rms | ceff28e5f3c11405d484f4da1c7ef0a89364b0e924efa16dfc89bf126edf90cb

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
Size

5.0MB
MD5

a130eb93419de9f19d0c66aeaaf184d5
SHA1

033f9d97a55a7ff64209cb60ba14afc50d5f707b
SHA256

ceff28e5f3c11405d484f4da1c7ef0a89364b0e924efa16dfc89bf126edf90cb
SHA512

536a8e6b0d9f5cadb0a857aaf092fe73c88dedfa61ba7ff79212a1e14c8c7ba9216c08ef3afdfbfce2159cf92e39e9ad3d079fcdf0b93cd8ebfe3e3075030f53
SSDEEP

98304:4Pcea/pZHvMwvRwCOg/XZtDpDJVWSp11YOrGpQ9OsZqjntStnOs2ac9Y5D9c:4PfaR6w5hOyNNqSpdO2HZqjnWOslSY5+

Score

10^/10

rms persistence rat trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1svnhost.exe, explorer.exe"	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1svnhost.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

pid	Process
2300	1svnhost.exe
2568	rfusclient.exe
752	rutserv.exe
3048	rutserv.exe
1296	rutserv.exe
2228	rutserv.exe
1736	rfusclient.exe
2304	rfusclient.exe

Loads dropped DLL 5 IoCs

pid	Process
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2300	1svnhost.exe
1828	cmd.exe
2300	1svnhost.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000013a1a-35.dat	upx
behavioral1/files/0x00090000000143a0-40.dat	upx
behavioral1/memory/2568-46-0x0000000000400000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/752-47-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/752-48-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/3048-50-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/3048-52-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/1296-54-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2228-56-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/1736-61-0x0000000000400000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/1736-60-0x0000000000400000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/1296-64-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2228-67-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2228-69-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2228-74-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2228-76-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2228-80-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral1/memory/2228-86-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Zont911\Regedit.reg	1svnhost.exe
File created	C:\Windows\Zont911\hostbb.zip	1svnhost.exe
File created	C:\Windows\System64\rutserv.exe	1svnhost.exe
File created	C:\Windows\System64\1svnhost.exe	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
File created	C:\Windows\System64\rfusclient.exe	1svnhost.exe
File created	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File opened for modification	C:\Windows\System64\svnhost.exe	cmd.exe
File opened for modification	C:\Windows\System64\1svnhost.exe	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
File opened for modification	C:\Windows\System64\rfusclient.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File created	C:\Windows\Zont911\Tupe.bat	1svnhost.exe
File opened for modification	C:\Windows\System64\rutserv.exe	1svnhost.exe
File created	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File created	C:\Windows\System64\svnhost.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2756	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	rutserv.exe
Token: SeDebugPrivilege	1296	rutserv.exe
Token: SeTakeOwnershipPrivilege	2228	rutserv.exe
Token: SeTcbPrivilege	2228	rutserv.exe
Token: SeTcbPrivilege	2228	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
752	rutserv.exe
3048	rutserv.exe
1296	rutserv.exe
2228	rutserv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2300	2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe	28
PID 2648 wrote to memory of 2300	2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe	28
PID 2648 wrote to memory of 2300	2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe	28
PID 2648 wrote to memory of 2300	2648	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe	28
PID 2300 wrote to memory of 2756	2300	1svnhost.exe	29
PID 2300 wrote to memory of 2756	2300	1svnhost.exe	29
PID 2300 wrote to memory of 2756	2300	1svnhost.exe	29
PID 2300 wrote to memory of 2756	2300	1svnhost.exe	29
PID 2300 wrote to memory of 1828	2300	1svnhost.exe	30
PID 2300 wrote to memory of 1828	2300	1svnhost.exe	30
PID 2300 wrote to memory of 1828	2300	1svnhost.exe	30
PID 2300 wrote to memory of 1828	2300	1svnhost.exe	30
PID 1828 wrote to memory of 2704	1828	cmd.exe	32
PID 1828 wrote to memory of 2704	1828	cmd.exe	32
PID 1828 wrote to memory of 2704	1828	cmd.exe	32
PID 1828 wrote to memory of 2704	1828	cmd.exe	32
PID 1828 wrote to memory of 752	1828	cmd.exe	33
PID 1828 wrote to memory of 752	1828	cmd.exe	33
PID 1828 wrote to memory of 752	1828	cmd.exe	33
PID 1828 wrote to memory of 752	1828	cmd.exe	33
PID 2300 wrote to memory of 2568	2300	1svnhost.exe	34
PID 2300 wrote to memory of 2568	2300	1svnhost.exe	34
PID 2300 wrote to memory of 2568	2300	1svnhost.exe	34
PID 2300 wrote to memory of 2568	2300	1svnhost.exe	34
PID 1828 wrote to memory of 3048	1828	cmd.exe	35
PID 1828 wrote to memory of 3048	1828	cmd.exe	35
PID 1828 wrote to memory of 3048	1828	cmd.exe	35
PID 1828 wrote to memory of 3048	1828	cmd.exe	35
PID 1828 wrote to memory of 1296	1828	cmd.exe	36
PID 1828 wrote to memory of 1296	1828	cmd.exe	36
PID 1828 wrote to memory of 1296	1828	cmd.exe	36
PID 1828 wrote to memory of 1296	1828	cmd.exe	36
PID 2228 wrote to memory of 1736	2228	rutserv.exe	38
PID 2228 wrote to memory of 1736	2228	rutserv.exe	38
PID 2228 wrote to memory of 1736	2228	rutserv.exe	38
PID 2228 wrote to memory of 1736	2228	rutserv.exe	38
PID 2228 wrote to memory of 2304	2228	rutserv.exe	39
PID 2228 wrote to memory of 2304	2228	rutserv.exe	39
PID 2228 wrote to memory of 2304	2228	rutserv.exe	39
PID 2228 wrote to memory of 2304	2228	rutserv.exe	39

