ramnit | a75de2f837b69fb96a86fcc6d47174ea515ca1f72da3b2b2812613e15456e53c

Analysis

max time kernel
130s
max time network
131s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

621386281658de98aecbf33c60186d7eJaffaCakes118.html
Size

157KB
MD5

621386281658de98aecbf33c60186d7e
SHA1

7ce5e57138f7cbd6cc58ee974a83adc933845292
SHA256

a75de2f837b69fb96a86fcc6d47174ea515ca1f72da3b2b2812613e15456e53c
SHA512

f3d2f907563a160de7d6f8f308b847cd82ea206e61bc15e7392ffd67ab5fdcafd7fb9fce740b5cec96ab10fa2c30ce26cf2b23c1f79b709b2fa499a19952bd1b
SSDEEP

3072:imgtujNex7S4o+MyfkMY+BES09JXAnyrZalI+YQ:img0jNeu+xsMYod+X3oI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exeDesktopLayer.exe

pid process

1652 svchost.exe
936 DesktopLayer.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2580 IEXPLORE.EXE
1652 svchost.exe

pid	process
1652	svchost.exe
936	DesktopLayer.exe

pid	process
2580	IEXPLORE.EXE
1652	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/1652-436-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/936-443-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/936-447-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF6DD.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{46809C71-189B-11EF-B023-6200E4292AD7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422585933"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

936 DesktopLayer.exe
936 DesktopLayer.exe
936 DesktopLayer.exe
936 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1920 iexplore.exe
1920 iexplore.exe

pid	process
936	DesktopLayer.exe
936	DesktopLayer.exe
936	DesktopLayer.exe
936	DesktopLayer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1920	iexplore.exe
1920	iexplore.exe
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
1920	iexplore.exe
1920	iexplore.exe
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 1920 wrote to memory of 2580	1920	iexplore.exe	IEXPLORE.EXE
PID 1920 wrote to memory of 2580	1920	iexplore.exe	IEXPLORE.EXE
PID 1920 wrote to memory of 2580	1920	iexplore.exe	IEXPLORE.EXE
PID 1920 wrote to memory of 2580	1920	iexplore.exe	IEXPLORE.EXE
PID 2580 wrote to memory of 1652	2580	IEXPLORE.EXE	svchost.exe
PID 2580 wrote to memory of 1652	2580	IEXPLORE.EXE	svchost.exe
PID 2580 wrote to memory of 1652	2580	IEXPLORE.EXE	svchost.exe
PID 2580 wrote to memory of 1652	2580	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 936	1652	svchost.exe	DesktopLayer.exe
PID 1652 wrote to memory of 936	1652	svchost.exe	DesktopLayer.exe
PID 1652 wrote to memory of 936	1652	svchost.exe	DesktopLayer.exe
PID 1652 wrote to memory of 936	1652	svchost.exe	DesktopLayer.exe
PID 936 wrote to memory of 2064	936	DesktopLayer.exe	iexplore.exe
PID 936 wrote to memory of 2064	936	DesktopLayer.exe	iexplore.exe
PID 936 wrote to memory of 2064	936	DesktopLayer.exe	iexplore.exe
PID 936 wrote to memory of 2064	936	DesktopLayer.exe	iexplore.exe
PID 1920 wrote to memory of 1708	1920	iexplore.exe	IEXPLORE.EXE
PID 1920 wrote to memory of 1708	1920	iexplore.exe	IEXPLORE.EXE
PID 1920 wrote to memory of 1708	1920	iexplore.exe	IEXPLORE.EXE
PID 1920 wrote to memory of 1708	1920	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\621386281658de98aecbf33c60186d7eJaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2064

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275475 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
efeec21a2bc570ebe2508fc1f66e3727

SHA1
fa5e57b8ec75d27b488b8c9f2e579ef0a21ac252

SHA256
dd1eec5b89e55d1b6b0f82f5502403fd9519b80670beadd98f03756a544f8411

SHA512
dc482b3e5f09d50ca91c89db59d892a72aff8ed05824ad0eaf6a45b27657d9e0d9899b0455f730a5cedbe9f2be2e10c97462db8105ba01570e5ae245885b3c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
97281b5a72e71cc5ff1ce49fc2da34e9

SHA1
5b76d6fd164193d9e09738322fd02755645bc786

SHA256
16c8cc8f8ea5e68aaefbda03b3091cb43c4f21998ea9e9b3d77442cdc748cdc0

SHA512
f246f77240304b72bbb415e7e8423d4ae0df572a893a4d0461329f6f8b7c3eb16978704e83a289687defb7efaf75fe318f4cd9b2eb7ee9fef86d81f73d50f33b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
afec149c67871e5a2cf02faaf3309752

SHA1
882274570c77851d4abeabfbe9ae784a389624a5

SHA256
d2b42b5ab1971fa0556fbe375bd717c75d0c14bedeef373fec9a5be7bf60ae3c

SHA512
36fcd2224ca7d0ad67c2312a8d02b0fc6ac49ff1d0f7f27e5e0b5d1a57f625486983fcf8135f168bff85eb274771bb1a7433dca2ca93b5f2408e329199505c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e2e56e207fb5e071cd4f2a54d7117a0c

