formbook | 9613def893d5be7da45a15cbb94ed1d7c372351522695220ec2804fdbab95562

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4c6efe830638972f4e71cdd7d25355b_JaffaCakes118.rtf
Size

717KB
MD5

b4c6efe830638972f4e71cdd7d25355b
SHA1

151b41c0078c66651306b02879d7aa5a027d0ac6
SHA256

9613def893d5be7da45a15cbb94ed1d7c372351522695220ec2804fdbab95562
SHA512

6571f41323efd37d27c3ba67f09a75ee31547a344c9cf81ee064c637dd66e2f4cb9e3181bf7d60ec03929566f3ed00cecdb4a98e85da7cae84d6c74fe87ec6bb
SSDEEP

12288:moDIPSZVj0KgRCsjoJ6HWCeRRp5agN6Igzp3vv0xDbTvo2bP2OENXDIPSc3:lIPSZVjEpo4c15pNSzFcCnTIPSI

Score

10^/10

formbook ch41 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch41

Decoy

109ch.com

mikesguitarclass.com

atelidev.com

hanafiquranacademy.com

bothpartiesmust.win

shelterevents.com

tianshenmaoyi.com

xn--iev583c.com

minijin.net

laka-nosy.com

kireini-biyou.com

gymequipment.click

kena.ltd

taoorders.com

upstairsblogs.com

zubi17.win

direct-mobile.com

bdtimes.info

nyssyf.com

fordnotice.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/272-19-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/272-23-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/272-25-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

exe.exeexe.exe

pid process

2556 exe.exe
272 exe.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeexe.exe

pid process

2536 cmd.exe
2536 cmd.exe
2556 exe.exe

pid	process
2556	exe.exe
272	exe.exe

pid	process
2536	cmd.exe
2536	cmd.exe
2556	exe.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

exe.exeexe.exewlanext.exe

description	pid	process	target process
PID 2556 set thread context of 272	2556	exe.exe	exe.exe
PID 272 set thread context of 1208	272	exe.exe	Explorer.EXE
PID 272 set thread context of 1208	272	exe.exe	Explorer.EXE
PID 532 set thread context of 1208	532	wlanext.exe	Explorer.EXE

Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2748 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2520 taskkill.exe
Launches Equation Editor 1 TTPs 2 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXEEQNEDT32.EXE

pid process

2656 EQNEDT32.EXE
2508 EQNEDT32.EXE

pid	process
2748	timeout.exe

pid	process
2520	taskkill.exe

pid	process
2656	EQNEDT32.EXE
2508	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2176 WINWORD.EXE

pid	process
2176	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

exe.exewlanext.exe

pid	process
272	exe.exe
272	exe.exe
272	exe.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe
532	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

exe.exewlanext.exe

pid process

272 exe.exe
272 exe.exe
272 exe.exe
272 exe.exe
532 wlanext.exe
532 wlanext.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exeexe.exewlanext.exe

description pid process

Token: SeDebugPrivilege 2520 taskkill.exe
Token: SeDebugPrivilege 272 exe.exe
Token: SeDebugPrivilege 532 wlanext.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

exe.exe

pid process

2556 exe.exe
2556 exe.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

exe.exe

pid process

2556 exe.exe
2556 exe.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXEexe.exe

pid process

2176 WINWORD.EXE
2176 WINWORD.EXE
2176 WINWORD.EXE
2176 WINWORD.EXE
2556 exe.exe

description	pid	process
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	272	exe.exe
Token: SeDebugPrivilege	532	wlanext.exe

pid	process
2556	exe.exe
2556	exe.exe

pid	process
2556	exe.exe
2556	exe.exe

pid	process
2176	WINWORD.EXE
2176	WINWORD.EXE
2176	WINWORD.EXE
2176	WINWORD.EXE
2556	exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXECmD.execmd.execmd.exe

