modiloader | 4411b4a05f3bc654dc86eba66de02e9a20751357b57a411468eee55cf3c879ec

Analysis

max time kernel
149s
max time network
179s
platform
windows7_x64
resource
win7v20210408
submitted
06-08-2021 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FX-Transfer-Form.xlsx
Size

1.5MB
MD5

31b142cebbf97b880ead6a2dc3f415e2
SHA1

b8b33c7492e0c6a25b2677f1126663d06a91fc2c
SHA256

4411b4a05f3bc654dc86eba66de02e9a20751357b57a411468eee55cf3c879ec
SHA512

0d4863b7184165fffa02a6bf10a5c157ed8246774cc5da7d9013d8bf448df123abaedbdf2260913b64ca52804190472fbabc483ccffc1b3cc485010d7234e325

Score

10^/10

modiloader xloader 6mam loader persistence rat suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

6mam

http://www.mobiessence.com/6mam/

Decoy

gxduoke.com

lawmetricssolicitors.com

e-bizbox.com

ilovemehoodie.com

marcuslafond.com

bransolute.com

kuppers.info

kykyryky.art

vavasoo.com

tlamj.com

besport24.com

hibachiexpressnctogo.com

elglink99.com

maximos.world

uniamaa.com

aladinfarma.com

opticatervisof.com

delhibudokankarate.com

juliekifyukstyle.com

fuzhourexian.com

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1380-82-0x0000000000000000-mapping.dmp	xloader
behavioral1/memory/1380-91-0x0000000010410000-0x0000000010439000-memory.dmp	xloader
behavioral1/memory/1164-98-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1256 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1744 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1256 EQNEDT32.EXE
1256 EQNEDT32.EXE
1256 EQNEDT32.EXE
1256 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
6	1256	EQNEDT32.EXE

pid	process
1744	vbc.exe

pid	process
1256	EQNEDT32.EXE
1256	EQNEDT32.EXE
1256	EQNEDT32.EXE
1256	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fuvajut = "C:\\Users\\Public\\Libraries\\tujavuF.url"	vbc.exe
Key created	\Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNUDU = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ieinstal.exemsiexec.exe

description	pid	process	target process
PID 1380 set thread context of 1208	1380	ieinstal.exe	Explorer.EXE
PID 1164 set thread context of 1208	1164	msiexec.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1256 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1256	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

1768 reg.exe
1724 reg.exe
1680 reg.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1648 EXCEL.EXE

pid	process
1768	reg.exe
1724	reg.exe
1680	reg.exe

pid	process
1648	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ieinstal.exemsiexec.exe

pid	process
1380	ieinstal.exe
1380	ieinstal.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe
1164	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ieinstal.exemsiexec.exe

pid process

1380 ieinstal.exe
1380 ieinstal.exe
1380 ieinstal.exe
1164 msiexec.exe
1164 msiexec.exe

pid	process
1208	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ieinstal.exeExplorer.EXEmsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1380	ieinstal.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1164	msiexec.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1648 EXCEL.EXE
1648 EXCEL.EXE
1648 EXCEL.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1648	EXCEL.EXE
1648	EXCEL.EXE
1648	EXCEL.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

EQNEDT32.EXEvbc.execmd.execmd.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1256 wrote to memory of 1744	1256	EQNEDT32.EXE	vbc.exe
PID 1256 wrote to memory of 1744	1256	EQNEDT32.EXE	vbc.exe
PID 1256 wrote to memory of 1744	1256	EQNEDT32.EXE	vbc.exe
PID 1256 wrote to memory of 1744	1256	EQNEDT32.EXE	vbc.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1380	1744	vbc.exe	ieinstal.exe
PID 1744 wrote to memory of 1168	1744	vbc.exe	cmd.exe
PID 1744 wrote to memory of 1168	1744	vbc.exe	cmd.exe
PID 1744 wrote to memory of 1168	1744	vbc.exe	cmd.exe
PID 1744 wrote to memory of 1168	1744	vbc.exe	cmd.exe
PID 1168 wrote to memory of 1576	1168	cmd.exe	cmd.exe
PID 1168 wrote to memory of 1576	1168	cmd.exe	cmd.exe
PID 1168 wrote to memory of 1576	1168	cmd.exe	cmd.exe
PID 1168 wrote to memory of 1576	1168	cmd.exe	cmd.exe
PID 1576 wrote to memory of 1768	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1768	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1768	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1768	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1724	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1724	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1724	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1724	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1708	1576	cmd.exe	schtasks.exe
PID 1576 wrote to memory of 1708	1576	cmd.exe	schtasks.exe
PID 1576 wrote to memory of 1708	1576	cmd.exe	schtasks.exe
PID 1576 wrote to memory of 1708	1576	cmd.exe	schtasks.exe
PID 1208 wrote to memory of 1164	1208	Explorer.EXE	msiexec.exe
PID 1208 wrote to memory of 1164	1208	Explorer.EXE	msiexec.exe
PID 1208 wrote to memory of 1164	1208	Explorer.EXE	msiexec.exe
PID 1208 wrote to memory of 1164	1208	Explorer.EXE	msiexec.exe
PID 1208 wrote to memory of 1164	1208	Explorer.EXE	msiexec.exe
PID 1208 wrote to memory of 1164	1208	Explorer.EXE	msiexec.exe
PID 1208 wrote to memory of 1164	1208	Explorer.EXE	msiexec.exe
PID 1744 wrote to memory of 1876	1744	vbc.exe	cmd.exe
PID 1744 wrote to memory of 1876	1744	vbc.exe	cmd.exe
PID 1744 wrote to memory of 1876	1744	vbc.exe	cmd.exe
PID 1744 wrote to memory of 1876	1744	vbc.exe	cmd.exe
PID 1876 wrote to memory of 1680	1876	cmd.exe	reg.exe
PID 1876 wrote to memory of 1680	1876	cmd.exe	reg.exe
PID 1876 wrote to memory of 1680	1876	cmd.exe	reg.exe
PID 1876 wrote to memory of 1680	1876	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\FX-Transfer-Form.xlsx
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Trast.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
5⤵
- Modifies registry key
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
5⤵
- Modifies registry key
PID:1724

