formbook | d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-01-2023 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5edcf43ecc797a13c565d436c6a541c.exe
Size

264KB
MD5

c5edcf43ecc797a13c565d436c6a541c
SHA1

19df4c73ad340f89c0748031416c5a7fb4f9dabf
SHA256

d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436
SHA512

60938330a1613f8f1c61aff387593feeba47a6f240bb0e1320876507e278b99de3e0c6bd66c33d7f2183d750b277e1300ab312de465add258effb3023c505117
SSDEEP

6144:/Ya6nNcpeTPip2Ooh4U/W4+GGqAShPgsewR+7CRh76vNBxwo:/YVW8iQVhvJ+GxAig7G+7CD70zwo

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1472-66-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1180-73-0x0000000000080000-0x00000000000AC000-memory.dmp	xloader
behavioral1/memory/1180-78-0x0000000000080000-0x00000000000AC000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	raserver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JPMXV4SH940 = "C:\\Program Files (x86)\\M-z_\\gdiyhl0vfnh.exe"	raserver.exe

Executes dropped EXE 3 IoCs

Processes:

kyfhnzgx.exekyfhnzgx.exegdiyhl0vfnh.exe

pid process

1444 kyfhnzgx.exe
1472 kyfhnzgx.exe
1104 gdiyhl0vfnh.exe

pid	process
1444	kyfhnzgx.exe
1472	kyfhnzgx.exe
1104	gdiyhl0vfnh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kyfhnzgx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	kyfhnzgx.exe

Loads dropped DLL 7 IoCs

Processes:

c5edcf43ecc797a13c565d436c6a541c.exekyfhnzgx.exeWerFault.exe

pid	process
1584	c5edcf43ecc797a13c565d436c6a541c.exe
1584	c5edcf43ecc797a13c565d436c6a541c.exe
1444	kyfhnzgx.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kyfhnzgx.exekyfhnzgx.exeraserver.exe

description	pid	process	target process
PID 1444 set thread context of 1472	1444	kyfhnzgx.exe	kyfhnzgx.exe
PID 1472 set thread context of 1260	1472	kyfhnzgx.exe	Explorer.EXE
PID 1180 set thread context of 1260	1180	raserver.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

raserver.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe	raserver.exe
File created	C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

952 1104 WerFault.exe gdiyhl0vfnh.exe

pid	pid_target	process	target process
952	1104	WerFault.exe	gdiyhl0vfnh.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

kyfhnzgx.exeraserver.exe

pid	process
1472	kyfhnzgx.exe
1472	kyfhnzgx.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

kyfhnzgx.exekyfhnzgx.exeraserver.exe

pid process

1444 kyfhnzgx.exe
1472 kyfhnzgx.exe
1472 kyfhnzgx.exe
1472 kyfhnzgx.exe
1180 raserver.exe
1180 raserver.exe
1180 raserver.exe
1180 raserver.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

kyfhnzgx.exeraserver.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1472 kyfhnzgx.exe
Token: SeDebugPrivilege 1180 raserver.exe
Token: SeShutdownPrivilege 1260 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE

pid	process
1260	Explorer.EXE

pid	process
1444	kyfhnzgx.exe
1472	kyfhnzgx.exe
1472	kyfhnzgx.exe
1472	kyfhnzgx.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe
1180	raserver.exe

description	pid	process
Token: SeDebugPrivilege	1472	kyfhnzgx.exe
Token: SeDebugPrivilege	1180	raserver.exe
Token: SeShutdownPrivilege	1260	Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

c5edcf43ecc797a13c565d436c6a541c.exekyfhnzgx.exeExplorer.EXEraserver.exegdiyhl0vfnh.exe

