formbook | dd508146ad5a649b3a7b95f241f645406052d7d7df9479246a9bb5f721505a99

Analysis

max time kernel
146s
max time network
138s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/08/2023, 10:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Quotation.xls
Size

1.7MB
MD5

91b74843c1331a494baed98c8234bc95
SHA1

424fc6c1b33f666d8b6ad211cef14714d45aa513
SHA256

dd508146ad5a649b3a7b95f241f645406052d7d7df9479246a9bb5f721505a99
SHA512

34fee3770255c2750d43c0fd44e17fc6f17f4e91b12d3896c1093864cb62420f6bbfe6b6edb0ebd3439bf6e846d7015601620a35fc6160fbf9044cca143b96dd
SSDEEP

24576:9LQqSXdQp/XX46rg1HiA+6bvdXXXXXXXXXXXXUXXXXXXXXXXXXXXXX5XLQqSXdQ8:90XdOwBEl680XdOwBExre4ErDcF3BO

Score

10^/10

formbook gs22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs22

Decoy

maneoftheface.com

geektechbuzz.com

gptprivate.website

onivixo.com

jasabuatlapangan.com

sapinfoblog.com

likesmind.com

carnivoroussnacks.com

thuglifetokens.app

inclinewellness.com

stickewrstashoutlet.com

1wjmsd.top

marketmall1.com

elchaparralderevenga.com

charlestonrvresort.com

immigrationsouthkorea.com

tswwvbuw.click

propmeellc.com

amusant.xyz

xc14265.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/532-175-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/532-182-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/532-191-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1540-198-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1540-200-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	2148	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2464	dasHost.exe
532	dasHost.exe

Loads dropped DLL 3 IoCs

pid	Process
2148	EQNEDT32.EXE
2148	EQNEDT32.EXE
2464	dasHost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 532	2464	dasHost.exe	40
PID 532 set thread context of 1388	532	dasHost.exe	13
PID 532 set thread context of 1388	532	dasHost.exe	13
PID 1540 set thread context of 1388	1540	NETSTAT.EXE	13

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1080	schtasks.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1540	NETSTAT.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2148	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-722410544-1258951091-1992882075-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2396	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
532	dasHost.exe
532	dasHost.exe
524	powershell.exe
532	dasHost.exe
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
532	dasHost.exe
532	dasHost.exe
532	dasHost.exe
532	dasHost.exe
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	dasHost.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	1540	NETSTAT.EXE
Token: SeShutdownPrivilege	1388	Explorer.EXE
Token: SeShutdownPrivilege	1388	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
3052	WINWORD.EXE
3052	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2464	2148	EQNEDT32.EXE	31
PID 2148 wrote to memory of 2464	2148	EQNEDT32.EXE	31
PID 2148 wrote to memory of 2464	2148	EQNEDT32.EXE	31
PID 2148 wrote to memory of 2464	2148	EQNEDT32.EXE	31
PID 3052 wrote to memory of 1768	3052	WINWORD.EXE	32
PID 3052 wrote to memory of 1768	3052	WINWORD.EXE	32
PID 3052 wrote to memory of 1768	3052	WINWORD.EXE	32
PID 3052 wrote to memory of 1768	3052	WINWORD.EXE	32
PID 2464 wrote to memory of 524	2464	dasHost.exe	36
PID 2464 wrote to memory of 524	2464	dasHost.exe	36
PID 2464 wrote to memory of 524	2464	dasHost.exe	36
PID 2464 wrote to memory of 524	2464	dasHost.exe	36
PID 2464 wrote to memory of 1080	2464	dasHost.exe	38
PID 2464 wrote to memory of 1080	2464	dasHost.exe	38
PID 2464 wrote to memory of 1080	2464	dasHost.exe	38
PID 2464 wrote to memory of 1080	2464	dasHost.exe	38
PID 2464 wrote to memory of 532	2464	dasHost.exe	40
PID 2464 wrote to memory of 532	2464	dasHost.exe	40
PID 2464 wrote to memory of 532	2464	dasHost.exe	40
PID 2464 wrote to memory of 532	2464	dasHost.exe	40
PID 2464 wrote to memory of 532	2464	dasHost.exe	40
PID 2464 wrote to memory of 532	2464	dasHost.exe	40
PID 2464 wrote to memory of 532	2464	dasHost.exe	40
PID 532 wrote to memory of 1540	532	dasHost.exe	41
PID 532 wrote to memory of 1540	532	dasHost.exe	41
PID 532 wrote to memory of 1540	532	dasHost.exe	41
PID 532 wrote to memory of 1540	532	dasHost.exe	41
PID 1540 wrote to memory of 2804	1540	NETSTAT.EXE	42
PID 1540 wrote to memory of 2804	1540	NETSTAT.EXE	42
PID 1540 wrote to memory of 2804	1540	NETSTAT.EXE	42
PID 1540 wrote to memory of 2804	1540	NETSTAT.EXE	42
PID 1540 wrote to memory of 2804	1540	NETSTAT.EXE	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2396

