xloader | 5d8e95dcf9a291d1a3fe76875eac502899147aa4f86715c5db2fbbe8354ac262

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
08-04-2021 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_ V-21-Kiel-050-D02.xlsx
Size

2.3MB
MD5

051054b344afd533b44a9ba0fccfb513
SHA1

49b9e0447b933f40359f4794669c9f4d6b91b3f0
SHA256

5d8e95dcf9a291d1a3fe76875eac502899147aa4f86715c5db2fbbe8354ac262
SHA512

6598a3647b3e7aa8e3515c68eabdb2d84c3500e2df84be2f0fd37a2d83c7cb6f6d1d38fa9f9e6353b7034f271bce307e9f9042b3eab464f4d31737bf85c5ce63

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

http://www.856380692.xyz/nsag/

Decoy

usopencoverage.com

5bo5j.com

deliveryourvote.com

bestbuycarpethd.com

worldsourcecloud.com

glowtheblog.com

translations.tools

ithacapella.com

machinerysubway.com

aashlokhospitals.com

athara-kiano.com

anabittencourt.com

hakimkhawatmi.com

fashionwatchesstore.com

krishnagiri.info

tencenttexts.com

kodairo.com

ouitum.club

robertbeauford.net

polling.asia

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2040-22-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1656-207-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Blocklisted process makes network request 3 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1756 EQNEDT32.EXE
8 1756 EQNEDT32.EXE
10 1756 EQNEDT32.EXE
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

540 vbc.exe
2040 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exe

pid process

1756 EQNEDT32.EXE
1756 EQNEDT32.EXE
1756 EQNEDT32.EXE
540 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
6	1756	EQNEDT32.EXE
8	1756	EQNEDT32.EXE
10	1756	EQNEDT32.EXE

pid	process
540	vbc.exe
2040	vbc.exe

pid	process
1756	EQNEDT32.EXE
1756	EQNEDT32.EXE
1756	EQNEDT32.EXE
540	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exechkdsk.exe

description	pid	process	target process
PID 540 set thread context of 2040	540	vbc.exe	vbc.exe
PID 2040 set thread context of 1236	2040	vbc.exe	Explorer.EXE
PID 1656 set thread context of 1236	1656	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEchkdsk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1756 EQNEDT32.EXE

pid	process
1756	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1904 EXCEL.EXE

pid	process
1904	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

vbc.exechkdsk.exe

pid	process
2040	vbc.exe
2040	vbc.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe
1656	chkdsk.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

vbc.exevbc.exechkdsk.exe

pid process

540 vbc.exe
2040 vbc.exe
2040 vbc.exe
2040 vbc.exe
1656 chkdsk.exe
1656 chkdsk.exe

pid	process
540	vbc.exe
2040	vbc.exe
2040	vbc.exe
2040	vbc.exe
1656	chkdsk.exe
1656	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exeExplorer.EXEchkdsk.exe

description	pid	process
Token: SeDebugPrivilege	2040	vbc.exe
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeDebugPrivilege	1656	chkdsk.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1904 EXCEL.EXE
1904 EXCEL.EXE
1904 EXCEL.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1904	EXCEL.EXE
1904	EXCEL.EXE
1904	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEvbc.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1756 wrote to memory of 540	1756	EQNEDT32.EXE	vbc.exe
PID 1756 wrote to memory of 540	1756	EQNEDT32.EXE	vbc.exe
PID 1756 wrote to memory of 540	1756	EQNEDT32.EXE	vbc.exe
PID 1756 wrote to memory of 540	1756	EQNEDT32.EXE	vbc.exe
PID 540 wrote to memory of 2040	540	vbc.exe	vbc.exe
PID 540 wrote to memory of 2040	540	vbc.exe	vbc.exe
PID 540 wrote to memory of 2040	540	vbc.exe	vbc.exe
PID 540 wrote to memory of 2040	540	vbc.exe	vbc.exe
PID 540 wrote to memory of 2040	540	vbc.exe	vbc.exe
PID 1236 wrote to memory of 1656	1236	Explorer.EXE	chkdsk.exe
PID 1236 wrote to memory of 1656	1236	Explorer.EXE	chkdsk.exe
PID 1236 wrote to memory of 1656	1236	Explorer.EXE	chkdsk.exe
PID 1236 wrote to memory of 1656	1236	Explorer.EXE	chkdsk.exe
PID 1656 wrote to memory of 1744	1656	chkdsk.exe	cmd.exe
PID 1656 wrote to memory of 1744	1656	chkdsk.exe	cmd.exe
PID 1656 wrote to memory of 1744	1656	chkdsk.exe	cmd.exe
PID 1656 wrote to memory of 1744	1656	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\RFQ_ V-21-Kiel-050-D02.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1744

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
3ee47ef2fed1383543fed2509ee9d533

SHA1
25bb17677a44eef76caab249e90188e2b6263b98

SHA256
6a708470ee13d86b51352b69e755a9bcbd2730ecef34133dd1b5ed10b95f56a3

SHA512
e42958a2b5d334fff9cbbb03259df1583be3bcb43807e786d6f896f1c78af22dfc8110687c4e6e5bca7a2a6a9a586af537568780b801258e9718d080c8507106

