ramnit | 52fe23c277e28799c50afb344f5bd09b79ef6734bd485be208d191c27dc5fffa

Analysis

max time kernel
78s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 16:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/System.dll
Size

124KB
MD5

a5aba2154379a3272c28df43ad342017
SHA1

caaa0fdb1e6aa4369a6b2c751f7bed89f7fd5d8d
SHA256

ab8e9bff458b2e07c0d8ea42b473303b6a6199a9d549401049006b0bc807a9e2
SHA512

530121bacbfc8c08bc214f434a2e6e4a8e7b48078c771456f8d0f00b8a07b86de2a248e7cbc8f10f0fc4354519cc990a93ae3b1beae00426cecfb63a037b9d29
SSDEEP

1536:xIfbm6gv1TPn3QvVIaoAsvVSeSesAdHXjgGkP/jCKQmF3FYkcnvTY1rM:+finznHXxSe7znkD5p5FYtbY1o

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

pid	Process
3524	rundll32Srv.exe
2944	rundll32SrvSrv.exe
1648	DesktopLayer.exe
4928	DesktopLayerSrv.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral16/files/0x000600000002326f-3.dat	upx
behavioral16/memory/3524-5-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral16/memory/3524-12-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral16/files/0x00080000000233d8-25.dat	upx
behavioral16/memory/4928-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral16/memory/1648-30-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral16/memory/1648-24-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral16/memory/2944-13-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral16/memory/2944-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral16/memory/2944-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32SrvSrv.exe	rundll32Srv.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px705D.tmp	rundll32SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px70AC.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px704E.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4048	5016	WerFault.exe	80

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AFADCBE2-28DA-11EF-BA70-E659512317F8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AFA906E0-28DA-11EF-BA70-E659512317F8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AFB29079-28DA-11EF-BA70-E659512317F8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424372398"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2944	rundll32SrvSrv.exe
2944	rundll32SrvSrv.exe
2944	rundll32SrvSrv.exe
2944	rundll32SrvSrv.exe
2944	rundll32SrvSrv.exe
2944	rundll32SrvSrv.exe
2944	rundll32SrvSrv.exe
2944	rundll32SrvSrv.exe
1648	DesktopLayer.exe
1648	DesktopLayer.exe
1648	DesktopLayer.exe
1648	DesktopLayer.exe
1648	DesktopLayer.exe
1648	DesktopLayer.exe
1648	DesktopLayer.exe
1648	DesktopLayer.exe
4928	DesktopLayerSrv.exe
4928	DesktopLayerSrv.exe
4928	DesktopLayerSrv.exe
4928	DesktopLayerSrv.exe
4928	DesktopLayerSrv.exe
4928	DesktopLayerSrv.exe
4928	DesktopLayerSrv.exe
4928	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2920	iexplore.exe
4960	iexplore.exe
3468	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3468	iexplore.exe
3468	iexplore.exe
4960	iexplore.exe
4960	iexplore.exe
2920	iexplore.exe
2920	iexplore.exe
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
4428	IEXPLORE.EXE
4428	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 5016	1016	rundll32.exe	80
PID 1016 wrote to memory of 5016	1016	rundll32.exe	80
PID 1016 wrote to memory of 5016	1016	rundll32.exe	80
PID 5016 wrote to memory of 3524	5016	rundll32.exe	81
PID 5016 wrote to memory of 3524	5016	rundll32.exe	81
PID 5016 wrote to memory of 3524	5016	rundll32.exe	81
PID 3524 wrote to memory of 2944	3524	rundll32Srv.exe	82
PID 3524 wrote to memory of 2944	3524	rundll32Srv.exe	82
PID 3524 wrote to memory of 2944	3524	rundll32Srv.exe	82
PID 3524 wrote to memory of 1648	3524	rundll32Srv.exe	84
PID 3524 wrote to memory of 1648	3524	rundll32Srv.exe	84
PID 3524 wrote to memory of 1648	3524	rundll32Srv.exe	84
PID 2944 wrote to memory of 2920	2944	rundll32SrvSrv.exe	85
PID 2944 wrote to memory of 2920	2944	rundll32SrvSrv.exe	85
PID 1648 wrote to memory of 4928	1648	DesktopLayer.exe	86
PID 1648 wrote to memory of 4928	1648	DesktopLayer.exe	86
PID 1648 wrote to memory of 4928	1648	DesktopLayer.exe	86
PID 1648 wrote to memory of 3468	1648	DesktopLayer.exe	87
PID 1648 wrote to memory of 3468	1648	DesktopLayer.exe	87
PID 4928 wrote to memory of 4960	4928	DesktopLayerSrv.exe	88
PID 4928 wrote to memory of 4960	4928	DesktopLayerSrv.exe	88
PID 3468 wrote to memory of 1952	3468	iexplore.exe	90
PID 3468 wrote to memory of 1952	3468	iexplore.exe	90
PID 3468 wrote to memory of 1952	3468	iexplore.exe	90
PID 4960 wrote to memory of 4428	4960	iexplore.exe	92
PID 4960 wrote to memory of 4428	4960	iexplore.exe	92
PID 4960 wrote to memory of 4428	4960	iexplore.exe	92
PID 2920 wrote to memory of 3036	2920	iexplore.exe	93
PID 2920 wrote to memory of 3036	2920	iexplore.exe	93
PID 2920 wrote to memory of 3036	2920	iexplore.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\rundll32SrvSrv.exe
      C:\Windows\SysWOW64\rundll32SrvSrv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3036
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4960 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4428
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3468 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 620
    3⤵
    - Program crash
    PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AFA906E0-28DA-11EF-BA70-E659512317F8}.dat

