formbook | 6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08/10/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL-081023.exe
Size

1005KB
MD5

e9577305797da56c4538f35d2da1e6ef
SHA1

4b19ed069368fa3b9433c9c8d8b4a050dfae77bc
SHA256

6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463
SHA512

28427e4d980c8aceb27fe0fd31275bf7fbf6fdac1b9730c80ff9e3917c6b064b0a605f83c0df3fd7cc0642305797e159711ffe5f94f6aaa3d42d3cc8373077f5
SSDEEP

24576:NTbBv5rUanWnNr75xArQDF8XhV+dFGa6mPcyGJzQfs8FiNGVDoB:HBjWnd7HbghVRoGBQfookB

Score

10^/10

formbook hesf rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hesf

Decoy

rizublog-aromama-a.com

87b52.club

allportablepower.com

brownkrosshui.com

schuobu.fun

qevtjrobrb.xyz

throne-rooms.com

hostcheker.net

buzztsunamiloja.com

kkudatogel27.com

91fulizifen.com

148secretbet.com

outlookthailand.com

zonaduniabet.net

boursobankk.com

tuneuphypnosis.com

sahabatzulhelmi.com

usbulletinnow.com

durdurdarshi.com

zz-agency.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/780-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/780-78-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2876-109-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/2876-111-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2476	taol.dll

Loads dropped DLL 1 IoCs

pid	Process
2212	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 780	2476	taol.dll	36
PID 780 set thread context of 1192	780	RegSvcs.exe	12
PID 2876 set thread context of 1192	2876	wuapp.exe	12

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
580	ipconfig.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2476	taol.dll
2476	taol.dll
2476	taol.dll
2476	taol.dll
2476	taol.dll
2476	taol.dll
780	RegSvcs.exe
780	RegSvcs.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe
2876	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1192	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
780	RegSvcs.exe
780	RegSvcs.exe
780	RegSvcs.exe
2876	wuapp.exe
2876	wuapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	RegSvcs.exe
Token: SeDebugPrivilege	2876	wuapp.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2664	1816	DHL-081023.exe	28
PID 1816 wrote to memory of 2664	1816	DHL-081023.exe	28
PID 1816 wrote to memory of 2664	1816	DHL-081023.exe	28
PID 1816 wrote to memory of 2664	1816	DHL-081023.exe	28
PID 2664 wrote to memory of 2212	2664	WScript.exe	29
PID 2664 wrote to memory of 2212	2664	WScript.exe	29
PID 2664 wrote to memory of 2212	2664	WScript.exe	29
PID 2664 wrote to memory of 2212	2664	WScript.exe	29
PID 2212 wrote to memory of 2476	2212	cmd.exe	31
PID 2212 wrote to memory of 2476	2212	cmd.exe	31
PID 2212 wrote to memory of 2476	2212	cmd.exe	31
PID 2212 wrote to memory of 2476	2212	cmd.exe	31
PID 2664 wrote to memory of 2816	2664	WScript.exe	32
PID 2664 wrote to memory of 2816	2664	WScript.exe	32
PID 2664 wrote to memory of 2816	2664	WScript.exe	32
PID 2664 wrote to memory of 2816	2664	WScript.exe	32
PID 2816 wrote to memory of 580	2816	cmd.exe	34
PID 2816 wrote to memory of 580	2816	cmd.exe	34
PID 2816 wrote to memory of 580	2816	cmd.exe	34
PID 2816 wrote to memory of 580	2816	cmd.exe	34
PID 2476 wrote to memory of 692	2476	taol.dll	35
PID 2476 wrote to memory of 692	2476	taol.dll	35
PID 2476 wrote to memory of 692	2476	taol.dll	35
PID 2476 wrote to memory of 692	2476	taol.dll	35
PID 2476 wrote to memory of 692	2476	taol.dll	35
PID 2476 wrote to memory of 692	2476	taol.dll	35
PID 2476 wrote to memory of 692	2476	taol.dll	35
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 2476 wrote to memory of 780	2476	taol.dll	36
PID 1192 wrote to memory of 2876	1192	Explorer.EXE	37
PID 1192 wrote to memory of 2876	1192	Explorer.EXE	37
PID 1192 wrote to memory of 2876	1192	Explorer.EXE	37
PID 1192 wrote to memory of 2876	1192	Explorer.EXE	37
PID 1192 wrote to memory of 2876	1192	Explorer.EXE	37
PID 1192 wrote to memory of 2876	1192	Explorer.EXE	37
PID 1192 wrote to memory of 2876	1192	Explorer.EXE	37
PID 2876 wrote to memory of 1200	2876	wuapp.exe	38
PID 2876 wrote to memory of 1200	2876	wuapp.exe	38
PID 2876 wrote to memory of 1200	2876	wuapp.exe	38
PID 2876 wrote to memory of 1200	2876	wuapp.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\DHL-081023.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL-081023.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\opw-s.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taol.dll hoxcaxg.msc
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taol.dll
        
        taol.dll hoxcaxg.msc
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        
        PID:692
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:580
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bbcpmgvfqh.txt

