formbook | 58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan005510.js
Size

5.3MB
MD5

dcdd70327905af1b3bee089b4f47a343
SHA1

fc26fd4b71a7d6f94d191eca8ad1e4303a679075
SHA256

58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea
SHA512

befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef
SSDEEP

6144:XgHrlNOv7uIeLpJMaO/lfSiSiV/r3ZPuK/v4lOVdMorRpVDBqP3nvBrXQklUOu6z:iPB

Score

10^/10

formbook guloader wshrat me15 downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

me15

Decoy

thegrill253.com

arthousecorp.com

acre-com.com

dreambarnhollow.com

winwin220693.online

shinohtrade.com

blockcchain.help

8hx3.vip

lifeshinelearning.com

havencoinvestmentgroup.com

thebesthomehacks.com

the-country-wiki.com

xskt.club

sunrisemedia.space

crecrown.com

0hpail.cyou

artwelding.store

psilome.com

layerbabuena.club

miras.shop

Extracted

Family

wshrat

http://45.90.222.131:7121

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4796-181-0x0000000000400000-0x0000000001654000-memory.dmp	formbook
behavioral2/memory/3740-193-0x0000000000E40000-0x0000000000E6F000-memory.dmp	formbook
behavioral2/memory/3740-199-0x0000000000E40000-0x0000000000E6F000-memory.dmp	formbook

Blocklisted process makes network request 20 IoCs

flow	pid	Process
33	5096	wscript.exe
37	4964	wscript.exe
39	4964	wscript.exe
40	4964	wscript.exe
49	4964	wscript.exe
50	4964	wscript.exe
64	4964	wscript.exe
65	4964	wscript.exe
72	4964	wscript.exe
73	4964	wscript.exe
77	4964	wscript.exe
78	4964	wscript.exe
81	4964	wscript.exe
83	4964	wscript.exe
87	4964	wscript.exe
88	4964	wscript.exe
90	4964	wscript.exe
92	4964	wscript.exe
93	4964	wscript.exe
98	4964	wscript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Gobiid.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Gobiid.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005510.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005510.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1932	Gobiid.exe

Loads dropped DLL 3 IoCs

pid	Process
1932	Gobiid.exe
1932	Gobiid.exe
4796	Gobiid.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005510 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan005510.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005510 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan005510.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005510 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan005510.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005510 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan005510.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4796	Gobiid.exe
4796	Gobiid.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1932	Gobiid.exe
4796	Gobiid.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 4796	1932	Gobiid.exe	99
PID 4796 set thread context of 760	4796	Gobiid.exe	30
PID 3740 set thread context of 760	3740	wlanext.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 19 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	65	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	77	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	81	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	83	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	92	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	98	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	50	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	49	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	72	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	87	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	88	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	93	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	40	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	64	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	78	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	90	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	73	WSHRAT\|BE22C2A7\|YACSFKWT\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4796	Gobiid.exe
4796	Gobiid.exe
4796	Gobiid.exe
4796	Gobiid.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe
3740	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
760	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1932	Gobiid.exe
4796	Gobiid.exe
4796	Gobiid.exe
4796	Gobiid.exe
3740	wlanext.exe
3740	wlanext.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	Gobiid.exe
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE
Token: SeDebugPrivilege	3740	wlanext.exe
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE
Token: SeShutdownPrivilege	760	Explorer.EXE
Token: SeCreatePagefilePrivilege	760	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
760	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4964	5096	wscript.exe	92
PID 5096 wrote to memory of 4964	5096	wscript.exe	92
PID 4964 wrote to memory of 1932	4964	wscript.exe	95
PID 4964 wrote to memory of 1932	4964	wscript.exe	95
PID 4964 wrote to memory of 1932	4964	wscript.exe	95
PID 1932 wrote to memory of 4796	1932	Gobiid.exe	99
PID 1932 wrote to memory of 4796	1932	Gobiid.exe	99
PID 1932 wrote to memory of 4796	1932	Gobiid.exe	99
PID 1932 wrote to memory of 4796	1932	Gobiid.exe	99
PID 760 wrote to memory of 3740	760	Explorer.EXE	102
PID 760 wrote to memory of 3740	760	Explorer.EXE	102
PID 760 wrote to memory of 3740	760	Explorer.EXE	102
PID 3740 wrote to memory of 4036	3740	wlanext.exe	103
PID 3740 wrote to memory of 4036	3740	wlanext.exe	103
PID 3740 wrote to memory of 4036	3740	wlanext.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan005510.js
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scan005510.js"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Users\Admin\AppData\Roaming\Gobiid.exe
      "C:\Users\Admin\AppData\Roaming\Gobiid.exe"
      4⤵
      Checks QEMU agent file
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Users\Admin\AppData\Roaming\Gobiid.exe
        
        "C:\Users\Admin\AppData\Roaming\Gobiid.exe"
        5⤵
        Checks QEMU agent file
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4464
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\Gobiid.exe"
    3⤵
    PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl94A1.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl94A1.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl94A1.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Roaming\Gobiid.exe

Filesize
471KB

MD5
2ac363924422db721825e34bccfad5cc

SHA1
22f2163826bc7f585d7ab0e55551e11d418afd31

SHA256
67c9cd193f85637de60b33b0253e89d5e95e7f263683bfa49e5e1b3745d695db

SHA512
3b82a463be8d0ddb2fba006c0880f19b54f8bb88090f6effb69d62dbea0f6a038ce5dffc2808bcea24513be3c23b7dcbe5db3ad334a20a94586e20801f450156