Download Submit
C:\Users\Public\vbc.exe
MD5
3ee47ef2fed1383543fed2509ee9d533

SHA1
25bb17677a44eef76caab249e90188e2b6263b98

SHA256
6a708470ee13d86b51352b69e755a9bcbd2730ecef34133dd1b5ed10b95f56a3

SHA512
e42958a2b5d334fff9cbbb03259df1583be3bcb43807e786d6f896f1c78af22dfc8110687c4e6e5bca7a2a6a9a586af537568780b801258e9718d080c8507106

Download Submit
C:\Users\Public\vbc.exe
MD5
3ee47ef2fed1383543fed2509ee9d533

SHA1
25bb17677a44eef76caab249e90188e2b6263b98

SHA256
6a708470ee13d86b51352b69e755a9bcbd2730ecef34133dd1b5ed10b95f56a3

SHA512
e42958a2b5d334fff9cbbb03259df1583be3bcb43807e786d6f896f1c78af22dfc8110687c4e6e5bca7a2a6a9a586af537568780b801258e9718d080c8507106

Download Submit
\Users\Admin\AppData\Local\Temp\nsi344B.tmp\utxxc4czqys.dll
MD5
a25fe018f6fb4fcd1134d4ffa75e9029

SHA1
e79647b873328ea7c0bb78002aebfcb28faac117

SHA256
3782ffc7a3c50c4953d328144e6e6c154eaf4986f2a4c7cb5781d64790c8cc9b

SHA512
8260e5008728bd161fc7f16923de5e266ffc5ac1d3758b667a275dfd5ac3f2fb713193b477b0565e5a9dfdf5b52428a9a6f33fb53a6572573bea637da772a15c

Download Submit
\Users\Public\vbc.exe
MD5
3ee47ef2fed1383543fed2509ee9d533

SHA1
25bb17677a44eef76caab249e90188e2b6263b98

SHA256
6a708470ee13d86b51352b69e755a9bcbd2730ecef34133dd1b5ed10b95f56a3

SHA512
e42958a2b5d334fff9cbbb03259df1583be3bcb43807e786d6f896f1c78af22dfc8110687c4e6e5bca7a2a6a9a586af537568780b801258e9718d080c8507106

Download Submit
\Users\Public\vbc.exe
MD5
3ee47ef2fed1383543fed2509ee9d533

SHA1
25bb17677a44eef76caab249e90188e2b6263b98

SHA256
6a708470ee13d86b51352b69e755a9bcbd2730ecef34133dd1b5ed10b95f56a3

SHA512
e42958a2b5d334fff9cbbb03259df1583be3bcb43807e786d6f896f1c78af22dfc8110687c4e6e5bca7a2a6a9a586af537568780b801258e9718d080c8507106

Download Submit
\Users\Public\vbc.exe
MD5
3ee47ef2fed1383543fed2509ee9d533

SHA1
25bb17677a44eef76caab249e90188e2b6263b98

SHA256
6a708470ee13d86b51352b69e755a9bcbd2730ecef34133dd1b5ed10b95f56a3

SHA512
e42958a2b5d334fff9cbbb03259df1583be3bcb43807e786d6f896f1c78af22dfc8110687c4e6e5bca7a2a6a9a586af537568780b801258e9718d080c8507106

Download Submit
memory/540-10-0x0000000000000000-mapping.dmp

Download
memory/540-21-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/1236-144-0x0000000006C10000-0x0000000006D50000-memory.dmp

Filesize
1.2MB

Download
memory/1236-210-0x0000000006570000-0x000000000667B000-memory.dmp

Filesize
1.0MB

Download
memory/1656-207-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1656-208-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/1656-209-0x0000000001E30000-0x0000000001EBF000-memory.dmp

Filesize
572KB

Download
memory/1656-206-0x0000000000540000-0x0000000000547000-memory.dmp

Filesize
28KB

Download
memory/1656-204-0x0000000000000000-mapping.dmp

Download
memory/1728-6-0x000007FEF6080000-0x000007FEF62FA000-memory.dmp

Filesize
2.5MB

Download
memory/1744-205-0x0000000000000000-mapping.dmp

Download
memory/1756-5-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1904-99-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-119-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-26-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-28-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-30-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-32-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-34-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-36-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-38-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-40-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-42-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-44-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-46-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-48-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-50-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-52-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-54-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-56-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-58-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-60-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-62-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-63-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-64-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-65-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-66-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-67-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-69-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-71-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-73-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-75-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-77-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-79-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-81-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-83-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-85-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-87-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-89-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-91-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-93-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-95-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-97-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-24-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-101-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-103-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-105-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-107-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-109-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-111-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-113-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-115-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-117-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-25-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-121-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-123-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-125-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-127-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-129-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-131-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-133-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-135-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-137-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-139-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-2-0x000000002F931000-0x000000002F934000-memory.dmp

Filesize
12KB

Download
memory/1904-143-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-3-0x0000000071271000-0x0000000071273000-memory.dmp

Filesize
8KB

Download
memory/1904-23-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-146-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-148-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-150-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-152-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-154-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-156-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-158-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-160-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-162-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-164-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-166-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-168-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-170-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-172-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-174-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-176-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-178-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-180-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-182-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-184-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-186-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-188-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-190-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-192-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-194-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-196-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-198-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-200-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-202-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1904-19-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1904-15-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2040-17-0x000000000041D000-mapping.dmp

Download
memory/2040-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2040-142-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2040-141-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download