SHA1
c51adecae8e075b1ab8903513c7c450e303990de

SHA256
d09a64cc6e03015497f6e37974f7af346efe62502782750104bef5df229d18dc

SHA512
769f4796761af07096af3aa253a2ece30fcf0fc4ed5d212ac160c001836a7b5c5ef32b438281ded643c7be9280ff8cd9ca3deb8959e63ae8170349b7ac8191c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7c2427553a0a5478f3112cf30053fd82

SHA1
072e277b7f8da4b93448b6b416909cd5f229c73a

SHA256
09a7989256f68a545148174e497a22359e1909b3937aa03c400fb8dcf9109468

SHA512
13aa2f4d20ac7b35cfab007723094cd80502149fb0f601982d80fe1de91d495e6731e62e30226c8db021bc71bcea3ad0ac4db32e6270d5ec5d9d7803c43b22ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
14f386eac44001a5f49f66efa091c77d

SHA1
c7dfe0a95c9302e81bfca36dfa5502eaf0ea609e

SHA256
37d75d572df5334b633bd5f5a813498610a6b4e1b754d92268b1310bc3ff736f

SHA512
f4a8152d2462029ba00bb3be74b22ce9fedb0714aa41a1b529f1e7f9fd05091263b1589e724dbeb6ba406c8e5b9472b38af6930f8d5caa55c18c42c91f32c781

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9e6ca7fd6a584db0934140477d3c8239

SHA1
e050cd94fa0ec9bb1f140dd5de4e08a57c4a677f

SHA256
0aed395067262a5a48075830560550f47a9c414cb8b07e174ef3f383fcdb656c

SHA512
01dcb2140086c42e8ff72e7ffebfefa01efeee5760f0c8aaee0e992b9206ce3f1375c2503b7920ecdcaf446b7d0702cb32ed4913b9543b198f38d0ce14b817eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ce39b923c47ac39dfb132dd47b2795a

SHA1
b2d387361b2a2a391bcde1e80fdf355de11ed64b

SHA256
401137c72b5ea12562bf203abd89309fa30edfd21603cab8baab718634db1493

SHA512
6790f105471112ddf4fdf84f103b7093143e3f182c32a352c9ce9cd0e490417334eecd9cfd455223cdf98c1ee10cee4cb3808e309b052fcc881866d2591bf099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2b89fa963f9f743ff36e74ce92109a2d

SHA1
fb95e07c14aa0e81c2c113b07753420c4b346cd4

SHA256
e78b811de10f375f3647735bc7249efe1b9d1208b6a797af928dd6fd82c3ff7a

SHA512
1ef5744ae998dea05808d5626f16bce66fce57fae72902d2a17a30e7cc21af71a210aa5e32e929d7171113c3567f7363e0d5a5cccc8d3eb18eca6696d41c045e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4596b074b3f0800d5aaa06f40387d136

SHA1
c3ce26368f8ef301f51cc17df79d22df0784a438

SHA256
f3a13eab81e24374157dca1299756034eeae07d5f014e74bdbd6c0e6a3636d25

SHA512
44a63f034dbbd6b66a7e2bb331a816dc76bb5c9816cbdf3519d53149e08fa353e1ef0392d4b5bef4761def8aed50085e447cc4c3a0c3893a8897afca5a9b239a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
667dddf2e2c06c8b8364a33881c0e00e

SHA1
7637905e714bb75b5af349ee3aea92062ccc762f

SHA256
95acb17feacb2066708db6952870a69c66dce051e94de246464ab3a9e85c3895

SHA512
1435f34a9385a99caa648bc6eab8fe4246747bde21a906e3a2eddc4c07f160cb68330f283993e07010fb8ca9d97a044b74a042ce9913e438538f149dd13eb545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c4b93e699f2e5c6fc05d8029d18f1fc9

SHA1
b662a59e664304692a4b974e5cdad0ea320efeaa

SHA256
41800633fadc9f058014794163569bbe9945886e9d5ff20667849c4030692ccc

SHA512
095e2ea21ae51c3818c827918b67801941f95dcfc4ad83af6c0f49c0f8ec4345ef2f5a64ed273604f5ee5cb843eb9ff84c13faeab0dd2b15f2c3daa56afcd282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
65d3c38e461312942c8b4a5947fad404

SHA1
bd7faac576e53ef982eb4f780cbedf855242a08c

SHA256
20affb206a51f48e6f42191ccbe8800eb7ac07f95394317bc4f62625fb9f4e41

SHA512
8a399804d4c2d4017d8e306a30d5e1e57bdc265432d85dc3f0a518b853dfe36efed21abcd9ddf52d53fe50df3bb50584976477b6a05cbb468463df4a1020c9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab144E.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar14CD.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/936-447-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/936-443-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/936-445-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1652-437-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/1652-436-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download