formbook | d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436

Analysis

max time kernel
149s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
27-01-2023 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exe
Size

264KB
MD5

c5edcf43ecc797a13c565d436c6a541c
SHA1

19df4c73ad340f89c0748031416c5a7fb4f9dabf
SHA256

d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436
SHA512

60938330a1613f8f1c61aff387593feeba47a6f240bb0e1320876507e278b99de3e0c6bd66c33d7f2183d750b277e1300ab312de465add258effb3023c505117
SSDEEP

6144:/Ya6nNcpeTPip2Ooh4U/W4+GGqAShPgsewR+7CRh76vNBxwo:/YVW8iQVhvJ+GxAig7G+7CD70zwo

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2772-216-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/2772-240-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/4176-285-0x00000000001B0000-0x00000000001DC000-memory.dmp	xloader
behavioral1/memory/4176-288-0x0000000003FA0000-0x000000000412D000-memory.dmp	xloader
behavioral1/memory/4176-290-0x00000000001B0000-0x00000000001DC000-memory.dmp	xloader
behavioral1/memory/4176-291-0x0000000003FA0000-0x000000000412D000-memory.dmp	xloader

Executes dropped EXE 3 IoCs

Processes:

kyfhnzgx.exekyfhnzgx.exeregsvcd8tpu.exe

pid process

1724 kyfhnzgx.exe
2772 kyfhnzgx.exe
4724 regsvcd8tpu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kyfhnzgx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation	kyfhnzgx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZJO04ZIXVF = "C:\\Program Files (x86)\\Fvnu\\regsvcd8tpu.exe"	rundll32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

kyfhnzgx.exekyfhnzgx.exerundll32.exe

description	pid	process	target process
PID 1724 set thread context of 2772	1724	kyfhnzgx.exe	kyfhnzgx.exe
PID 2772 set thread context of 3152	2772	kyfhnzgx.exe	Explorer.EXE
PID 2772 set thread context of 3152	2772	kyfhnzgx.exe	Explorer.EXE
PID 4176 set thread context of 3152	4176	rundll32.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

rundll32.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Fvnu	Explorer.EXE
File created	C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

584 4724 WerFault.exe regsvcd8tpu.exe

pid	pid_target	process	target process
584	4724	WerFault.exe	regsvcd8tpu.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3844063266-715245855-4050956231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

kyfhnzgx.exerundll32.exe

pid	process
2772	kyfhnzgx.exe
2772	kyfhnzgx.exe
2772	kyfhnzgx.exe
2772	kyfhnzgx.exe
2772	kyfhnzgx.exe
2772	kyfhnzgx.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3152 Explorer.EXE

pid	process
3152	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

kyfhnzgx.exekyfhnzgx.exerundll32.exe

pid	process
1724	kyfhnzgx.exe
2772	kyfhnzgx.exe
2772	kyfhnzgx.exe
2772	kyfhnzgx.exe
2772	kyfhnzgx.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe
4176	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

kyfhnzgx.exerundll32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2772	kyfhnzgx.exe
Token: SeDebugPrivilege	4176	rundll32.exe
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exekyfhnzgx.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 2248 wrote to memory of 1724	2248	d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exe	kyfhnzgx.exe
PID 2248 wrote to memory of 1724	2248	d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exe	kyfhnzgx.exe
PID 2248 wrote to memory of 1724	2248	d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exe	kyfhnzgx.exe
PID 1724 wrote to memory of 2772	1724	kyfhnzgx.exe	kyfhnzgx.exe
PID 1724 wrote to memory of 2772	1724	kyfhnzgx.exe	kyfhnzgx.exe
PID 1724 wrote to memory of 2772	1724	kyfhnzgx.exe	kyfhnzgx.exe
PID 1724 wrote to memory of 2772	1724	kyfhnzgx.exe	kyfhnzgx.exe
PID 3152 wrote to memory of 4176	3152	Explorer.EXE	rundll32.exe
PID 3152 wrote to memory of 4176	3152	Explorer.EXE	rundll32.exe
PID 3152 wrote to memory of 4176	3152	Explorer.EXE	rundll32.exe
PID 4176 wrote to memory of 3816	4176	rundll32.exe	cmd.exe
PID 4176 wrote to memory of 3816	4176	rundll32.exe	cmd.exe
PID 4176 wrote to memory of 3816	4176	rundll32.exe	cmd.exe
PID 4176 wrote to memory of 4084	4176	rundll32.exe	cmd.exe
PID 4176 wrote to memory of 4084	4176	rundll32.exe	cmd.exe
PID 4176 wrote to memory of 4084	4176	rundll32.exe	cmd.exe
PID 4176 wrote to memory of 4596	4176	rundll32.exe	Firefox.exe
PID 4176 wrote to memory of 4596	4176	rundll32.exe	Firefox.exe
PID 4176 wrote to memory of 4596	4176	rundll32.exe	Firefox.exe
PID 3152 wrote to memory of 4724	3152	Explorer.EXE	regsvcd8tpu.exe
PID 3152 wrote to memory of 4724	3152	Explorer.EXE	regsvcd8tpu.exe
PID 3152 wrote to memory of 4724	3152	Explorer.EXE	regsvcd8tpu.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exe
"C:\Users\Admin\AppData\Local\Temp\d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe" C:\Users\Admin\AppData\Local\Temp\guiaopyy.j
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"
3⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:4084

