929ffc33a7b7ad09130b48d60f19294c5b3d15df0ba5c578410258ec62116d764f669d764b7fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
Filesize
12KB

MD5
5df671fb2017fb9635b893743c8bea04

SHA1
b907492f85ec36f632c471b5acec7cd5a1bb6487

SHA256
7bdc4755f7bf0e566b69440fb54722b4a780d55a952ddab686eb174f47c8cabb

SHA512
ba9d9a0d078adb507bd737415704d9732e1e4658f21f7aca75929ffc33a7b7ad09130b48d60f19294c5b3d15df0ba5c578410258ec62116d764f669d764b7fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvfsb.ah
Filesize
5KB

MD5
11a7bbf818c66ff345b63a0382c1696f

SHA1
5fa8e53822f31d7fd03e6948c3207105ce07c59b

SHA256
9fc7eb7e06c9fd5a4d48406627f1acd38b8f26600c94a8b675b79b31164e9fb0

SHA512
f35290e495994286d5f09ded0f00f40dd36be12ecaf4e6bfe8cd4aaa83e7d1524f77a690539f14f2fe26c0870049a75e898a1545e7a3ed7d441aee470d0753ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcuwygjbwxy.sr
Filesize
185KB

MD5
a5490791e10f0649f71b7e9296426565

SHA1
30f3cad402dfec9ec12777685b417097b340d035

SHA256
12af2ff9d43b37956e860620f34977c9325b8f9945ef760dd531b00fbdbb0efd

SHA512
e251bc764952220382e5432fd89debc3d0f7c917ee8da18ab24a954fccc8b022b4cf603f667a7585d580cdea9fd65ae4980d3fb8a822d9366439c41052eb9235

Download Submit
memory/2188-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3024-233-0x00000000026D0000-0x00000000027AF000-memory.dmp

Filesize
892KB

Download
memory/3024-231-0x0000000004F60000-0x0000000005085000-memory.dmp

Filesize
1.1MB

Download
memory/3024-287-0x00000000026D0000-0x00000000027AF000-memory.dmp

Filesize
892KB

Download
memory/3024-289-0x0000000005100000-0x0000000005235000-memory.dmp

Filesize
1.2MB

Download
memory/3024-292-0x0000000005100000-0x0000000005235000-memory.dmp

Filesize
1.2MB

Download
memory/3284-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-161-0x0000000000000000-mapping.dmp

Download
memory/3284-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4040-277-0x0000000000000000-mapping.dmp

Download
memory/4848-275-0x0000000000170000-0x0000000000183000-memory.dmp

Filesize
76KB

Download
memory/4848-234-0x0000000000000000-mapping.dmp

Download
memory/4848-276-0x00000000026F0000-0x000000000271F000-memory.dmp

Filesize
188KB

Download
memory/4848-283-0x00000000044A0000-0x00000000047C0000-memory.dmp

Filesize
3.1MB

Download
memory/4848-288-0x0000000004160000-0x00000000042F4000-memory.dmp

Filesize
1.6MB

Download
memory/4848-290-0x00000000026F0000-0x000000000271F000-memory.dmp

Filesize
188KB

Download
memory/4848-291-0x0000000004160000-0x00000000042F4000-memory.dmp

Filesize
1.6MB

Download
memory/4912-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-232-0x0000000000E00000-0x0000000000F9A000-memory.dmp

Filesize
1.6MB

Download
memory/4912-230-0x0000000000E00000-0x0000000000F9A000-memory.dmp

Filesize
1.6MB

Download
memory/4912-229-0x0000000000FA0000-0x00000000012C0000-memory.dmp

Filesize
3.1MB

Download
memory/4912-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-206-0x000000000041F0D0-mapping.dmp

Download