ramnit | 53de53007ecd2497d183c9184d74fe1ac165d096ed8e83287ea1ec510fa43d1d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53de53007ecd2497d183c9184d74fe1ac165d096ed8e83287ea1ec510fa43d1d.dll
Size

468KB
MD5

05f43c6ab4e70109bb0dc17b24273a40
SHA1

b59e21936afb470081009b4fa0b6a1b025c2153e
SHA256

53de53007ecd2497d183c9184d74fe1ac165d096ed8e83287ea1ec510fa43d1d
SHA512

eb04efb19ad14061f4f1d3f0e14aec3e029fc6c39b423b69b930bf79bb606bfee14d9d3e1d318fc5b7c749159fab19026e3c2fc3f5868e7e3762fb51f219f54b
SSDEEP

12288:LXClLduO3HyzesG5ybCsUa2J/iKtsazrml:LyPPSzesG59qK63

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	rundll32Srv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	rundll32Srv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	rundll32Srv.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\rundll32Srv.exe = "C:\\Windows\\SysWOW64\\rundll32Srv.exe:*:enabled:@shell32.dll,-1"	rundll32Srv.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
5084	rundll32Srv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022e54-134.dat	upx
behavioral2/memory/5084-136-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/files/0x0009000000022e54-137.dat	upx
behavioral2/memory/5084-139-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px6D07.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1508	5084	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5084	rundll32Srv.exe
5084	rundll32Srv.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe
5084	rundll32Srv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	rundll32Srv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 5012	5040	rundll32.exe	82
PID 5040 wrote to memory of 5012	5040	rundll32.exe	82
PID 5040 wrote to memory of 5012	5040	rundll32.exe	82
PID 5012 wrote to memory of 5084	5012	rundll32.exe	83
PID 5012 wrote to memory of 5084	5012	rundll32.exe	83
PID 5012 wrote to memory of 5084	5012	rundll32.exe	83
PID 5084 wrote to memory of 576	5084	rundll32Srv.exe	6
PID 5084 wrote to memory of 576	5084	rundll32Srv.exe	6
PID 5084 wrote to memory of 576	5084	rundll32Srv.exe	6
PID 5084 wrote to memory of 576	5084	rundll32Srv.exe	6
PID 5084 wrote to memory of 576	5084	rundll32Srv.exe	6
PID 5084 wrote to memory of 576	5084	rundll32Srv.exe	6
PID 5084 wrote to memory of 664	5084	rundll32Srv.exe	4
PID 5084 wrote to memory of 664	5084	rundll32Srv.exe	4
PID 5084 wrote to memory of 664	5084	rundll32Srv.exe	4
PID 5084 wrote to memory of 664	5084	rundll32Srv.exe	4
PID 5084 wrote to memory of 664	5084	rundll32Srv.exe	4
PID 5084 wrote to memory of 664	5084	rundll32Srv.exe	4
PID 5084 wrote to memory of 764	5084	rundll32Srv.exe	14
PID 5084 wrote to memory of 764	5084	rundll32Srv.exe	14
PID 5084 wrote to memory of 764	5084	rundll32Srv.exe	14
PID 5084 wrote to memory of 764	5084	rundll32Srv.exe	14
PID 5084 wrote to memory of 764	5084	rundll32Srv.exe	14
PID 5084 wrote to memory of 764	5084	rundll32Srv.exe	14
PID 5084 wrote to memory of 768	5084	rundll32Srv.exe	13
PID 5084 wrote to memory of 768	5084	rundll32Srv.exe	13
PID 5084 wrote to memory of 768	5084	rundll32Srv.exe	13
PID 5084 wrote to memory of 768	5084	rundll32Srv.exe	13
PID 5084 wrote to memory of 768	5084	rundll32Srv.exe	13
PID 5084 wrote to memory of 768	5084	rundll32Srv.exe	13
PID 5084 wrote to memory of 780	5084	rundll32Srv.exe	12
PID 5084 wrote to memory of 780	5084	rundll32Srv.exe	12
PID 5084 wrote to memory of 780	5084	rundll32Srv.exe	12
PID 5084 wrote to memory of 780	5084	rundll32Srv.exe	12
PID 5084 wrote to memory of 780	5084	rundll32Srv.exe	12
PID 5084 wrote to memory of 780	5084	rundll32Srv.exe	12
PID 5084 wrote to memory of 880	5084	rundll32Srv.exe	11
PID 5084 wrote to memory of 880	5084	rundll32Srv.exe	11
PID 5084 wrote to memory of 880	5084	rundll32Srv.exe	11
PID 5084 wrote to memory of 880	5084	rundll32Srv.exe	11
PID 5084 wrote to memory of 880	5084	rundll32Srv.exe	11
PID 5084 wrote to memory of 880	5084	rundll32Srv.exe	11
PID 5084 wrote to memory of 932	5084	rundll32Srv.exe	10
PID 5084 wrote to memory of 932	5084	rundll32Srv.exe	10
PID 5084 wrote to memory of 932	5084	rundll32Srv.exe	10
PID 5084 wrote to memory of 932	5084	rundll32Srv.exe	10
PID 5084 wrote to memory of 932	5084	rundll32Srv.exe	10
PID 5084 wrote to memory of 932	5084	rundll32Srv.exe	10
PID 5084 wrote to memory of 1012	5084	rundll32Srv.exe	9
PID 5084 wrote to memory of 1012	5084	rundll32Srv.exe	9
PID 5084 wrote to memory of 1012	5084	rundll32Srv.exe	9
PID 5084 wrote to memory of 1012	5084	rundll32Srv.exe	9
PID 5084 wrote to memory of 1012	5084	rundll32Srv.exe	9
PID 5084 wrote to memory of 1012	5084	rundll32Srv.exe	9
PID 5084 wrote to memory of 440	5084	rundll32Srv.exe	8
PID 5084 wrote to memory of 440	5084	rundll32Srv.exe	8
PID 5084 wrote to memory of 440	5084	rundll32Srv.exe	8
PID 5084 wrote to memory of 440	5084	rundll32Srv.exe	8
PID 5084 wrote to memory of 440	5084	rundll32Srv.exe	8
PID 5084 wrote to memory of 440	5084	rundll32Srv.exe	8
PID 5084 wrote to memory of 688	5084	rundll32Srv.exe	81
PID 5084 wrote to memory of 688	5084	rundll32Srv.exe	81
PID 5084 wrote to memory of 688	5084	rundll32Srv.exe	81
PID 5084 wrote to memory of 688	5084	rundll32Srv.exe	81