description	pid	process	target process
PID 2656 wrote to memory of 1268	2656	EQNEDT32.EXE	CmD.exe
PID 2656 wrote to memory of 1268	2656	EQNEDT32.EXE	CmD.exe
PID 2656 wrote to memory of 1268	2656	EQNEDT32.EXE	CmD.exe
PID 2656 wrote to memory of 1268	2656	EQNEDT32.EXE	CmD.exe
PID 1268 wrote to memory of 2536	1268	CmD.exe	cmd.exe
PID 1268 wrote to memory of 2536	1268	CmD.exe	cmd.exe
PID 1268 wrote to memory of 2536	1268	CmD.exe	cmd.exe
PID 1268 wrote to memory of 2536	1268	CmD.exe	cmd.exe
PID 2536 wrote to memory of 2748	2536	cmd.exe	timeout.exe
PID 2536 wrote to memory of 2748	2536	cmd.exe	timeout.exe
PID 2536 wrote to memory of 2748	2536	cmd.exe	timeout.exe
PID 2536 wrote to memory of 2748	2536	cmd.exe	timeout.exe
PID 2536 wrote to memory of 2556	2536	cmd.exe	exe.exe
PID 2536 wrote to memory of 2556	2536	cmd.exe	exe.exe
PID 2536 wrote to memory of 2556	2536	cmd.exe	exe.exe
PID 2536 wrote to memory of 2556	2536	cmd.exe	exe.exe
PID 2536 wrote to memory of 2520	2536	cmd.exe	taskkill.exe
PID 2536 wrote to memory of 2520	2536	cmd.exe	taskkill.exe
PID 2536 wrote to memory of 2520	2536	cmd.exe	taskkill.exe
PID 2536 wrote to memory of 2520	2536	cmd.exe	taskkill.exe
PID 2536 wrote to memory of 1508	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1508	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1508	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1508	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 340	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 340	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 340	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 340	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1808	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1808	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1808	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1808	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1296	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1296	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1296	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1296	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1912	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1912	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1912	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1912	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2560	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2560	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2560	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2560	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2488	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2488	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2488	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2488	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2568	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2568	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2568	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2568	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2796	2536	cmd.exe	cmd.exe
PID 2536 wrote to memory of 2796	2536	cmd.exe	cmd.exe
PID 2536 wrote to memory of 2796	2536	cmd.exe	cmd.exe
PID 2536 wrote to memory of 2796	2536	cmd.exe	cmd.exe
PID 2796 wrote to memory of 2800	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2800	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2800	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2800	2796	cmd.exe	reg.exe
PID 2536 wrote to memory of 2692	2536	cmd.exe	cmd.exe
PID 2536 wrote to memory of 2692	2536	cmd.exe	cmd.exe
PID 2536 wrote to memory of 2692	2536	cmd.exe	cmd.exe
PID 2536 wrote to memory of 2692	2536	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b4c6efe830638972f4e71cdd7d25355b_JaffaCakes118.rtf"
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"
3⤵
PID:556

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\CmD.exe
CmD /C %tmp%\task.bat & UUUUUUUU c
2⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\timeout.exe
TIMEOUT 1
4⤵
- Delays execution with timeout.exe
PID:2748

C:\Users\Admin\AppData\Local\Temp\exe.exe
C:\Users\Admin\AppData\Local\Temp\ExE.ExE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Users\Admin\AppData\Local\Temp\exe.exe
C:\Users\Admin\AppData\Local\Temp\ExE.ExE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM winword.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
4⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
4⤵
PID:340

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
4⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
4⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
4⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
4⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
4⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
4⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
4⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
5⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
4⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
5⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
4⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
5⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
4⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
5⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
4⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
5⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
4⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
5⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
4⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
5⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
4⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
5⤵
PID:1748

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2nd.bat
Filesize
2KB

MD5
59183fbaedf0883c681c39dd5ec21ffa

SHA1
333f6c6863b70dcf66dbacc677903896f5062cd9

SHA256
014a4aca93a93dbfb3c747bf5fb9ec9e6236a5532837730b804eb0d0d3096c8c

SHA512
44ee17ab15e370766f40cde472b136f6739c9cbb880be26b8b81794dba37805a1faea995d601cc86e4ac7646f32f6e4a743481b988d9dd59cfd6a6d7424c966b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe.exe
Filesize
344KB

MD5
6085c24a02ee83509c1f31be29e001e6

SHA1
555fd639414a04d23b2bcf7485c865691b4964a7

SHA256
e39c5055757c8135765bbade87feeeeda684b5b9b405c87e0268be0cf942a902

SHA512
a653c3712b0865a9efd8abb1ab93f1eb234e847027e4c139319d18657233312496776c9e8f19d94cbe87541c03ee5e81e65ee2ed75294907f8a5d2dc54edd59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat
Filesize
154B

MD5
c6df97bd319c2e2b887d5de476623737

SHA1
41a7fdf29b42950b3a076ad46c78b48bb3874140

SHA256
8c629d6202f6084f4100920659d623364a4bf01fad652b121148a9a3ff739da0

SHA512
5bce66c71d2e2dcdda82fb9b9596a20fa77d06afcc5de82a7ab34b3945c48559301158eff86606200c784a1c84b088684b1aa4443b52bf6069b78b60f48b8524

Download Submit
memory/272-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/272-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/272-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/532-27-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/1208-22-0x00000000002A0000-0x00000000003A0000-memory.dmp

Filesize
1024KB

Download
memory/1208-24-0x0000000004D50000-0x0000000004EDC000-memory.dmp

Filesize
1.5MB

Download
memory/1208-30-0x0000000007190000-0x0000000007274000-memory.dmp

Filesize
912KB

Download
memory/2176-2-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/2176-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2176-17-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/2176-0-0x000000002FB11000-0x000000002FB12000-memory.dmp

Filesize
4KB

Download