description	pid	process	target process
PID 1584 wrote to memory of 1444	1584	c5edcf43ecc797a13c565d436c6a541c.exe	kyfhnzgx.exe
PID 1584 wrote to memory of 1444	1584	c5edcf43ecc797a13c565d436c6a541c.exe	kyfhnzgx.exe
PID 1584 wrote to memory of 1444	1584	c5edcf43ecc797a13c565d436c6a541c.exe	kyfhnzgx.exe
PID 1584 wrote to memory of 1444	1584	c5edcf43ecc797a13c565d436c6a541c.exe	kyfhnzgx.exe
PID 1444 wrote to memory of 1472	1444	kyfhnzgx.exe	kyfhnzgx.exe
PID 1444 wrote to memory of 1472	1444	kyfhnzgx.exe	kyfhnzgx.exe
PID 1444 wrote to memory of 1472	1444	kyfhnzgx.exe	kyfhnzgx.exe
PID 1444 wrote to memory of 1472	1444	kyfhnzgx.exe	kyfhnzgx.exe
PID 1444 wrote to memory of 1472	1444	kyfhnzgx.exe	kyfhnzgx.exe
PID 1260 wrote to memory of 1180	1260	Explorer.EXE	raserver.exe
PID 1260 wrote to memory of 1180	1260	Explorer.EXE	raserver.exe
PID 1260 wrote to memory of 1180	1260	Explorer.EXE	raserver.exe
PID 1260 wrote to memory of 1180	1260	Explorer.EXE	raserver.exe
PID 1180 wrote to memory of 1564	1180	raserver.exe	cmd.exe
PID 1180 wrote to memory of 1564	1180	raserver.exe	cmd.exe
PID 1180 wrote to memory of 1564	1180	raserver.exe	cmd.exe
PID 1180 wrote to memory of 1564	1180	raserver.exe	cmd.exe
PID 1180 wrote to memory of 364	1180	raserver.exe	Firefox.exe
PID 1180 wrote to memory of 364	1180	raserver.exe	Firefox.exe
PID 1180 wrote to memory of 364	1180	raserver.exe	Firefox.exe
PID 1180 wrote to memory of 364	1180	raserver.exe	Firefox.exe
PID 1180 wrote to memory of 364	1180	raserver.exe	Firefox.exe
PID 1260 wrote to memory of 1104	1260	Explorer.EXE	gdiyhl0vfnh.exe
PID 1260 wrote to memory of 1104	1260	Explorer.EXE	gdiyhl0vfnh.exe
PID 1260 wrote to memory of 1104	1260	Explorer.EXE	gdiyhl0vfnh.exe
PID 1260 wrote to memory of 1104	1260	Explorer.EXE	gdiyhl0vfnh.exe
PID 1104 wrote to memory of 952	1104	gdiyhl0vfnh.exe	WerFault.exe
PID 1104 wrote to memory of 952	1104	gdiyhl0vfnh.exe	WerFault.exe
PID 1104 wrote to memory of 952	1104	gdiyhl0vfnh.exe	WerFault.exe
PID 1104 wrote to memory of 952	1104	gdiyhl0vfnh.exe	WerFault.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe
"C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe" C:\Users\Admin\AppData\Local\Temp\guiaopyy.j
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"
3⤵
PID:1564

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:364

C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe
"C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 216
3⤵
- Loads dropped DLL
- Program crash
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\guiaopyy.j
Filesize
5KB

MD5
7dd82af1732e277c64b7f580fb68b3f8

SHA1
7f1cac07464b57d03eeba50d4371a6fbcaff1798

SHA256
237438a1c80ff20bb45e9a0b804322f2a3527f849bef2aaf406d18c189a44c0b

SHA512
0a675216d4e0a03165c3f3d11cd3d125b31624d93e4a901799b3066e691fc7dbf81aed86bea23e3167d230d880682c814b77e219f471ad770a43a28a1d496207

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\lufvp.o
Filesize
196KB

MD5
a69fcb977745da1e8892aed65f6a5a89

SHA1
32b35f70fc0d3686ea4ffc26f70c80a8ede70474

SHA256
108668a80bdff8cc56a95903d011d86410054cadbd4f52530a0ff9f4c0f0e24b

SHA512
21badfef569bfebcabf03ef5ab6061b4c723b241ccf69ff67ad5649ee1dda08b1bb99f43de0b43687841274356dafbe67a799c4cead6dd15309845c253e6a508

Download Submit
\Program Files (x86)\M-z_\gdiyhl0vfnh.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
\Program Files (x86)\M-z_\gdiyhl0vfnh.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
\Program Files (x86)\M-z_\gdiyhl0vfnh.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
\Program Files (x86)\M-z_\gdiyhl0vfnh.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
memory/952-83-0x0000000000000000-mapping.dmp

Download
memory/1104-80-0x0000000000000000-mapping.dmp

Download
memory/1180-73-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1180-75-0x0000000001F20000-0x0000000002223000-memory.dmp

Filesize
3.0MB

Download
memory/1180-76-0x0000000000850000-0x00000000008E0000-memory.dmp

Filesize
576KB

Download
memory/1180-78-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1180-72-0x0000000000B00000-0x0000000000B1C000-memory.dmp

Filesize
112KB

Download
memory/1180-70-0x0000000000000000-mapping.dmp

Download
memory/1260-69-0x0000000006850000-0x00000000069A0000-memory.dmp

Filesize
1.3MB

Download
memory/1260-77-0x0000000004BF0000-0x0000000004CAA000-memory.dmp

Filesize
744KB

Download
memory/1260-79-0x0000000004BF0000-0x0000000004CAA000-memory.dmp

Filesize
744KB

Download
memory/1444-57-0x0000000000000000-mapping.dmp

Download
memory/1472-67-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1472-68-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/1472-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1472-64-0x000000000041FF10-mapping.dmp

Download
memory/1564-74-0x0000000000000000-mapping.dmp

Download
memory/1584-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download