xloader | dc76eda7c92266e884d6c392f3fd087b75c659ffc1127b38cdee502491f70efb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
Size

1.2MB
MD5

51f1f9633fda9697a21cfe3803505300
SHA1

f2c28c2fadfa10fbe41789736ef044fcccac9325
SHA256

74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c
SHA512

05c2b63e193f34f188dc226013a3366481302302b37c4ac6b2dfebe9b8986dfcc9329f1f528b4c300ac5c83a5d9390ca39f1132ae716f8411880ce41fe711fa5
SSDEEP

24576:v8s2L74wp7Fd0D5wHcgsVPorazZ+Dq9RE7:vb2L7HLM5wHcgkorU+DS

Score

10^/10

xloader xred b0ar backdoor discovery loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b0ar

Decoy

fbadformula.com

appdios.com

guyhoquet-immobilier-drancy.com

pokerwiro.com

maxwellhospitaljaipur.com

88n9.com

bennypc.com

corcoranconsult.com

cuidatusaludcuidatucasa.com

motlakfitnes.com

laurahurricanerelief.com

nostacktofullstack.com

privsec-mail.com

andalusaihealth.com

doosanmodelhouse.com

quickbookaccountingpro.com

falconrysouk.com

vnielvmdqxk538.xyz

asshop.space

mhscdnv1.club

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Xloader payload 11 IoCs

rat

resource	yara_rule
behavioral2/memory/5036-12-0x0000000000400000-0x00000000004EA000-memory.dmp	xloader
behavioral2/memory/5036-13-0x0000000000400000-0x00000000004EA000-memory.dmp	xloader
behavioral2/memory/5036-15-0x0000000000400000-0x00000000004EA000-memory.dmp	xloader
behavioral2/memory/5036-16-0x0000000000400000-0x00000000004EA000-memory.dmp	xloader
behavioral2/files/0x0009000000023c5a-22.dat	xloader
behavioral2/memory/5036-116-0x0000000000400000-0x00000000004EA000-memory.dmp	xloader
behavioral2/memory/4220-121-0x0000000000400000-0x00000000004EA000-memory.dmp	xloader
behavioral2/memory/4220-212-0x0000000000400000-0x00000000004EA000-memory.dmp	xloader
behavioral2/memory/4220-213-0x0000000000400000-0x00000000004EA000-memory.dmp	xloader
behavioral2/memory/924-215-0x0000000000590000-0x00000000005B9000-memory.dmp	xloader
behavioral2/memory/4220-216-0x0000000000400000-0x00000000004EA000-memory.dmp	xloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
1952	._cache_74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
4472	Synaptics.exe
3252	Synaptics.exe
4220	Synaptics.exe
3132	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4472 set thread context of 4220	4472	Synaptics.exe	96
PID 3132 set thread context of 3424	3132	._cache_Synaptics.exe	55
PID 924 set thread context of 3424	924	rundll32.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2968	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
1952	._cache_74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
1952	._cache_74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
4472	Synaptics.exe
4472	Synaptics.exe
3132	._cache_Synaptics.exe
3132	._cache_Synaptics.exe
3132	._cache_Synaptics.exe
3132	._cache_Synaptics.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe
924	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3132	._cache_Synaptics.exe
3132	._cache_Synaptics.exe
3132	._cache_Synaptics.exe
924	rundll32.exe
924	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
Token: SeDebugPrivilege	4472	Synaptics.exe
Token: SeDebugPrivilege	3132	._cache_Synaptics.exe
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeDebugPrivilege	924	rundll32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 5100	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	91
PID 4956 wrote to memory of 5100	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	91
PID 4956 wrote to memory of 5100	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	91
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 4956 wrote to memory of 5036	4956	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	92
PID 5036 wrote to memory of 1952	5036	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	93
PID 5036 wrote to memory of 1952	5036	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	93
PID 5036 wrote to memory of 1952	5036	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	93
PID 5036 wrote to memory of 4472	5036	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	94
PID 5036 wrote to memory of 4472	5036	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	94
PID 5036 wrote to memory of 4472	5036	74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe	94
PID 4472 wrote to memory of 3252	4472	Synaptics.exe	95
PID 4472 wrote to memory of 3252	4472	Synaptics.exe	95
PID 4472 wrote to memory of 3252	4472	Synaptics.exe	95
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4472 wrote to memory of 4220	4472	Synaptics.exe	96
PID 4220 wrote to memory of 3132	4220	Synaptics.exe	97
PID 4220 wrote to memory of 3132	4220	Synaptics.exe	97
PID 4220 wrote to memory of 3132	4220	Synaptics.exe	97
PID 3424 wrote to memory of 924	3424	Explorer.EXE	99
PID 3424 wrote to memory of 924	3424	Explorer.EXE	99
PID 3424 wrote to memory of 924	3424	Explorer.EXE	99
PID 924 wrote to memory of 4856	924	rundll32.exe	103
PID 924 wrote to memory of 4856	924	rundll32.exe	103
PID 924 wrote to memory of 4856	924	rundll32.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Local\Temp\74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
  "C:\Users\Admin\AppData\Local\Temp\74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
    "C:\Users\Admin\AppData\Local\Temp\74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe"
    3⤵
    PID:5100
- - C:\Users\Admin\AppData\Local\Temp\74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
    "C:\Users\Admin\AppData\Local\Temp\74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\._cache_74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1952
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        5⤵
        Executes dropped EXE
        
