ramnit | c403531a9e542d8fba8678e592e0d18f64dbe2785ab6860c6c4c54fde5169ea5

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 02:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad9cf5648f1202a557dbf9eafbba382d_JaffaCakes118.dll
Size

120KB
MD5

ad9cf5648f1202a557dbf9eafbba382d
SHA1

e86bd842f5a4e8c9c59c206cf34c65c1ab6aad8c
SHA256

c403531a9e542d8fba8678e592e0d18f64dbe2785ab6860c6c4c54fde5169ea5
SHA512

8870f1010e4da92bab27060a297926fe9592f7e41482711f36569fcd6ae0235fcea575e3f74d358a7762b99c0348e40d84691a4ab5ac7690eb2b60db80ec854a
SSDEEP

3072:x/Xj8ntYsIdegopKgDS+Xn6vn+m5Av+3ywTZ7oWMy4Yq/:BjytYsIVIXn6/+magVWL

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

pid	Process
2672	rundll32Srv.exe
2688	rundll32Srv.exe
2828	WaterMark.exe
2704	WaterMark.exe

Loads dropped DLL 6 IoCs

pid	Process
2416	rundll32.exe
2416	rundll32.exe
2672	rundll32Srv.exe
2688	rundll32Srv.exe
2688	rundll32Srv.exe
2828	WaterMark.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-25-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2688-26-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2688-24-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2688-22-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2704-48-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2704-53-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2704-55-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2704-78-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2688	2672	rundll32Srv.exe	32
PID 2828 set thread context of 2704	2828	WaterMark.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieproxy.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pencht.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\WMM2CLIP.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_record_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\JNWDRV.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSSOAP30.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32Srv.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	WaterMark.exe
2704	WaterMark.exe
2704	WaterMark.exe
2704	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	WaterMark.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	rundll32Srv.exe
2828	WaterMark.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2416	2188	rundll32.exe	30
PID 2188 wrote to memory of 2416	2188	rundll32.exe	30
PID 2188 wrote to memory of 2416	2188	rundll32.exe	30
PID 2188 wrote to memory of 2416	2188	rundll32.exe	30
PID 2188 wrote to memory of 2416	2188	rundll32.exe	30
PID 2188 wrote to memory of 2416	2188	rundll32.exe	30
PID 2188 wrote to memory of 2416	2188	rundll32.exe	30
PID 2416 wrote to memory of 2672	2416	rundll32.exe	31
PID 2416 wrote to memory of 2672	2416	rundll32.exe	31
PID 2416 wrote to memory of 2672	2416	rundll32.exe	31
PID 2416 wrote to memory of 2672	2416	rundll32.exe	31
PID 2672 wrote to memory of 2688	2672	rundll32Srv.exe	32
PID 2672 wrote to memory of 2688	2672	rundll32Srv.exe	32
PID 2672 wrote to memory of 2688	2672	rundll32Srv.exe	32
PID 2672 wrote to memory of 2688	2672	rundll32Srv.exe	32
PID 2672 wrote to memory of 2688	2672	rundll32Srv.exe	32
PID 2672 wrote to memory of 2688	2672	rundll32Srv.exe	32
PID 2672 wrote to memory of 2688	2672	rundll32Srv.exe	32
PID 2672 wrote to memory of 2688	2672	rundll32Srv.exe	32
PID 2672 wrote to memory of 2688	2672	rundll32Srv.exe	32
PID 2688 wrote to memory of 2828	2688	rundll32Srv.exe	33
PID 2688 wrote to memory of 2828	2688	rundll32Srv.exe	33
PID 2688 wrote to memory of 2828	2688	rundll32Srv.exe	33
PID 2688 wrote to memory of 2828	2688	rundll32Srv.exe	33
PID 2828 wrote to memory of 2704	2828	WaterMark.exe	34
PID 2828 wrote to memory of 2704	2828	WaterMark.exe	34
PID 2828 wrote to memory of 2704	2828	WaterMark.exe	34
PID 2828 wrote to memory of 2704	2828	WaterMark.exe	34
PID 2828 wrote to memory of 2704	2828	WaterMark.exe	34
PID 2828 wrote to memory of 2704	2828	WaterMark.exe	34
PID 2828 wrote to memory of 2704	2828	WaterMark.exe	34
PID 2828 wrote to memory of 2704	2828	WaterMark.exe	34
PID 2828 wrote to memory of 2704	2828	WaterMark.exe	34
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35
PID 2704 wrote to memory of 2608	2704	WaterMark.exe	35

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad9cf5648f1202a557dbf9eafbba382d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad9cf5648f1202a557dbf9eafbba382d_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\rundll32Srv.exe
      "C:\Windows\SysWOW64\rundll32Srv.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

Filesize
151KB

MD5
8f91179e0d119bb413ed77f27127342b

SHA1
2ce532228678c0be8f3fa1b8996872fc8f9eeea9

SHA256
1006a05a1bff9bee4edee6ddf2889a9fc2b64e4d7fd6a4acd757ea0ae0d715af

SHA512
8e0c4f5cc999bb6c9436acf60de876c15db69102a2f34bbb60def41f3f1a60740d2efa3a3c3e91a9697f88fbfd5220336adc4cf12301021fa0c5c6c2e5990bf1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

Filesize
148KB

MD5
4095157371434b5efce5eacceb3cac49

SHA1
e843b7f54f4e6caa37291cec42b840082bd31c31

SHA256
6c02ffdbfd9969fd5cb984bba8d84bb07bac13ef0d5fafbfa68c5c50b9806031

SHA512
ff589847446d43f524239174e02c01648a1c9c05ef7d43bbf54245a4f5707c141232a0235818a2480e96a4e2f5ae9a998d4ce09505e81b0815815ef575396e11

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
69KB

MD5
3284b0d95ae1f80355da5e04e79a6be1

SHA1
642bbb026f238a4eed9931772869b637621d98c8

SHA256
f2cf33052bb9ed658351e1ff0687d0602a1f619e0976cd45852d3eb109aacf60

SHA512
13712a19409818ecb66ecb2bb045a5800e4362f0ff0e9b2d158590fd501c35861ceae195f8171301ef6e72dd3b6f28184af31188836d92c171bfa6bedeb98547

Download Submit
memory/2416-1-0x0000000061000000-0x0000000061023000-memory.dmp

Filesize
140KB

Download
memory/2416-0-0x0000000061000000-0x0000000061023000-memory.dmp

Filesize
140KB

Download
memory/2416-11-0x0000000000660000-0x00000000006B9000-memory.dmp

Filesize
356KB

Download
memory/2416-39-0x0000000061000000-0x0000000061023000-memory.dmp

Filesize
140KB

Download
memory/2416-80-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/2416-2-0x0000000061000000-0x0000000061023000-memory.dmp

Filesize
140KB

Download
memory/2608-70-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2608-81-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2608-65-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2608-57-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2608-76-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2608-74-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2608-64-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2608-63-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2608-59-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2672-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2672-12-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2672-13-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2688-26-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2688-30-0x0000000000B60000-0x0000000000BB9000-memory.dmp

Filesize
356KB

Download
memory/2688-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2688-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2688-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-53-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-54-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2704-48-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-78-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2828-46-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2828-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2828-38-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download