modiloader | 9d2a6a4d069a3d2ad99a117b411facbc86de0102a65bf5027c6b0f7dd0ae9014

Analysis

max time kernel
141s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2022 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
Size

1.1MB
MD5

3506f47af9280b0cee32f9bc9319b461
SHA1

23c228520bd16733e7cc54fbf1f4bc48b897a2d9
SHA256

9d2a6a4d069a3d2ad99a117b411facbc86de0102a65bf5027c6b0f7dd0ae9014
SHA512

e6bd29c8c884a570fc295ac426f0818657dad7bea68023ccff0c7292fd2af71a13e0edc788186651fdc40a5bcd040b6adac61be27058ed4dcfefafeb89dd73a9

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

pentester01.duckdns.org:53078

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ModiLoader Second Stage 61 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4976-147-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-163-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-164-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-165-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-166-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-167-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-168-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-169-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-170-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-171-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-172-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-173-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-174-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-175-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-176-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-177-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-178-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-179-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-180-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-181-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-182-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-183-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-184-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-185-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-186-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-187-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-188-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-189-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-190-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-191-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-192-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-193-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-194-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-195-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-196-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-197-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-199-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-198-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-200-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-225-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-226-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-228-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-227-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-229-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-230-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-235-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-236-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-237-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-238-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-239-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-240-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-241-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-242-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-243-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-245-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-247-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-248-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-249-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-250-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-251-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2
behavioral2/memory/4976-252-0x0000000003FC0000-0x0000000004067000-memory.dmp	modiloader_stage2

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1988-246-0x0000000001220000-0x000000000137A000-memory.dmp	warzonerat
behavioral2/memory/1988-244-0x00000000506E0000-0x000000005083C000-memory.dmp	warzonerat
behavioral2/memory/1988-265-0x0000000001220000-0x000000000137A000-memory.dmp	warzonerat

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

43 1988 cmd.exe

flow	pid	process
43	1988	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gpvork = "C:\\Users\\Public\\Libraries\\krovpG.url"	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeTender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe

pid process

2236 powershell.exe
2236 powershell.exe
4976 Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
4976 Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2236 powershell.exe

pid	process
2236	powershell.exe
2236	powershell.exe
4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe

description	pid	process
Token: SeDebugPrivilege	2236	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.execmd.execmd.exenet.exe

description	pid	process	target process
PID 4976 wrote to memory of 3420	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 3420	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 3420	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 3420 wrote to memory of 5028	3420	cmd.exe	cmd.exe
PID 3420 wrote to memory of 5028	3420	cmd.exe	cmd.exe
PID 3420 wrote to memory of 5028	3420	cmd.exe	cmd.exe
PID 5028 wrote to memory of 4932	5028	cmd.exe	net.exe
PID 5028 wrote to memory of 4932	5028	cmd.exe	net.exe
PID 5028 wrote to memory of 4932	5028	cmd.exe	net.exe
PID 4932 wrote to memory of 3132	4932	net.exe	net1.exe
PID 4932 wrote to memory of 3132	4932	net.exe	net1.exe
PID 4932 wrote to memory of 3132	4932	net.exe	net1.exe
PID 5028 wrote to memory of 2236	5028	cmd.exe	powershell.exe
PID 5028 wrote to memory of 2236	5028	cmd.exe	powershell.exe
PID 5028 wrote to memory of 2236	5028	cmd.exe	powershell.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe
PID 4976 wrote to memory of 1988	4976	Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Gpvorkt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\GpvorkO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:3132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
- Blocklisted process makes network request
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\GpvorkO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Gpvorkt.bat
Filesize
55B

MD5
682009f53044826c83d332da2f98137e

SHA1
fc1658b99caf9a1d7040ec295b1201db758e758e

SHA256
c3df04b933ca2088f241ba7f07b824243f673b902be3841e06ef7cc7ab9b526a

SHA512
a8027f0fc91981150fd021536ea76a499d3be33bc51383a2f7b31f88380cb1f9f082fb15fb53f7d7ff4c2eee55791db746fb5bab8793be930ae23814eee70af3

Download Submit
memory/1988-265-0x0000000001220000-0x000000000137A000-memory.dmp

Filesize
1.4MB

Download
memory/1988-244-0x00000000506E0000-0x000000005083C000-memory.dmp

Filesize
1.4MB

Download
memory/1988-246-0x0000000001220000-0x000000000137A000-memory.dmp

Filesize
1.4MB

Download
memory/1988-231-0x0000000000000000-mapping.dmp

Download
memory/2236-217-0x0000000006B70000-0x0000000006B8E000-memory.dmp

Filesize
120KB

Download
memory/2236-209-0x0000000003130000-0x0000000003166000-memory.dmp

Filesize
216KB

Download
memory/2236-220-0x0000000007970000-0x000000000797A000-memory.dmp

Filesize
40KB

Download
memory/2236-219-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/2236-218-0x0000000007FA0000-0x000000000861A000-memory.dmp

Filesize
6.5MB

Download
memory/2236-224-0x0000000007C10000-0x0000000007C18000-memory.dmp

Filesize
32KB

Download
memory/2236-216-0x000000006EFC0000-0x000000006F00C000-memory.dmp

Filesize
304KB

Download
memory/2236-215-0x0000000006B90000-0x0000000006BC2000-memory.dmp

Filesize
200KB

Download
memory/2236-214-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/2236-213-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/2236-212-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/2236-211-0x0000000005750000-0x0000000005772000-memory.dmp

Filesize
136KB

Download
memory/2236-210-0x0000000005930000-0x0000000005F58000-memory.dmp

Filesize
6.2MB

Download
memory/2236-221-0x0000000007B60000-0x0000000007BF6000-memory.dmp

Filesize
600KB

Download
memory/2236-208-0x0000000000000000-mapping.dmp

Download
memory/2236-222-0x0000000007B20000-0x0000000007B2E000-memory.dmp

Filesize
56KB

Download
memory/2236-223-0x0000000007C20000-0x0000000007C3A000-memory.dmp

Filesize
104KB

Download
memory/3132-206-0x0000000000000000-mapping.dmp

Download
memory/3420-201-0x0000000000000000-mapping.dmp

Download
memory/4932-205-0x0000000000000000-mapping.dmp

Download
memory/4976-184-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-171-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-191-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-192-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-193-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-194-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-195-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-196-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-197-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-199-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-198-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-200-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-189-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-188-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-163-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-187-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-186-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-185-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-147-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-183-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-182-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-181-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-180-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-179-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-178-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-177-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-176-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-175-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-174-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-173-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-172-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-190-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-170-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-169-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-168-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-167-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-225-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-226-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-228-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-227-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-229-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-230-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-166-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-233-0x00000000506E0000-0x000000005083C000-memory.dmp

Filesize
1.4MB

Download
memory/4976-235-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-236-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-237-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-238-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-239-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-240-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-241-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-242-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-243-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-245-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-247-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-165-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-164-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-248-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-249-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-250-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-251-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/4976-252-0x0000000003FC0000-0x0000000004067000-memory.dmp

Filesize
668KB

Download
memory/5028-203-0x0000000000000000-mapping.dmp

Download