ramnit | d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b

Analysis

max time kernel
147s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b.dll
Size

622KB
MD5

0410cb071b28551a84b14f8fd635131f
SHA1

b4e952344d2ed614c6c88c1fdff8382a58e4e790
SHA256

d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b
SHA512

afbe2b9cc7d1176463d29d067c99832d2fa72337d5f11e0046299c045e4fe398cad677e481fb319652e16d5f378665f9c17acae65789671e858c0467285dd84d
SSDEEP

12288:8h8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNRTiJJ3tSOK8:88F+Pzr/Hfp4MIYwZckMQmRPOK8

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 3 IoCs

pid	Process
4356	rundll32mgr.exe
3752	rundll32mgrmgr.exe
4964	WaterMark.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4356-145-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/3752-144-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3752-147-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/3752-148-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4356-149-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4356-150-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/3752-151-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3752-153-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4356-154-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4356-155-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3752-158-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4964-166-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4964-167-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4964-169-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4964-168-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4964-172-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4964-173-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4964-174-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4964-175-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/4964-176-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAD8A.tmp	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAD9A.tmp	rundll32mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2836	4908	WerFault.exe	85

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377180626"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{87D62FDE-7629-11ED-B696-FA09CB65A760} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{87DADA6B-7629-11ED-B696-FA09CB65A760} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe
4964	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1028	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1316	iexplore.exe
1028	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1028	iexplore.exe
1028	iexplore.exe
1316	iexplore.exe
1316	iexplore.exe
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
3752	rundll32mgrmgr.exe
4356	rundll32mgr.exe
4964	WaterMark.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 1880	3212	rundll32.exe	81
PID 3212 wrote to memory of 1880	3212	rundll32.exe	81
PID 3212 wrote to memory of 1880	3212	rundll32.exe	81
PID 1880 wrote to memory of 4356	1880	rundll32.exe	82
PID 1880 wrote to memory of 4356	1880	rundll32.exe	82
PID 1880 wrote to memory of 4356	1880	rundll32.exe	82
PID 4356 wrote to memory of 3752	4356	rundll32mgr.exe	83
PID 4356 wrote to memory of 3752	4356	rundll32mgr.exe	83
PID 4356 wrote to memory of 3752	4356	rundll32mgr.exe	83
PID 3752 wrote to memory of 4964	3752	rundll32mgrmgr.exe	84
PID 3752 wrote to memory of 4964	3752	rundll32mgrmgr.exe	84
PID 3752 wrote to memory of 4964	3752	rundll32mgrmgr.exe	84
PID 4964 wrote to memory of 4908	4964	WaterMark.exe	85
PID 4964 wrote to memory of 4908	4964	WaterMark.exe	85
PID 4964 wrote to memory of 4908	4964	WaterMark.exe	85
PID 4964 wrote to memory of 4908	4964	WaterMark.exe	85
PID 4964 wrote to memory of 4908	4964	WaterMark.exe	85
PID 4964 wrote to memory of 4908	4964	WaterMark.exe	85
PID 4964 wrote to memory of 4908	4964	WaterMark.exe	85
PID 4964 wrote to memory of 4908	4964	WaterMark.exe	85
PID 4964 wrote to memory of 4908	4964	WaterMark.exe	85
PID 4964 wrote to memory of 1028	4964	WaterMark.exe	89
PID 4964 wrote to memory of 1028	4964	WaterMark.exe	89
PID 4964 wrote to memory of 1316	4964	WaterMark.exe	90
PID 4964 wrote to memory of 1316	4964	WaterMark.exe	90
PID 1028 wrote to memory of 1512	1028	iexplore.exe	92
PID 1028 wrote to memory of 1512	1028	iexplore.exe	92
PID 1028 wrote to memory of 1512	1028	iexplore.exe	92
PID 1316 wrote to memory of 1464	1316	iexplore.exe	91
PID 1316 wrote to memory of 1464	1316	iexplore.exe	91
PID 1316 wrote to memory of 1464	1316	iexplore.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:3752
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 204
        7⤵
        Program crash
        
        PID:2836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{87D62FDE-7629-11ED-B696-FA09CB65A760}.dat

Filesize
5KB

MD5
d91a2c9b9e3aad98e2578c7f237849e6

SHA1
847c4e3ed437489c2c5690c6d02652f28eef4f58

SHA256
24dd1ff37d3ab492e13cc463a5f150d788fe014af2026c9d747e98ead741c76b

SHA512
bfb9c5111fd61d01570db9d9ee0d199a59665f590f0b97c982eb6affbe11ecd016e3797ce4eb27afcaffbdc8c4bfa07c6f9558154d3657c51b5fbc1f4abfdef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{87DADA6B-7629-11ED-B696-FA09CB65A760}.dat

Filesize
3KB

MD5
d3d8da79420c745e8106a3edba5c2c6d

SHA1
911b26834502a414007aa6fa3f89c9d146e28c06

SHA256
05d3ae6a5261ff407819f44901ecadb09db7638a524501c571cd03c6dd069d99

SHA512
7001de14f6adea6001d6c9e4869d7948c6df773adb4906b376ed2849d182c430468be23ff870130aa6100faf2d992d3155dee5e3e01b6fb407d4d4ef9523d26d

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
memory/1880-142-0x0000000010000000-0x00000000100A1000-memory.dmp

Filesize
644KB

Download
memory/3752-148-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3752-158-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3752-147-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3752-151-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3752-153-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3752-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4356-154-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4356-145-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4356-155-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4356-150-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4356-149-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4964-168-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4964-169-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4964-167-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4964-166-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4964-172-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4964-173-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4964-174-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4964-175-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4964-176-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download