Download Submit
C:\Users\Admin\AppData\Roaming\Gobiid.exe

Filesize
471KB

MD5
2ac363924422db721825e34bccfad5cc

SHA1
22f2163826bc7f585d7ab0e55551e11d418afd31

SHA256
67c9cd193f85637de60b33b0253e89d5e95e7f263683bfa49e5e1b3745d695db

SHA512
3b82a463be8d0ddb2fba006c0880f19b54f8bb88090f6effb69d62dbea0f6a038ce5dffc2808bcea24513be3c23b7dcbe5db3ad334a20a94586e20801f450156

Download Submit
C:\Users\Admin\AppData\Roaming\Gobiid.exe

Filesize
471KB

MD5
2ac363924422db721825e34bccfad5cc

SHA1
22f2163826bc7f585d7ab0e55551e11d418afd31

SHA256
67c9cd193f85637de60b33b0253e89d5e95e7f263683bfa49e5e1b3745d695db

SHA512
3b82a463be8d0ddb2fba006c0880f19b54f8bb88090f6effb69d62dbea0f6a038ce5dffc2808bcea24513be3c23b7dcbe5db3ad334a20a94586e20801f450156

Download Submit
C:\Users\Admin\AppData\Roaming\Gobiid.exe

Filesize
471KB

MD5
2ac363924422db721825e34bccfad5cc

SHA1
22f2163826bc7f585d7ab0e55551e11d418afd31

SHA256
67c9cd193f85637de60b33b0253e89d5e95e7f263683bfa49e5e1b3745d695db

SHA512
3b82a463be8d0ddb2fba006c0880f19b54f8bb88090f6effb69d62dbea0f6a038ce5dffc2808bcea24513be3c23b7dcbe5db3ad334a20a94586e20801f450156

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005510.js

Filesize
5.3MB

MD5
dcdd70327905af1b3bee089b4f47a343

SHA1
fc26fd4b71a7d6f94d191eca8ad1e4303a679075

SHA256
58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea

SHA512
befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef

Download Submit
C:\Users\Admin\AppData\Roaming\Scan005510.js

Filesize
5.3MB

MD5
dcdd70327905af1b3bee089b4f47a343

SHA1
fc26fd4b71a7d6f94d191eca8ad1e4303a679075

SHA256
58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea

SHA512
befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef

Download Submit
C:\Users\Admin\AppData\Roaming\Scan005510.js

Filesize
5.3MB

MD5
dcdd70327905af1b3bee089b4f47a343

SHA1
fc26fd4b71a7d6f94d191eca8ad1e4303a679075

SHA256
58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea

SHA512
befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef

Download Submit
memory/760-261-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-264-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-293-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-292-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-289-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-290-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-286-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-287-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-288-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-285-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/760-284-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-283-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-281-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-279-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-274-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/760-192-0x00000000080D0000-0x00000000081D3000-memory.dmp

Filesize
1.0MB

Download
memory/760-275-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-230-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-277-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-273-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-272-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-271-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/760-270-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-203-0x0000000008450000-0x00000000085A3000-memory.dmp

Filesize
1.3MB

Download
memory/760-204-0x0000000008450000-0x00000000085A3000-memory.dmp

Filesize
1.3MB

Download
memory/760-205-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-225-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-208-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-207-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/760-209-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-210-0x0000000008450000-0x00000000085A3000-memory.dmp

Filesize
1.3MB

Download
memory/760-213-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-212-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-214-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-216-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-217-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-219-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-220-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/760-221-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-222-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-224-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-223-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/760-238-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-206-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-269-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-228-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/760-227-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-232-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-233-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-234-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-236-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-235-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/760-226-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-239-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-242-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-240-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-243-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-244-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/760-258-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-259-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-260-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/760-267-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-262-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-263-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/760-265-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/1932-163-0x0000000077391000-0x00000000774B1000-memory.dmp

Filesize
1.1MB

Download
memory/1932-165-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1932-164-0x0000000077391000-0x00000000774B1000-memory.dmp

Filesize
1.1MB

Download
memory/3740-186-0x0000000000E20000-0x0000000000E37000-memory.dmp

Filesize
92KB

Download
memory/3740-193-0x0000000000E40000-0x0000000000E6F000-memory.dmp

Filesize
188KB

Download
memory/3740-202-0x0000000001360000-0x00000000013F4000-memory.dmp

Filesize
592KB

Download
memory/3740-199-0x0000000000E40000-0x0000000000E6F000-memory.dmp

Filesize
188KB

Download
memory/3740-194-0x00000000014C0000-0x000000000180A000-memory.dmp

Filesize
3.3MB

Download
memory/3740-184-0x0000000000E20000-0x0000000000E37000-memory.dmp

Filesize
92KB

Download
memory/4796-196-0x0000000036EC0000-0x000000003720A000-memory.dmp

Filesize
3.3MB

Download
memory/4796-195-0x0000000077391000-0x00000000774B1000-memory.dmp

Filesize
1.1MB

Download
memory/4796-191-0x0000000036CB0000-0x0000000036CC5000-memory.dmp

Filesize
84KB

Download
memory/4796-181-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-180-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-179-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-178-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-177-0x0000000001660000-0x000000000685C000-memory.dmp

Filesize
82.0MB

Download
memory/4796-175-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-171-0x0000000077418000-0x0000000077419000-memory.dmp

Filesize
4KB

Download
memory/4796-170-0x0000000077391000-0x00000000774B1000-memory.dmp

Filesize
1.1MB

Download
memory/4796-167-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-182-0x0000000001660000-0x000000000685C000-memory.dmp

Filesize
82.0MB

Download