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1768

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\dasHost.exe
  "C:\Users\Admin\AppData\Local\Temp\dasHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EQpnUk.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQpnUk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BC0.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\dasHost.exe
    "C:\Users\Admin\AppData\Local\Temp\dasHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      4⤵
      Suspicious use of SetThreadContext
      Gathers network information
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Exploitation for Client Execution

T1203

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{6B661223-FFCF-41EA-B4F7-7AC015C458D1}.FSD

Filesize
128KB

MD5
a07c02e8d99f0e430e872b6367f82151

SHA1
add5978044fbe51a294d915be311158ed5c3b7a2

SHA256
3367aea4e9a2d5324ddf11e877762af94950e6d542b06052bd1290063f4846cc

SHA512
53535d634f04f1a0e92061de5179116608156f0f18ade3bb72c2f9665e04a20328548375610e0a9735f8b6d443719fdc968f5cd396380e9ae7ab6886c611de61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
66a79f27b3d2f9b4e9d8b04fdfcc8204

SHA1
91701dcf4075a59002aa1460c94d6b26acfe7252

SHA256
3979b10538a7a79353ce03ef7001b98c1525d31933b722efa5beb2064c3d1ed3

SHA512
7a1acabaa50adf269fccfa61dcd55260996e1a9bf2a43031c5e26c8d275faea4fe7f859771a34956bdf908c5a2e44dca81e9c4c0f0c92cd52f022008f427d67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
98e833f7660661e1b02b36eb65c3c654

SHA1
b5a4727a69ed4e3f7581528a5b1b894f09b5bd6f

SHA256
379a2fde43f0ab7c804913e0b839e921b24a8be61e24fcb183b9829151ad0a98

SHA512
a422c71ad4fbb6fbc766d9a566b2652e9f8a9bb8a3895f3cc3bf928e55a5a62423bb2cc78ebd3eabac4582d3d51e281cbef964a4f6d0dd515f9f63ea36eb55ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{01ED0CC0-4A5B-4C35-B564-F736C50FAFA7}.FSD

Filesize
128KB

MD5
8d8c652fea4166e0e78e7b7775ccf7b3

SHA1
88cda76fb768f6d7c27990f29a1e0f451163e500

SHA256
de5f577bd6c5d17891a721d09eb842ba7df8d84dcdc3bcf5f63aa55b009eef17

SHA512
5b1447ee5372f89bda8f151a069da5d71ccffc0972143c08b50a6d6b38a5178637e443742b8a8013ec009c404d9475bcc4912f79357d0116f7dde5307508227c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\00000O0O0OOO0000O0OO0Oo0o00o0o000000000##############000000000##############00000000000[1].doc

Filesize
26KB

MD5
c56ab202de96a4eeee43ffbe0a8ae3c3

SHA1
db6700b75353d157c571de5bd6950f56cfc16c38

SHA256
b1efbf9bc1589f00c095291d6dfe2a869983440ca1961ddcc5ed1fd8db5a0b9b

SHA512
9e2bc312ff2f9c50ed87e77acc3597c24f2c5add09fb49cb542832997b089f4e17d601561f0bfb9e151ffb0e7cffa03ad619aa064c6c8d371bcb08f5363fc488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C0F476E2.doc

Filesize
26KB

MD5
c56ab202de96a4eeee43ffbe0a8ae3c3

SHA1
db6700b75353d157c571de5bd6950f56cfc16c38

SHA256
b1efbf9bc1589f00c095291d6dfe2a869983440ca1961ddcc5ed1fd8db5a0b9b

SHA512
9e2bc312ff2f9c50ed87e77acc3597c24f2c5add09fb49cb542832997b089f4e17d601561f0bfb9e151ffb0e7cffa03ad619aa064c6c8d371bcb08f5363fc488