Filesize
36KB

MD5
5da9afc278ffb2274a11e358952488b6

SHA1
03b59988b177d85196fa24ad16b3f479885a1225

SHA256
e6ddac6f7529b465d32ef9b859101978823c8548eb2abff81a24d4a157cb4f7c

SHA512
02f58173b7941cfa072129f3cc246659b09c97fe531aa8fb09a6c8c24a221d89feaf44392a29315817d0c981f3d8f33fff57dd1c3082b8832c8111620569f9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hoxcaxg.msc

Filesize
99.9MB

MD5
7ce501e5d4da15b684f8af06858b42bd

SHA1
6aa3bf27660d54c339e7bd4b62240af304958030

SHA256
7ba659601042af782be15538c14574e8607649547cb07815f385f257b7c9a4d7

SHA512
d86f9e0420bca82e9325038691c40c017fd0acc21fba48e27b347f2aa7b8510efe192d9a71674a0357c63c2872e494ad9b2763620029fc4fa12791efef490d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\opw-s.vbe

Filesize
52KB

MD5
e0eaf1e9ac5bf23c5fe44e27a1846835

SHA1
becc298f97effe56108d3cf51a4a827763bed2bf

SHA256
7c5feaf38228475be4d3396fafe423f0331f8d6d4ad8ba6f669d8739932daaa7

SHA512
39a0c9fc6f610ffaf3502e9ef4e5819ba5b649c5f351e9d87f6511415fd8b5d5b07733f9362704c3f2119d058d34a46a8795d984a51c2d77d808e4c5852bad0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taol.dll

Filesize
925KB

MD5
874798cb576e238642281b10189b031c

SHA1
eafb30e710d557918533a6f10f09ca1f4227c77e

SHA256
e24858235af8c85aed95375be6dea083c7910917f78731ef4d195799e6f49713

SHA512
eaa0cff408fd3366813f1a80cf866bd590a885984a525d4a1b07fdf21c2d6df07c98fd0782050539f912a93b7df6a5a8831b676cb6200592995f108cb2659b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taol.dll

Filesize
925KB

MD5
874798cb576e238642281b10189b031c

SHA1
eafb30e710d557918533a6f10f09ca1f4227c77e

SHA256
e24858235af8c85aed95375be6dea083c7910917f78731ef4d195799e6f49713

SHA512
eaa0cff408fd3366813f1a80cf866bd590a885984a525d4a1b07fdf21c2d6df07c98fd0782050539f912a93b7df6a5a8831b676cb6200592995f108cb2659b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vfgio.ssj

Filesize
352KB

MD5
8cddef3c2e89cfe5b2bc527cdf316725

SHA1
1a689db5e39e1e788605316d3524b50d499c84e2

SHA256
bf1169787491f2f717aa645277d678e34593aff8996044f1623dfa1b046d4352

SHA512
a85d6d2926765a256006fbdd9e0b3e62ff0f4ffe42a2c1b4f29269671ac4b5bf0eaad3b181814d6bbf89e7faf96134f1f2f850550c8c0ecbebe554803bd22586

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\taol.dll

Filesize
925KB

MD5
874798cb576e238642281b10189b031c

SHA1
eafb30e710d557918533a6f10f09ca1f4227c77e

SHA256
e24858235af8c85aed95375be6dea083c7910917f78731ef4d195799e6f49713

SHA512
eaa0cff408fd3366813f1a80cf866bd590a885984a525d4a1b07fdf21c2d6df07c98fd0782050539f912a93b7df6a5a8831b676cb6200592995f108cb2659b92

Download Submit
memory/780-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/780-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-76-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download
memory/780-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-80-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/780-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-112-0x0000000008BE0000-0x0000000008CFD000-memory.dmp

Filesize
1.1MB

Download
memory/1192-79-0x00000000039B0000-0x0000000003AB0000-memory.dmp

Filesize
1024KB

Download
memory/1192-81-0x0000000008BE0000-0x0000000008CFD000-memory.dmp

Filesize
1.1MB

Download
memory/1192-119-0x0000000008D00000-0x0000000008DBA000-memory.dmp

Filesize
744KB

Download
memory/1192-117-0x0000000008D00000-0x0000000008DBA000-memory.dmp

Filesize
744KB

Download
memory/1192-116-0x0000000008D00000-0x0000000008DBA000-memory.dmp

Filesize
744KB

Download
memory/2876-107-0x00000000000F0000-0x00000000000FB000-memory.dmp

Filesize
44KB

Download
memory/2876-111-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2876-113-0x00000000003F0000-0x0000000000483000-memory.dmp

Filesize
588KB

Download
memory/2876-110-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/2876-109-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2876-108-0x00000000000F0000-0x00000000000FB000-memory.dmp

Filesize
44KB

Download