formbook | 1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2022 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c974d9519a2bfe890a2fd763224d1e7.exe
Size

333KB
MD5

4c974d9519a2bfe890a2fd763224d1e7
SHA1

2e88feb98658d7ffee549438453aef2bc162b115
SHA256

1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71
SHA512

fbfccf98cf6cd86715c7990c31c1a3865ea5833f471cb198bf0bf523583e540f25b285022cecb40d97a93b230b5c89f566699f3c70382af03d13327854da5b27
SSDEEP

6144:9kw4zSWT5nfPUV3IyLOCJ8a2e8/rBpAUfoyrlAtn/3lxS5qr:k38RIyLG88TBawZi/3lkO

Score

10^/10

formbook dwdp persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.exe

pid process

2920 wyziyqqllh.exe
3340 wyziyqqllh.exe

pid	process
2920	wyziyqqllh.exe
3340	wyziyqqllh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wyziyqqllh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wyziyqqllh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wyziyqqllh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aecgru = "C:\\Users\\Admin\\AppData\\Roaming\\lcdobatkse\\puisxyjyut.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wyziyqqllh.exe\" C:\\Users\\Admin\\AppData"	wyziyqqllh.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.exemstsc.exe

description	pid	process	target process
PID 2920 set thread context of 3340	2920	wyziyqqllh.exe	wyziyqqllh.exe
PID 3340 set thread context of 2948	3340	wyziyqqllh.exe	Explorer.EXE
PID 1364 set thread context of 2948	1364	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

wyziyqqllh.exemstsc.exe

pid	process
3340	wyziyqqllh.exe
3340	wyziyqqllh.exe
3340	wyziyqqllh.exe
3340	wyziyqqllh.exe
3340	wyziyqqllh.exe
3340	wyziyqqllh.exe
3340	wyziyqqllh.exe
3340	wyziyqqllh.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2948 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.exemstsc.exe

pid process

2920 wyziyqqllh.exe
3340 wyziyqqllh.exe
3340 wyziyqqllh.exe
3340 wyziyqqllh.exe
1364 mstsc.exe
1364 mstsc.exe
1364 mstsc.exe
1364 mstsc.exe

pid	process
2948	Explorer.EXE

pid	process
2920	wyziyqqllh.exe
3340	wyziyqqllh.exe
3340	wyziyqqllh.exe
3340	wyziyqqllh.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe
1364	mstsc.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

wyziyqqllh.exemstsc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3340	wyziyqqllh.exe
Token: SeDebugPrivilege	1364	mstsc.exe
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

4c974d9519a2bfe890a2fd763224d1e7.exewyziyqqllh.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 5052 wrote to memory of 2920	5052	4c974d9519a2bfe890a2fd763224d1e7.exe	wyziyqqllh.exe
PID 5052 wrote to memory of 2920	5052	4c974d9519a2bfe890a2fd763224d1e7.exe	wyziyqqllh.exe
PID 5052 wrote to memory of 2920	5052	4c974d9519a2bfe890a2fd763224d1e7.exe	wyziyqqllh.exe
PID 2920 wrote to memory of 3340	2920	wyziyqqllh.exe	wyziyqqllh.exe
PID 2920 wrote to memory of 3340	2920	wyziyqqllh.exe	wyziyqqllh.exe
PID 2920 wrote to memory of 3340	2920	wyziyqqllh.exe	wyziyqqllh.exe
PID 2920 wrote to memory of 3340	2920	wyziyqqllh.exe	wyziyqqllh.exe
PID 2948 wrote to memory of 1364	2948	Explorer.EXE	mstsc.exe
PID 2948 wrote to memory of 1364	2948	Explorer.EXE	mstsc.exe
PID 2948 wrote to memory of 1364	2948	Explorer.EXE	mstsc.exe
PID 1364 wrote to memory of 4720	1364	mstsc.exe	Firefox.exe
PID 1364 wrote to memory of 4720	1364	mstsc.exe	Firefox.exe
PID 1364 wrote to memory of 4720	1364	mstsc.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\4c974d9519a2bfe890a2fd763224d1e7.exe
"C:\Users\Admin\AppData\Local\Temp\4c974d9519a2bfe890a2fd763224d1e7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe" C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnn
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:616

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:944

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:532

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1696

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2328

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fugegefct.s
Filesize
185KB

MD5
2375912c75db13281f3bfc9c3ddf7646

SHA1
9955467017fcb057d1ca868db84f4f7ebc31fd45

SHA256
f9cdfa1edf4a5f85d8ddaae338fc550580ff5094eed1507c9beca4097298d861

SHA512
56242ec311c00540ebee80b661fb3fcf8674635d48675b17e1de677271ab997f3ae057f009cf34654b5241b11e1a3f0d97f8f99be4e78a4b32b519a7695e5256

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnn
Filesize
7KB

MD5
2c406815d04080e2fa43ba9e99ceabd3

SHA1
27b0f2b81e15d7715867accb5fa68f8c8f4ea209

SHA256
b70fa69ab56821b4902e9922d786948c5673440e0f8dd5403385d96d0167cee4

SHA512
32df91288abf935fb71e1fa04beeed0d945877f2ed2830fd7068344523371a05bc5fe973f475e8a1f9b5d95f50ca4ae9ab75a5182a063476209f2cb22b6c9b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
memory/1364-146-0x00000000008C0000-0x00000000009FA000-memory.dmp

Filesize
1.2MB

Download
memory/1364-144-0x0000000000000000-mapping.dmp

Download
memory/1364-151-0x0000000001290000-0x00000000012BD000-memory.dmp

Filesize
180KB

Download
memory/1364-149-0x0000000003030000-0x00000000030BF000-memory.dmp

Filesize
572KB

Download
memory/1364-148-0x00000000031D0000-0x000000000351A000-memory.dmp

Filesize
3.3MB

Download
memory/1364-147-0x0000000001290000-0x00000000012BD000-memory.dmp

Filesize
180KB

Download
memory/2920-132-0x0000000000000000-mapping.dmp

Download
memory/2948-174-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/2948-181-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-218-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/2948-217-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/2948-216-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2948-215-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-150-0x0000000007CE0000-0x0000000007E32000-memory.dmp

Filesize
1.3MB

Download
memory/2948-214-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-152-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-153-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-154-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-155-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-156-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-157-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-158-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-159-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-160-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-162-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-163-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-161-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-164-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-165-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-166-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-167-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-168-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-169-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/2948-170-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/2948-171-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/2948-172-0x0000000007CE0000-0x0000000007E32000-memory.dmp

Filesize
1.3MB

Download
memory/2948-173-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/2948-143-0x00000000028E0000-0x00000000029A9000-memory.dmp

Filesize
804KB

Download
memory/2948-175-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-176-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-177-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-178-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-179-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-180-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-213-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-182-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-183-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-184-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-185-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-186-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-187-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-188-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-189-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-190-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-191-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-192-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2948-193-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2948-194-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2948-195-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2948-196-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2948-197-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2948-198-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2948-199-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-200-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-201-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-202-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-203-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-204-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-205-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-206-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-210-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-209-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-208-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-207-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-211-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-212-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/3340-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-137-0x0000000000000000-mapping.dmp

Download
memory/3340-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-141-0x0000000000A00000-0x0000000000D4A000-memory.dmp

Filesize
3.3MB

Download
memory/3340-142-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download