Malware Analysis Report

2024-12-07 03:21

Sample ID 241113-adx6hswraj
Target 13112024_0006_12112024_számla kiegyenlítése fizetéshez 2024. november 12 xlsx.z
SHA256 5c2a86ed29bd6dd599bd6be9aaaa55a130479f5bbce253ab18bc70c3efcdedec
Tags
formbook ud04 discovery rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c2a86ed29bd6dd599bd6be9aaaa55a130479f5bbce253ab18bc70c3efcdedec

Threat Level: Known bad

The file 13112024_0006_12112024_számla kiegyenlítése fizetéshez 2024. november 12 xlsx.z was found to be: Known bad.

Malicious Activity Summary

formbook ud04 discovery rat spyware stealer trojan

Formbook

Formbook family

Formbook payload

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 00:06

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 00:06

Reported

2024-11-13 00:11

Platform

win7-20240903-en

Max time kernel

300s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2648 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe C:\Windows\SysWOW64\svchost.exe
PID 2744 set thread context of 1216 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2780 set thread context of 1216 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe C:\Windows\SysWOW64\svchost.exe
PID 2648 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe C:\Windows\SysWOW64\svchost.exe
PID 2648 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe C:\Windows\SysWOW64\svchost.exe
PID 2648 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe C:\Windows\SysWOW64\svchost.exe
PID 2648 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe C:\Windows\SysWOW64\svchost.exe
PID 1216 wrote to memory of 2780 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\svchost.exe
PID 1216 wrote to memory of 2780 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\svchost.exe
PID 1216 wrote to memory of 2780 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\svchost.exe
PID 1216 wrote to memory of 2780 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\svchost.exe
PID 2780 wrote to memory of 2564 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe

"C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

N/A

Files

memory/2648-11-0x0000000002490000-0x0000000002590000-memory.dmp

memory/2744-12-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2744-13-0x0000000000770000-0x0000000000A73000-memory.dmp

memory/2744-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2744-16-0x0000000000110000-0x0000000000124000-memory.dmp

memory/1216-18-0x0000000004FD0000-0x0000000005119000-memory.dmp

memory/1216-17-0x0000000003F50000-0x0000000004150000-memory.dmp

memory/2780-19-0x0000000000F20000-0x0000000000F28000-memory.dmp

memory/2780-21-0x0000000000F20000-0x0000000000F28000-memory.dmp

memory/2780-22-0x00000000000C0000-0x00000000000EF000-memory.dmp

memory/1216-23-0x0000000004FD0000-0x0000000005119000-memory.dmp

memory/1216-25-0x0000000003F50000-0x0000000004150000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 00:06

Reported

2024-11-13 00:11

Platform

win10v2004-20241007-en

Max time kernel

298s

Max time network

299s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2192 set thread context of 2208 N/A C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe C:\Windows\SysWOW64\svchost.exe
PID 2208 set thread context of 3524 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2208 set thread context of 3524 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 1620 set thread context of 3524 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe

"C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2192 -ip 2192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 744

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 www.linko1win.icu udp
US 8.8.8.8:53 www.asik-eye-surgery-63293.bond udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 www.uy-now-pay-later-74776.bond udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.unluoren.top udp
US 8.8.8.8:53 www.2creativedesign.online udp
US 8.8.8.8:53 www.itaxia.dev udp
US 8.8.8.8:53 www.el-radu-easy4y.one udp
US 8.8.8.8:53 www.enobscotlobster.online udp
US 8.8.8.8:53 www.ovonordisk.online udp
US 8.8.8.8:53 www.raquewear.shop udp
US 8.8.8.8:53 www.tendmtedcpsa.site udp
US 8.8.8.8:53 www.udulbet88.net udp
US 8.8.8.8:53 www.ugeniolopez.art udp

Files

memory/2192-11-0x0000000004090000-0x0000000004290000-memory.dmp

memory/2208-12-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2208-13-0x0000000001200000-0x000000000154A000-memory.dmp

memory/2208-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2208-16-0x0000000000970000-0x0000000000984000-memory.dmp

memory/3524-17-0x00000000084B0000-0x00000000085A4000-memory.dmp

memory/3524-21-0x000000000AEB0000-0x000000000AF76000-memory.dmp

memory/2208-20-0x0000000002EC0000-0x0000000002ED4000-memory.dmp

memory/2208-19-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3524-22-0x00000000084B0000-0x00000000085A4000-memory.dmp

memory/1620-27-0x0000000000690000-0x00000000006A2000-memory.dmp

memory/1620-25-0x0000000000690000-0x00000000006A2000-memory.dmp

memory/1620-28-0x0000000000C70000-0x0000000000C9F000-memory.dmp

memory/1620-23-0x0000000000690000-0x00000000006A2000-memory.dmp

memory/1620-29-0x0000000002AC0000-0x0000000002E0A000-memory.dmp

memory/3524-30-0x000000000AEB0000-0x000000000AF76000-memory.dmp

memory/1620-31-0x0000000000C70000-0x0000000000C9F000-memory.dmp

memory/1620-32-0x00000000029B0000-0x0000000002A43000-memory.dmp

memory/3524-34-0x00000000097B0000-0x00000000098A0000-memory.dmp

memory/3524-36-0x00000000097B0000-0x00000000098A0000-memory.dmp

memory/3524-37-0x00000000097B0000-0x00000000098A0000-memory.dmp