ramnit | 2abb45ab0e2c1482e7bd80909cb4ad6cf9a3fbfe67c7e1823204ebf663cc89ee

Analysis

max time kernel
163s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2abb45ab0e2c1482e7bd80909cb4ad6cf9a3fbfe67c7e1823204ebf663cc89ee.dll
Size

1.0MB
MD5

1ffdc5523571842b75b71dfdc86e538a
SHA1

f448e59b8545b185ade91ae0e69a3d70aff170eb
SHA256

2abb45ab0e2c1482e7bd80909cb4ad6cf9a3fbfe67c7e1823204ebf663cc89ee
SHA512

ec58434a67faa54a9ad2c46cc8542df2881d7e5540c6b813aaa84db67212894744187a8faa0ad9981cad7e317012c6e8587b4ed5e092c71da0c98554bc36f8b6
SSDEEP

24576:mNHDssXka/yPQPYlYfeZebgKEIeqmvf7a49:gXk+CekKbeqSWe

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
224	regsvr32mgr.exe
4152	WaterMark.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-142-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4152-150-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4152-151-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4152-152-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4152-153-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4152-154-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4152-155-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4152-156-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px35B.tmp	regsvr32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1788	4868	WerFault.exe	86

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376007657"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{82742095-6B7E-11ED-BF5F-D2F35ABB710A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8273F985-6B7E-11ED-BF5F-D2F35ABB710A} = "0"	iexplore.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2abb45ab0e2c1482e7bd80909cb4ad6cf9a3fbfe67c7e1823204ebf663cc89ee.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2abb45ab0e2c1482e7bd80909cb4ad6cf9a3fbfe67c7e1823204ebf663cc89ee.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}\InprocServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe
4152	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1964	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4596	iexplore.exe
1964	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4596	iexplore.exe
4596	iexplore.exe
1964	iexplore.exe
1964	iexplore.exe
3128	IEXPLORE.EXE
3128	IEXPLORE.EXE
4896	IEXPLORE.EXE
4896	IEXPLORE.EXE
3128	IEXPLORE.EXE
3128	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
224	regsvr32mgr.exe
4152	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 3148	4652	regsvr32.exe	83
PID 4652 wrote to memory of 3148	4652	regsvr32.exe	83
PID 4652 wrote to memory of 3148	4652	regsvr32.exe	83
PID 3148 wrote to memory of 224	3148	regsvr32.exe	84
PID 3148 wrote to memory of 224	3148	regsvr32.exe	84
PID 3148 wrote to memory of 224	3148	regsvr32.exe	84
PID 224 wrote to memory of 4152	224	regsvr32mgr.exe	85
PID 224 wrote to memory of 4152	224	regsvr32mgr.exe	85
PID 224 wrote to memory of 4152	224	regsvr32mgr.exe	85
PID 4152 wrote to memory of 4868	4152	WaterMark.exe	86
PID 4152 wrote to memory of 4868	4152	WaterMark.exe	86
PID 4152 wrote to memory of 4868	4152	WaterMark.exe	86
PID 4152 wrote to memory of 4868	4152	WaterMark.exe	86
PID 4152 wrote to memory of 4868	4152	WaterMark.exe	86
PID 4152 wrote to memory of 4868	4152	WaterMark.exe	86
PID 4152 wrote to memory of 4868	4152	WaterMark.exe	86
PID 4152 wrote to memory of 4868	4152	WaterMark.exe	86
PID 4152 wrote to memory of 4868	4152	WaterMark.exe	86
PID 4152 wrote to memory of 1964	4152	WaterMark.exe	91
PID 4152 wrote to memory of 1964	4152	WaterMark.exe	91
PID 4152 wrote to memory of 4596	4152	WaterMark.exe	92
PID 4152 wrote to memory of 4596	4152	WaterMark.exe	92
PID 4596 wrote to memory of 4896	4596	iexplore.exe	95
PID 4596 wrote to memory of 4896	4596	iexplore.exe	95
PID 4596 wrote to memory of 4896	4596	iexplore.exe	95
PID 1964 wrote to memory of 3128	1964	iexplore.exe	94
PID 1964 wrote to memory of 3128	1964	iexplore.exe	94
PID 1964 wrote to memory of 3128	1964	iexplore.exe	94

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2abb45ab0e2c1482e7bd80909cb4ad6cf9a3fbfe67c7e1823204ebf663cc89ee.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2abb45ab0e2c1482e7bd80909cb4ad6cf9a3fbfe67c7e1823204ebf663cc89ee.dll
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 204
        6⤵
        Program crash
        
        PID:1788
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3128
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4596
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4596 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4868 -ip 4868
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
119KB

MD5
9d5d609dc8e2554054733d19eed45c5c

SHA1
ce72453fca9f477940a9def32bd8463549c6e1e4

SHA256
7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1

SHA512
012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
119KB

MD5
9d5d609dc8e2554054733d19eed45c5c

SHA1
ce72453fca9f477940a9def32bd8463549c6e1e4

SHA256
7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1

SHA512
012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8273F985-6B7E-11ED-BF5F-D2F35ABB710A}.dat

Filesize
5KB

MD5
2cf7d40d730e5324b312f3b659d59862

SHA1
a6114c32b8771599ccc71c2356dae0bbedffd0ca

SHA256
bda82b6042c2c5da5c72218fa65df9a56138e326d8de04b81383b985c965d139

SHA512
6a722f138fdd827de10e1abf0505af1c1f5d8f26fc402d6aa91b6fdd20817e20c89fcc16be6cec7174d01308efeef35cbc193a18e6b7e8073e1ca609cb40a964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{82742095-6B7E-11ED-BF5F-D2F35ABB710A}.dat

Filesize
5KB

MD5
66763074c7ea965e6ea07f3762c6e74f

SHA1
486b49e0a6d6eb0a79c4008027732019670ef853

SHA256
cc01a7b6ba6997eb0b25e4e5a52d5fa332fe3400f89dd47e3651d43a4d6a40cc

SHA512
10d330822e746864409888235084347e9501ab0f77319609cc41afeb5188db0e3b85d5add852d8ab0bd58788aba525d39d66e5a63c772698fd127ddbd3b8a2b9

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
119KB

MD5
9d5d609dc8e2554054733d19eed45c5c

SHA1
ce72453fca9f477940a9def32bd8463549c6e1e4

SHA256
7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1

SHA512
012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
119KB

MD5
9d5d609dc8e2554054733d19eed45c5c

SHA1
ce72453fca9f477940a9def32bd8463549c6e1e4

SHA256
7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1

SHA512
012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b

Download Submit
memory/224-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4152-154-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4152-151-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4152-152-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4152-153-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4152-150-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4152-155-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4152-156-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download