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4596

C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe
"C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe"
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 532
3⤵
- Program crash
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\guiaopyy.j
Filesize
5KB

MD5
7dd82af1732e277c64b7f580fb68b3f8

SHA1
7f1cac07464b57d03eeba50d4371a6fbcaff1798

SHA256
237438a1c80ff20bb45e9a0b804322f2a3527f849bef2aaf406d18c189a44c0b

SHA512
0a675216d4e0a03165c3f3d11cd3d125b31624d93e4a901799b3066e691fc7dbf81aed86bea23e3167d230d880682c814b77e219f471ad770a43a28a1d496207

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
Filesize
81KB

MD5
85af329a0a06c1401e60a9c02d060948

SHA1
d83acc707040401fe1d88570608e8e8f05589944

SHA256
79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d

SHA512
f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\lufvp.o
Filesize
196KB

MD5
a69fcb977745da1e8892aed65f6a5a89

SHA1
32b35f70fc0d3686ea4ffc26f70c80a8ede70474

SHA256
108668a80bdff8cc56a95903d011d86410054cadbd4f52530a0ff9f4c0f0e24b

SHA512
21badfef569bfebcabf03ef5ab6061b4c723b241ccf69ff67ad5649ee1dda08b1bb99f43de0b43687841274356dafbe67a799c4cead6dd15309845c253e6a508

Download Submit
memory/1724-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-165-0x0000000000000000-mapping.dmp

Download
memory/1724-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-235-0x0000000002770000-0x0000000002781000-memory.dmp

Filesize
68KB

Download
memory/2772-209-0x000000000041FF10-mapping.dmp

Download
memory/2772-240-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2772-216-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2772-232-0x0000000000A00000-0x0000000000D20000-memory.dmp

Filesize
3.1MB

Download
memory/2772-233-0x0000000000870000-0x0000000000A00000-memory.dmp

Filesize
1.6MB

Download
memory/3152-289-0x00000000063E0000-0x0000000006517000-memory.dmp

Filesize
1.2MB

Download
memory/3152-234-0x0000000005FE0000-0x000000000610D000-memory.dmp

Filesize
1.2MB

Download
memory/3152-236-0x00000000061E0000-0x0000000006337000-memory.dmp

Filesize
1.3MB

Download
memory/3152-292-0x00000000063E0000-0x0000000006517000-memory.dmp

Filesize
1.2MB

Download
memory/3816-278-0x0000000000000000-mapping.dmp

Download
memory/4084-314-0x0000000000000000-mapping.dmp

Download
memory/4176-290-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/4176-291-0x0000000003FA0000-0x000000000412D000-memory.dmp

Filesize
1.6MB

Download
memory/4176-288-0x0000000003FA0000-0x000000000412D000-memory.dmp

Filesize
1.6MB

Download
memory/4176-286-0x00000000042D0000-0x00000000045F0000-memory.dmp

Filesize
3.1MB

Download
memory/4176-284-0x0000000000B80000-0x0000000000B93000-memory.dmp

Filesize
76KB

Download
memory/4176-285-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/4176-237-0x0000000000000000-mapping.dmp

Download
memory/4724-331-0x0000000000000000-mapping.dmp

Download