rms | 6e22d752ea8c85e6427bd81fcea004cb41d91210856483c772210700d983fc6d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
Size

6.2MB
MD5

bec12049d6f62ae123ebfe16da23e621
SHA1

7805c1de5b986c7a6e14954ea39a474355878adb
SHA256

6e22d752ea8c85e6427bd81fcea004cb41d91210856483c772210700d983fc6d
SHA512

190e3e2306de5a054d01b89a2ad124099b6692eae9d9255d052ce76cc93bdd016d6257c058d3ea75af20811cb8922b97c1e4fe58f2fd8f86374a0e28c47c9b0f
SSDEEP

196608:5PfarYMRlp30bgwOGcjwppBR5dgI8H++:5KMMRlN0bgXGGwpj5gI8e

Score

10^/10

rms discovery persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe"	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1systemsmss.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
2744	1systemsmss.exe
2692	svnhost.exe
2552	svnhost.exe
2632	svnhost.exe
2972	svnhost.exe
2376	systemsmss.exe
2244	systemsmss.exe

Loads dropped DLL 6 IoCs

pid	Process
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
2744	1systemsmss.exe
2584	cmd.exe
2972	svnhost.exe
2972	svnhost.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Zont911\Home.zip	1systemsmss.exe
File created	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File created	C:\Windows\System64\1systemsmss.exe	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
File opened for modification	C:\Windows\System64\1systemsmss.exe	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
File created	C:\Windows\Zont911\Regedit.reg	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File created	C:\Windows\Zont911\Tupe.bat	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\System64\svnhost.exe	1systemsmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemsmss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1systemsmss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svnhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svnhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svnhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svnhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemsmss.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2816	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	svnhost.exe
Token: SeDebugPrivilege	2632	svnhost.exe
Token: SeTakeOwnershipPrivilege	2972	svnhost.exe
Token: SeTcbPrivilege	2972	svnhost.exe
Token: SeTcbPrivilege	2972	svnhost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2692	svnhost.exe
2552	svnhost.exe
2632	svnhost.exe
2972	svnhost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2744	1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2744	1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2744	1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2744	1848	bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe	30
PID 2744 wrote to memory of 2816	2744	1systemsmss.exe	31
PID 2744 wrote to memory of 2816	2744	1systemsmss.exe	31
PID 2744 wrote to memory of 2816	2744	1systemsmss.exe	31
PID 2744 wrote to memory of 2816	2744	1systemsmss.exe	31
PID 2744 wrote to memory of 2584	2744	1systemsmss.exe	32
PID 2744 wrote to memory of 2584	2744	1systemsmss.exe	32
PID 2744 wrote to memory of 2584	2744	1systemsmss.exe	32
PID 2744 wrote to memory of 2584	2744	1systemsmss.exe	32
PID 2584 wrote to memory of 2768	2584	cmd.exe	34
PID 2584 wrote to memory of 2768	2584	cmd.exe	34
PID 2584 wrote to memory of 2768	2584	cmd.exe	34
PID 2584 wrote to memory of 2768	2584	cmd.exe	34
PID 2584 wrote to memory of 2692	2584	cmd.exe	35
PID 2584 wrote to memory of 2692	2584	cmd.exe	35
PID 2584 wrote to memory of 2692	2584	cmd.exe	35
PID 2584 wrote to memory of 2692	2584	cmd.exe	35
PID 2584 wrote to memory of 2552	2584	cmd.exe	36
PID 2584 wrote to memory of 2552	2584	cmd.exe	36
PID 2584 wrote to memory of 2552	2584	cmd.exe	36
PID 2584 wrote to memory of 2552	2584	cmd.exe	36
PID 2584 wrote to memory of 2632	2584	cmd.exe	37
PID 2584 wrote to memory of 2632	2584	cmd.exe	37
PID 2584 wrote to memory of 2632	2584	cmd.exe	37
PID 2584 wrote to memory of 2632	2584	cmd.exe	37
PID 2972 wrote to memory of 2376	2972	svnhost.exe	39
PID 2972 wrote to memory of 2376	2972	svnhost.exe	39
PID 2972 wrote to memory of 2376	2972	svnhost.exe	39
PID 2972 wrote to memory of 2376	2972	svnhost.exe	39
PID 2972 wrote to memory of 2244	2972	svnhost.exe	40
PID 2972 wrote to memory of 2244	2972	svnhost.exe	40
PID 2972 wrote to memory of 2244	2972	svnhost.exe	40
PID 2972 wrote to memory of 2244	2972	svnhost.exe	40

C:\Users\Admin\AppData\Local\Temp\bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\System64\1systemsmss.exe
  "C:\Windows\System64\1systemsmss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2692
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2552
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2632

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
4803ac63a1fa3104bfb5a47e7d9cb491

SHA1
73a4b0ed984b08c72f517230b7e65847f5f1061b

SHA256
5e13554c986d006ec1a272ccec4cd02b4da2f538cc13e9ab35fa997ff4aa2d29

SHA512
c7dcef96a84d05b7a105dcb7dad75ac04dae201f5437289b8b5913796cff927c4a5296adcca1aa3171ed7e0d5a1e80ec970fedfb0e75248789cb3e661c9abc3f

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
281B

MD5
691f040de6d335962416b319dcd416dc

SHA1
db49109c0917910f7fce8b6de690a1c7e2026226

SHA256
605d0b9c2fd1972c4ee60d8eefd336be636884dcdf54a4e5f2829c46e80fdcea

SHA512
f34ba36bdeaa43a1265ec69acfa0f199f2b4d5d90b4ea890327478f4f48ec7597d660b922dd1e149de3a1ff9b48c79e4c9c53e8a482b4cb5842bc0976f93bf89

Download Submit
\Windows\System64\1systemsmss.exe

Filesize
6.2MB

MD5
bec12049d6f62ae123ebfe16da23e621

SHA1
7805c1de5b986c7a6e14954ea39a474355878adb

SHA256
6e22d752ea8c85e6427bd81fcea004cb41d91210856483c772210700d983fc6d

SHA512
190e3e2306de5a054d01b89a2ad124099b6692eae9d9255d052ce76cc93bdd016d6257c058d3ea75af20811cb8922b97c1e4fe58f2fd8f86374a0e28c47c9b0f

Download Submit
\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
memory/1848-10-0x0000000000400000-0x0000000000A3F000-memory.dmp

Filesize
6.2MB

Download
memory/1848-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2244-76-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2244-67-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2244-62-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2244-85-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2244-58-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2376-57-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2552-41-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2632-53-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2692-39-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2744-45-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2744-44-0x0000000000400000-0x0000000000A3F000-memory.dmp

Filesize
6.2MB

Download
memory/2744-11-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2972-56-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2972-59-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2972-64-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2972-69-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2972-74-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2972-82-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2972-96-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download