Download Submit
C:\Users\Admin\AppData\Local\Temp\dasHost.exe

Filesize
562KB

MD5
3ccdd54dcb6cf8114737154cfd6d8a79

SHA1
8bbfcc6cae063f62d3fc5c0b017143d6d3389e07

SHA256
bb0c37d119a9c69714cc9ca92efed31266d6b71f4275546e804c8d0dc9c9b2c4

SHA512
f4baecaeee31529e288dd6d39250a4e6440887a0452be4b417c77a4c4513307d36eadc84753a19c7872762070a0cf3cd768a8708dc83297e8fac7a5d4fb262b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dasHost.exe

Filesize
562KB

MD5
3ccdd54dcb6cf8114737154cfd6d8a79

SHA1
8bbfcc6cae063f62d3fc5c0b017143d6d3389e07

SHA256
bb0c37d119a9c69714cc9ca92efed31266d6b71f4275546e804c8d0dc9c9b2c4

SHA512
f4baecaeee31529e288dd6d39250a4e6440887a0452be4b417c77a4c4513307d36eadc84753a19c7872762070a0cf3cd768a8708dc83297e8fac7a5d4fb262b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dasHost.exe

Filesize
562KB

MD5
3ccdd54dcb6cf8114737154cfd6d8a79

SHA1
8bbfcc6cae063f62d3fc5c0b017143d6d3389e07

SHA256
bb0c37d119a9c69714cc9ca92efed31266d6b71f4275546e804c8d0dc9c9b2c4

SHA512
f4baecaeee31529e288dd6d39250a4e6440887a0452be4b417c77a4c4513307d36eadc84753a19c7872762070a0cf3cd768a8708dc83297e8fac7a5d4fb262b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dasHost.exe

Filesize
562KB

MD5
3ccdd54dcb6cf8114737154cfd6d8a79

SHA1
8bbfcc6cae063f62d3fc5c0b017143d6d3389e07

SHA256
bb0c37d119a9c69714cc9ca92efed31266d6b71f4275546e804c8d0dc9c9b2c4

SHA512
f4baecaeee31529e288dd6d39250a4e6440887a0452be4b417c77a4c4513307d36eadc84753a19c7872762070a0cf3cd768a8708dc83297e8fac7a5d4fb262b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BC0.tmp

Filesize
1KB

MD5
1b2a6838da1ccad5ece8be6a9d199b0b

SHA1
9e9e9ad6ff7d316f91f9f9d2fabf09738b08e009

SHA256
d53d489dae0c9b5989298dc4260e23bc600dc88274b84a886807f018c2160723

SHA512
a122e9c5f08ce24ab95b73d1f8034bb7f64d9357e556568640367d91f08ca611f8476269bf41f0a0fe37ac45b741b3125b380d23ff8d6bb9ff88543c330c1f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5322B3EA-7A6C-4F17-8F09-F8BF21F5CCE1}

Filesize
128KB

MD5
c18fea0ee43684f6f28b3e169f7086d2

SHA1
56c1047e4887c5fdfd293ac5380d981abadbe611

SHA256
84699fd7d4e1094ecc0480cf447fd0970281ffcbc62f1b15325b6ecf928c5738

SHA512
6fc8126bb1d358b17630ae228573a39fe059098ec12bafc9fa59119a8af41f915859c2cdfad30fa511d951a2173fc2701de0bb0ddeba7c07e41def7fa9b9a30a

Download Submit
\Users\Admin\AppData\Local\Temp\dasHost.exe

Filesize
562KB

MD5
3ccdd54dcb6cf8114737154cfd6d8a79

SHA1
8bbfcc6cae063f62d3fc5c0b017143d6d3389e07

SHA256
bb0c37d119a9c69714cc9ca92efed31266d6b71f4275546e804c8d0dc9c9b2c4

SHA512
f4baecaeee31529e288dd6d39250a4e6440887a0452be4b417c77a4c4513307d36eadc84753a19c7872762070a0cf3cd768a8708dc83297e8fac7a5d4fb262b3