Filesize
5KB

MD5
8421054041c760fba1c200a3a43c4c81

SHA1
55be6b5247b40c773bb855d998a5adb9b92ba8e1

SHA256
44dd862f9bdb1563af429238d0b62a5e89ca03a7d5e5a5ec9b77248b2432aaa1

SHA512
e3ba7d2ad2c50b3824dee0acfbf0c8591632229ce5c1bf7abefb1c864f38201a90f57b5a4849e150429e0c266251702458c9af97a7dc653063c0192c270b0467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AFADCBE2-28DA-11EF-BA70-E659512317F8}.dat

Filesize
3KB

MD5
2072c1890914682d64a08394a9d09968

SHA1
c6d7a9844b8d6315e3941c45225f72248563d32e

SHA256
af31c4215e30914e44a1cf75c3e298bb1d7e8429582563d121dac5bf3f2d0aa5

SHA512
16e8ba0d25f3d35360cc811b0e80ab4c0b6f7e538af779c001d1946422d9e69c0a0c1e719105c2e51f42ba13dc2effb3ab63cd993f351f9f8799fd1b09841e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AFB29079-28DA-11EF-BA70-E659512317F8}.dat

Filesize
5KB

MD5
2572cff95161dd3969619ff1218d396c

SHA1
3586f87a345cddda685afdfc6a2ac194745ee4a0

SHA256
6da9d98759bcd8da9f8c52a097afa931c624fec7c2a6496dcf6f68ccc9283fa8

SHA512
a61002b515fc60ace21b5ec4cb7055d75b41eec5b982fac101c9a836b6e1e161d1f9a42023521fd32c9c171db1f671ac699d1ec1816565158bf3a998e3ce6167

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
111KB

MD5
309d79d766e9b9025d15adc1aa5ecf52

SHA1
cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

SHA256
3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

SHA512
63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

Download Submit
memory/1648-30-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1648-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1648-23-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2944-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-15-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3524-11-0x0000000000570000-0x000000000057F000-memory.dmp

Filesize
60KB

Download
memory/3524-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3524-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4928-28-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/4928-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5016-1-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/5016-33-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download