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:576
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1012
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:780
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3428
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3368
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3276
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1596
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1688
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1464
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:2864
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4748
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4412
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3652
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3528

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5084 -ip 5084
  2⤵
  PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3024

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:760
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\53de53007ecd2497d183c9184d74fe1ac165d096ed8e83287ea1ec510fa43d1d.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\53de53007ecd2497d183c9184d74fe1ac165d096ed8e83287ea1ec510fa43d1d.dll,#1
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\rundll32Srv.exe
      C:\Windows\SysWOW64\rundll32Srv.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 576
        5⤵
        Program crash
        
        PID:1508

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2852

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2832

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2072

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\RUNDLL32SRV.EXE

Filesize
84KB

MD5
15e43cf7d67b779f26b0f7941dad5b93

SHA1
b590d4bb8826335a20ccb02e45d407421a6de85f

SHA256
382110f26a7a225baf2f1f67bcb470910170cdc511c56fdda368e376ea6782f8

SHA512
ab54b18f732a9bd8e11c845c45b60fcdf8abacc8f4f4b50b4347b37405436732c49bec34409dbc1726cadf939e8ddd02bab1d5bb9ae1c43ac80eaa86d6f42da6

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
84KB

MD5
15e43cf7d67b779f26b0f7941dad5b93

SHA1
b590d4bb8826335a20ccb02e45d407421a6de85f

SHA256
382110f26a7a225baf2f1f67bcb470910170cdc511c56fdda368e376ea6782f8

SHA512
ab54b18f732a9bd8e11c845c45b60fcdf8abacc8f4f4b50b4347b37405436732c49bec34409dbc1726cadf939e8ddd02bab1d5bb9ae1c43ac80eaa86d6f42da6

Download Submit
memory/5012-135-0x00000000751D0000-0x0000000075249000-memory.dmp

Filesize
484KB

Download
memory/5084-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5084-138-0x00000000005F0000-0x00000000005FF000-memory.dmp

Filesize
60KB

Download
memory/5084-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download