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
5⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\nest.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
4⤵
- Modifies registry key
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Trast.bat
MD5
4068c9f69fcd8a171c67f81d4a952a54

SHA1
4d2536a8c28cdcc17465e20d6693fb9e8e713b36

SHA256
24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

SHA512
a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

Download Submit
C:\Users\Public\UKO.bat
MD5
eaf8d967454c3bbddbf2e05a421411f8

SHA1
6170880409b24de75c2dc3d56a506fbff7f6622c

SHA256
f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

SHA512
fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

Download Submit
C:\Users\Public\nest.bat
MD5
8ada51400b7915de2124baaf75e3414c

SHA1
1a7b9db12184ab7fd7fce1c383f9670a00adb081

SHA256
45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

SHA512
9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

Download Submit
C:\Users\Public\vbc.exe
MD5
442d2d8a7820a1c0c0ba418476d67fb0

SHA1
97ce48bc5177efca1214d82aec85049373fe4671

SHA256
be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406

SHA512
1251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9

Download Submit
C:\Users\Public\vbc.exe
MD5
442d2d8a7820a1c0c0ba418476d67fb0

SHA1
97ce48bc5177efca1214d82aec85049373fe4671

SHA256
be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406

SHA512
1251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9

Download Submit
\Users\Public\vbc.exe
MD5
442d2d8a7820a1c0c0ba418476d67fb0

SHA1
97ce48bc5177efca1214d82aec85049373fe4671

SHA256
be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406

SHA512
1251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9

Download Submit
\Users\Public\vbc.exe
MD5
442d2d8a7820a1c0c0ba418476d67fb0

SHA1
97ce48bc5177efca1214d82aec85049373fe4671

SHA256
be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406

SHA512
1251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9

Download Submit
\Users\Public\vbc.exe
MD5
442d2d8a7820a1c0c0ba418476d67fb0

SHA1
97ce48bc5177efca1214d82aec85049373fe4671

SHA256
be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406

SHA512
1251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9

Download Submit
\Users\Public\vbc.exe
MD5
442d2d8a7820a1c0c0ba418476d67fb0

SHA1
97ce48bc5177efca1214d82aec85049373fe4671

SHA256
be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406

SHA512
1251bcd8e6cf6502626e8dd9f93c617209c031d253fe7769bed5efd251b1c1424bf8ad7040a3be227477f5ad5603c6c95fd0aa3ad11e38df03367f278a9341b9

Download Submit
memory/1164-97-0x0000000000E70000-0x0000000000E84000-memory.dmp

Filesize
80KB

Download
memory/1164-98-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/1164-95-0x0000000000000000-mapping.dmp

Download
memory/1164-99-0x0000000002290000-0x0000000002593000-memory.dmp

Filesize
3.0MB

Download
memory/1164-101-0x0000000000AD0000-0x0000000000B60000-memory.dmp

Filesize
576KB

Download
memory/1168-83-0x0000000000000000-mapping.dmp

Download
memory/1208-94-0x0000000007340000-0x000000000749B000-memory.dmp

Filesize
1.4MB

Download
memory/1208-104-0x00000000074A0000-0x000000000761A000-memory.dmp

Filesize
1.5MB

Download
memory/1256-63-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1380-93-0x0000000000410000-0x0000000000421000-memory.dmp

Filesize
68KB

Download
memory/1380-90-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1380-92-0x00000000021A0000-0x00000000024A3000-memory.dmp

Filesize
3.0MB

Download
memory/1380-82-0x0000000000000000-mapping.dmp

Download
memory/1380-91-0x0000000010410000-0x0000000010439000-memory.dmp

Filesize
164KB

Download
memory/1576-85-0x0000000000000000-mapping.dmp

Download
memory/1648-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1648-61-0x00000000716D1000-0x00000000716D3000-memory.dmp

Filesize
8KB

Download
memory/1648-80-0x0000000006270000-0x0000000006EBA000-memory.dmp

Filesize
12.3MB

Download
memory/1648-60-0x000000002F661000-0x000000002F664000-memory.dmp

Filesize
12KB

Download
memory/1648-76-0x0000000006270000-0x0000000006EBA000-memory.dmp

Filesize
12.3MB

Download
memory/1648-78-0x0000000006270000-0x0000000006EBA000-memory.dmp

Filesize
12.3MB

Download
memory/1648-79-0x0000000006270000-0x0000000006EBA000-memory.dmp

Filesize
12.3MB

Download
memory/1648-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1648-77-0x0000000006270000-0x0000000006EBA000-memory.dmp

Filesize
12.3MB

Download
memory/1680-103-0x0000000000000000-mapping.dmp

Download
memory/1708-89-0x0000000000000000-mapping.dmp

Download
memory/1724-88-0x0000000000000000-mapping.dmp

Download
memory/1744-68-0x0000000000000000-mapping.dmp

Download
memory/1744-72-0x0000000000240000-0x000000000025B000-memory.dmp

Filesize
108KB

Download
memory/1744-75-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1768-87-0x0000000000000000-mapping.dmp

Download
memory/1876-100-0x0000000000000000-mapping.dmp

Download