rms | ceff28e5f3c11405d484f4da1c7ef0a89364b0e924efa16dfc89bf126edf90cb

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
Size

5.0MB
MD5

a130eb93419de9f19d0c66aeaaf184d5
SHA1

033f9d97a55a7ff64209cb60ba14afc50d5f707b
SHA256

ceff28e5f3c11405d484f4da1c7ef0a89364b0e924efa16dfc89bf126edf90cb
SHA512

536a8e6b0d9f5cadb0a857aaf092fe73c88dedfa61ba7ff79212a1e14c8c7ba9216c08ef3afdfbfce2159cf92e39e9ad3d079fcdf0b93cd8ebfe3e3075030f53
SSDEEP

98304:4Pcea/pZHvMwvRwCOg/XZtDpDJVWSp11YOrGpQ9OsZqjntStnOs2ac9Y5D9c:4PfaR6w5hOyNNqSpdO2HZqjnWOslSY5+

Score

10^/10

rms persistence rat trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1svnhost.exe, explorer.exe"	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1svnhost.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1svnhost.exe

Executes dropped EXE 8 IoCs

pid	Process
2784	1svnhost.exe
3636	rutserv.exe
1132	rfusclient.exe
3140	rutserv.exe
5028	rutserv.exe
1492	rutserv.exe
2868	rfusclient.exe
3216	rfusclient.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023400-27.dat	upx
behavioral2/files/0x0007000000023401-33.dat	upx
behavioral2/memory/3636-35-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1132-36-0x0000000000400000-0x00000000009B3000-memory.dmp	upx
behavioral2/memory/3636-38-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/3140-40-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/3140-41-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/5028-43-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/2868-51-0x0000000000400000-0x00000000009B3000-memory.dmp	upx
behavioral2/memory/3216-52-0x0000000000400000-0x00000000009B3000-memory.dmp	upx
behavioral2/memory/5028-54-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-57-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-59-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-60-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-63-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-65-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-67-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-70-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-72-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-74-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-76-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-78-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx
behavioral2/memory/1492-82-0x0000000000400000-0x0000000000ABA000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System64\1svnhost.exe	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
File created	C:\Windows\System64\rfusclient.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\rutserv.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File created	C:\Windows\Zont911\Tupe.bat	1svnhost.exe
File created	C:\Windows\System64\1svnhost.exe	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
File created	C:\Windows\System64\rutserv.exe	1svnhost.exe
File created	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File created	C:\Windows\System64\svnhost.exe	cmd.exe
File created	C:\Windows\Zont911\Regedit.reg	1svnhost.exe
File opened for modification	C:\Windows\System64\svnhost.exe	cmd.exe
File created	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File opened for modification	C:\Windows\System64\rfusclient.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\rutserv.pdb	rutserv.exe
File created	C:\Windows\Zont911\hostbb.zip	1svnhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
5116	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	rutserv.exe
Token: SeDebugPrivilege	5028	rutserv.exe
Token: SeTakeOwnershipPrivilege	1492	rutserv.exe
Token: SeTcbPrivilege	1492	rutserv.exe
Token: SeTcbPrivilege	1492	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3636	rutserv.exe
3140	rutserv.exe
5028	rutserv.exe
1492	rutserv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 2784	4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe	85
PID 4120 wrote to memory of 2784	4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe	85
PID 4120 wrote to memory of 2784	4120	a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe	85
PID 2784 wrote to memory of 5116	2784	1svnhost.exe	86
PID 2784 wrote to memory of 5116	2784	1svnhost.exe	86
PID 2784 wrote to memory of 5116	2784	1svnhost.exe	86
PID 2784 wrote to memory of 4304	2784	1svnhost.exe	87
PID 2784 wrote to memory of 4304	2784	1svnhost.exe	87
PID 2784 wrote to memory of 4304	2784	1svnhost.exe	87
PID 4304 wrote to memory of 2244	4304	cmd.exe	89
PID 4304 wrote to memory of 2244	4304	cmd.exe	89
PID 4304 wrote to memory of 2244	4304	cmd.exe	89
PID 4304 wrote to memory of 3636	4304	cmd.exe	90
PID 4304 wrote to memory of 3636	4304	cmd.exe	90
PID 4304 wrote to memory of 3636	4304	cmd.exe	90
PID 2784 wrote to memory of 1132	2784	1svnhost.exe	91
PID 2784 wrote to memory of 1132	2784	1svnhost.exe	91
PID 2784 wrote to memory of 1132	2784	1svnhost.exe	91
PID 4304 wrote to memory of 3140	4304	cmd.exe	92
PID 4304 wrote to memory of 3140	4304	cmd.exe	92
PID 4304 wrote to memory of 3140	4304	cmd.exe	92
PID 4304 wrote to memory of 5028	4304	cmd.exe	93
PID 4304 wrote to memory of 5028	4304	cmd.exe	93
PID 4304 wrote to memory of 5028	4304	cmd.exe	93
PID 1492 wrote to memory of 2868	1492	rutserv.exe	95
PID 1492 wrote to memory of 2868	1492	rutserv.exe	95
PID 1492 wrote to memory of 2868	1492	rutserv.exe	95
PID 1492 wrote to memory of 3216	1492	rutserv.exe	96
PID 1492 wrote to memory of 3216	1492	rutserv.exe	96
PID 1492 wrote to memory of 3216	1492	rutserv.exe	96