        PID:3252
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
      - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4856

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.2MB

MD5
51f1f9633fda9697a21cfe3803505300

SHA1
f2c28c2fadfa10fbe41789736ef044fcccac9325

SHA256
74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c

SHA512
05c2b63e193f34f188dc226013a3366481302302b37c4ac6b2dfebe9b8986dfcc9329f1f528b4c300ac5c83a5d9390ca39f1132ae716f8411880ce41fe711fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c.exe

Filesize
161KB

MD5
ccdba7fe08b69254661fcdf739120e3f

SHA1
6583c4ed27d1713d7125305ea511a1dc7b92ae59

SHA256
1dfe7070f57df2729baa9e0df5106db0968a18614a4496d2e28395f1fee3201b

SHA512
50f12eb54bd79d1bd7e31803eb8e006fd27b10a18b4057338a93fcbffe3d5bb0f10617a483e7b48f9c82fdedaa9af157cf519eaef08a9de612776c5e98922378

Download Submit
C:\Users\Admin\AppData\Local\Temp\5KDajajz.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5195E00

Filesize
23KB

MD5
3f9941e04a73751dbe69bbef280478bb

SHA1
b6031328888463350152159ca040f02b50d1df8d

SHA256
d2a8d8c2dc0ce5406d6f6e0b9d01a2e93f029c16e9d7bf2ed5496e1c18707d2a

SHA512
98fce95acdd35d0d0edb786bf1a61bd0774bfeac74f747e1d3d73036043925cb9ebe105c18bd1b3e1a3d3f609142df3e5be131912e0db84b64a50ce75b492233

Download Submit
memory/924-215-0x0000000000590000-0x00000000005B9000-memory.dmp

Filesize
164KB

Download
memory/924-207-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/924-206-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/1952-112-0x0000000001450000-0x000000000179A000-memory.dmp

Filesize
3.3MB

Download
memory/2968-158-0x00007FFBEC270000-0x00007FFBEC280000-memory.dmp

Filesize
64KB

Download
memory/2968-161-0x00007FFBE9B10000-0x00007FFBE9B20000-memory.dmp

Filesize
64KB

Download
memory/2968-160-0x00007FFBE9B10000-0x00007FFBE9B20000-memory.dmp

Filesize
64KB

Download
memory/2968-155-0x00007FFBEC270000-0x00007FFBEC280000-memory.dmp

Filesize
64KB

Download
memory/2968-159-0x00007FFBEC270000-0x00007FFBEC280000-memory.dmp

Filesize
64KB

Download
memory/2968-156-0x00007FFBEC270000-0x00007FFBEC280000-memory.dmp

Filesize
64KB

Download
memory/2968-157-0x00007FFBEC270000-0x00007FFBEC280000-memory.dmp

Filesize
64KB

Download
memory/3424-222-0x0000000009290000-0x0000000009404000-memory.dmp

Filesize
1.5MB

Download
memory/4220-212-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4220-213-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4220-216-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4220-121-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4956-9-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4956-6-0x0000000006940000-0x000000000695C000-memory.dmp

Filesize
112KB

Download
memory/4956-44-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4956-1-0x0000000000610000-0x0000000000750000-memory.dmp

Filesize
1.2MB

Download
memory/4956-2-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/4956-3-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/4956-4-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/4956-5-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4956-11-0x0000000009710000-0x00000000097FC000-memory.dmp

Filesize
944KB

Download
memory/4956-10-0x0000000007010000-0x0000000007102000-memory.dmp

Filesize
968KB

Download
memory/4956-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/4956-8-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/4956-7-0x0000000006A00000-0x0000000006A9C000-memory.dmp

Filesize
624KB

Download
memory/5036-116-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/5036-12-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/5036-13-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/5036-15-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/5036-16-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/5036-17-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download