C:\Users\Admin\AppData\Local\Temp\a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\System64\1svnhost.exe
  "C:\Windows\System64\1svnhost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:2704
  - - C:\Windows\System64\rutserv.exe
      "C:\Windows\System64\rutserv.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:752
  - - C:\Windows\System64\rutserv.exe
      "C:\Windows\System64\rutserv.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3048
  - - C:\Windows\System64\rutserv.exe
      "C:\Windows\System64\rutserv.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1296
- - C:\Windows\System64\rfusclient.exe
    "C:\Windows\System64\rfusclient.exe"
    3⤵
    - Executes dropped EXE
    PID:2568

C:\Windows\System64\rutserv.exe
C:\Windows\System64\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\rfusclient.exe

Filesize
1.5MB

MD5
eac85a4a79a168cb47c0810e23e6d2fe

SHA1
0e053ed568dc2f07d76b0e006a9e19655797b89e

SHA256
86b9593479937ca7dfe9ef6744cc321808c0585b63312cb50952f709c498096f

SHA512
b424136d58d266ba045a2ad95efeb8cdc69d77a9442521bf196390b934a7752bf728daeaf2fb3df887abf9c719a2526a8179e368cb228603b9243e3c7148c8e0

Download Submit
C:\Windows\System64\rutserv.exe

Filesize
1.8MB

MD5
fa4b26c53cfb2661ba072cf8da181b1a

SHA1
295f19aad28e80c5e371078989815c612110229c

SHA256
3a92288781a1f411f43e59ae32ea78b89997e7a5d1b6f12771f39fb6fa345db7

SHA512
f6399c683c41f518a1096c87303758d50d6419e62317bfe2d362f66e5048f81583be12b32348dc095a34c0de0a79867376fdb8fc4677080d665e001b38cbfa64

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
2594fc01ac2488b8f0edbd94575bb0e7

SHA1
6532ca1b36bbe19ba0986124b7fff81c41152afe

SHA256
915c62220b0c5c200f342ca177df76e65c5048c7b61868d32e4efc0dea4adbef

SHA512
4e44d5646c752ebef7537833e0bd4fe1c1ca3b89cb11a2a1afeb15e24e74f011c742948cee54e099bcabde3dcd157a5fe25cea0597148008831f547ab5579787

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
278B

MD5
2aae081f3acb9615cd58a9a05a24bc3f

SHA1
82386fc85643d0aedfddb39a8f628ff1f51de8be

SHA256
4438fb1637120602efbe98aca834c02365b9132fe36ffd8c26d7f5c22d9ec1bd

SHA512
47a68649c4f01e9d084fa2838a7b79fd9719c4bf1dfa35d6efac92423c7423cd01fb9944610b88c73a82a2968aeb956e127308a4b5cc39fd9d8e1ede1bbff958

Download Submit
\Windows\System64\1svnhost.exe

Filesize
5.0MB

MD5
a130eb93419de9f19d0c66aeaaf184d5

SHA1
033f9d97a55a7ff64209cb60ba14afc50d5f707b

SHA256
ceff28e5f3c11405d484f4da1c7ef0a89364b0e924efa16dfc89bf126edf90cb

SHA512
536a8e6b0d9f5cadb0a857aaf092fe73c88dedfa61ba7ff79212a1e14c8c7ba9216c08ef3afdfbfce2159cf92e39e9ad3d079fcdf0b93cd8ebfe3e3075030f53

Download Submit
memory/752-47-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/752-48-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1296-64-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1296-54-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1736-60-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/1736-61-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/1828-42-0x0000000002570000-0x0000000002C2A000-memory.dmp

Filesize
6.7MB

Download
memory/2228-56-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2228-67-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2228-86-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2228-80-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2228-76-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2228-74-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2228-69-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2300-66-0x0000000003F50000-0x0000000004503000-memory.dmp

Filesize
5.7MB

Download
memory/2300-65-0x0000000000400000-0x0000000000900000-memory.dmp

Filesize
5.0MB

Download
memory/2300-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2300-68-0x0000000000400000-0x0000000000900000-memory.dmp

Filesize
5.0MB

Download
memory/2300-73-0x0000000000400000-0x0000000000900000-memory.dmp

Filesize
5.0MB

Download
memory/2300-45-0x0000000003F50000-0x0000000004503000-memory.dmp

Filesize
5.7MB

Download
memory/2300-93-0x0000000000400000-0x0000000000900000-memory.dmp

Filesize
5.0MB

Download
memory/2568-46-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/2648-10-0x0000000000400000-0x0000000000900000-memory.dmp

Filesize
5.0MB

Download
memory/2648-0-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/3048-52-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/3048-50-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download