C:\Users\Admin\AppData\Local\Temp\a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a130eb93419de9f19d0c66aeaaf184d5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\System64\1svnhost.exe
  "C:\Windows\System64\1svnhost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:2244
  - - C:\Windows\System64\rutserv.exe
      "C:\Windows\System64\rutserv.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3636
  - - C:\Windows\System64\rutserv.exe
      "C:\Windows\System64\rutserv.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3140
  - - C:\Windows\System64\rutserv.exe
      "C:\Windows\System64\rutserv.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5028
- - C:\Windows\System64\rfusclient.exe
    "C:\Windows\System64\rfusclient.exe"
    3⤵
    - Executes dropped EXE
    PID:1132

C:\Windows\System64\rutserv.exe
C:\Windows\System64\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\1svnhost.exe

Filesize
5.0MB

MD5
a130eb93419de9f19d0c66aeaaf184d5

SHA1
033f9d97a55a7ff64209cb60ba14afc50d5f707b

SHA256
ceff28e5f3c11405d484f4da1c7ef0a89364b0e924efa16dfc89bf126edf90cb

SHA512
536a8e6b0d9f5cadb0a857aaf092fe73c88dedfa61ba7ff79212a1e14c8c7ba9216c08ef3afdfbfce2159cf92e39e9ad3d079fcdf0b93cd8ebfe3e3075030f53

Download Submit
C:\Windows\System64\rfusclient.exe

Filesize
1.5MB

MD5
eac85a4a79a168cb47c0810e23e6d2fe

SHA1
0e053ed568dc2f07d76b0e006a9e19655797b89e

SHA256
86b9593479937ca7dfe9ef6744cc321808c0585b63312cb50952f709c498096f

SHA512
b424136d58d266ba045a2ad95efeb8cdc69d77a9442521bf196390b934a7752bf728daeaf2fb3df887abf9c719a2526a8179e368cb228603b9243e3c7148c8e0

Download Submit
C:\Windows\System64\rutserv.exe

Filesize
1.8MB

MD5
fa4b26c53cfb2661ba072cf8da181b1a

SHA1
295f19aad28e80c5e371078989815c612110229c

SHA256
3a92288781a1f411f43e59ae32ea78b89997e7a5d1b6f12771f39fb6fa345db7

SHA512
f6399c683c41f518a1096c87303758d50d6419e62317bfe2d362f66e5048f81583be12b32348dc095a34c0de0a79867376fdb8fc4677080d665e001b38cbfa64

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
2594fc01ac2488b8f0edbd94575bb0e7

SHA1
6532ca1b36bbe19ba0986124b7fff81c41152afe

SHA256
915c62220b0c5c200f342ca177df76e65c5048c7b61868d32e4efc0dea4adbef

SHA512
4e44d5646c752ebef7537833e0bd4fe1c1ca3b89cb11a2a1afeb15e24e74f011c742948cee54e099bcabde3dcd157a5fe25cea0597148008831f547ab5579787

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
278B

MD5
2aae081f3acb9615cd58a9a05a24bc3f

SHA1
82386fc85643d0aedfddb39a8f628ff1f51de8be

SHA256
4438fb1637120602efbe98aca834c02365b9132fe36ffd8c26d7f5c22d9ec1bd

SHA512
47a68649c4f01e9d084fa2838a7b79fd9719c4bf1dfa35d6efac92423c7423cd01fb9944610b88c73a82a2968aeb956e127308a4b5cc39fd9d8e1ede1bbff958

Download Submit
memory/1132-36-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/1492-82-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-67-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-76-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-74-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-72-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-70-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-78-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-60-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-59-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-65-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-63-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/1492-57-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/2784-56-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2784-55-0x0000000000400000-0x0000000000900000-memory.dmp

Filesize
5.0MB

Download
memory/2784-10-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2868-62-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/2868-51-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3140-41-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/3140-40-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/3216-52-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3636-38-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/3636-35-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/4120-0-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4120-9-0x0000000000400000-0x0000000000900000-memory.dmp

Filesize
5.0MB

Download
memory/5028-54-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download
memory/5028-43-0x0000000000400000-0x0000000000ABA000-memory.dmp

Filesize
6.7MB

Download