Download Submit
\Users\Admin\AppData\Local\Temp\dasHost.exe

Filesize
562KB

MD5
3ccdd54dcb6cf8114737154cfd6d8a79

SHA1
8bbfcc6cae063f62d3fc5c0b017143d6d3389e07

SHA256
bb0c37d119a9c69714cc9ca92efed31266d6b71f4275546e804c8d0dc9c9b2c4

SHA512
f4baecaeee31529e288dd6d39250a4e6440887a0452be4b417c77a4c4513307d36eadc84753a19c7872762070a0cf3cd768a8708dc83297e8fac7a5d4fb262b3

Download Submit
\Users\Admin\AppData\Local\Temp\dasHost.exe

Filesize
562KB

MD5
3ccdd54dcb6cf8114737154cfd6d8a79

SHA1
8bbfcc6cae063f62d3fc5c0b017143d6d3389e07

SHA256
bb0c37d119a9c69714cc9ca92efed31266d6b71f4275546e804c8d0dc9c9b2c4

SHA512
f4baecaeee31529e288dd6d39250a4e6440887a0452be4b417c77a4c4513307d36eadc84753a19c7872762070a0cf3cd768a8708dc83297e8fac7a5d4fb262b3

Download Submit
memory/524-186-0x000000006A750000-0x000000006ACFB000-memory.dmp

Filesize
5.7MB

Download
memory/524-187-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/524-185-0x000000006A750000-0x000000006ACFB000-memory.dmp

Filesize
5.7MB

Download
memory/524-189-0x000000006A750000-0x000000006ACFB000-memory.dmp

Filesize
5.7MB

Download
memory/524-188-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/532-192-0x00000000002C0000-0x00000000002D5000-memory.dmp

Filesize
84KB

Download
memory/532-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-178-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

Filesize
3.0MB

Download
memory/532-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-173-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/532-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-183-0x0000000000280000-0x0000000000295000-memory.dmp

Filesize
84KB

Download
memory/532-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-184-0x00000000063D0000-0x0000000006560000-memory.dmp

Filesize
1.6MB

Download
memory/1388-204-0x00000000069C0000-0x0000000006AFF000-memory.dmp

Filesize
1.2MB

Download
memory/1388-195-0x00000000069C0000-0x0000000006AFF000-memory.dmp

Filesize
1.2MB

Download
memory/1388-194-0x00000000063D0000-0x0000000006560000-memory.dmp

Filesize
1.6MB

Download
memory/1540-198-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1540-196-0x0000000000D30000-0x0000000000D39000-memory.dmp

Filesize
36KB

Download
memory/1540-197-0x0000000000D30000-0x0000000000D39000-memory.dmp

Filesize
36KB

Download
memory/1540-199-0x0000000002140000-0x0000000002443000-memory.dmp

Filesize
3.0MB

Download
memory/1540-200-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1540-205-0x0000000000B50000-0x0000000000BE4000-memory.dmp

Filesize
592KB

Download
memory/2396-55-0x0000000073C7D000-0x0000000073C88000-memory.dmp

Filesize
44KB

Download
memory/2396-130-0x0000000073C7D000-0x0000000073C88000-memory.dmp

Filesize
44KB

Download
memory/2396-65-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download
memory/2396-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2464-162-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/2464-159-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2464-145-0x0000000000A30000-0x0000000000AC2000-memory.dmp

Filesize
584KB

Download
memory/2464-156-0x000000006A610000-0x000000006ACFE000-memory.dmp

Filesize
6.9MB

Download
memory/2464-164-0x0000000005020000-0x000000000508E000-memory.dmp

Filesize
440KB

Download
memory/2464-163-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/2464-161-0x000000006A610000-0x000000006ACFE000-memory.dmp

Filesize
6.9MB

Download
memory/2464-177-0x000000006A610000-0x000000006ACFE000-memory.dmp

Filesize
6.9MB

Download
memory/2464-158-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/3052-157-0x0000000073C7D000-0x0000000073C88000-memory.dmp

Filesize
44KB

Download
memory/3052-62-0x0000000073C7D000-0x0000000073C88000-memory.dmp

Filesize
44KB

Download
memory/3052-60-0x000000002FA30000-0x000000002FB8D000-memory.dmp

Filesize
1.4MB

Download
memory/3052-144-0x000000002FA30000-0x000000002FB8D000-memory.dmp

Filesize
1.4MB

Download
memory/3052-64-0x00000000036C0000-0x00000000036C2000-memory.dmp

Filesize
8KB

Download