rms | 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
Size

6.3MB
MD5

f9c019b6a0f1ce8802a8aaeea86e496d
SHA1

7f854b600823ec15cd6bb5c912ea3a28f64da16a
SHA256

0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae
SHA512

5cb690fc9524678998ad9b022cde4c9ee09e7863e7af52d1d6dab854a30036edb883b9ebe8b7613777aee6d0132a365d17697ae516fd10f88f1162c527b2afae
SSDEEP

196608:WPfaOYMRlp30bgwOGcjwppBR5dgI8H++:WKhMRlN0bgXGGwpj5gI8e

Score

10^/10

rms discovery persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe1svnhost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1svnhost.exe, explorer.exe"	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1svnhost.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe1svnhost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	1svnhost.exe

Executes dropped EXE 7 IoCs

Processes:

1svnhost.exesvnhost.exesvnhost.exesvnhost.exesvnhost.exesystemsmss.exesystemsmss.exe

pid	Process
232	1svnhost.exe
4536	svnhost.exe
2912	svnhost.exe
3016	svnhost.exe
1912	svnhost.exe
4976	systemsmss.exe
1696	systemsmss.exe

Drops file in Windows directory 13 IoCs

Processes:

1svnhost.exef9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\Zont911\Tupe.bat	1svnhost.exe
File opened for modification	C:\Windows\System64\1svnhost.exe	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File created	C:\Windows\System64\systemsmss.exe	1svnhost.exe
File created	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File created	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File created	C:\Windows\System64\svnhost.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1svnhost.exe
File created	C:\Windows\System64\1svnhost.exe	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
File created	C:\Windows\Zont911\Regedit.reg	1svnhost.exe
File created	C:\Windows\Zont911\Home.zip	1svnhost.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1svnhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svnhost.exesvnhost.exesystemsmss.exesystemsmss.exeregedit.exechcp.comcmd.exesvnhost.exesvnhost.exef9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe1svnhost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svnhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svnhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemsmss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemsmss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svnhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svnhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1svnhost.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid	Process
4884	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe

pid	Process
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

svnhost.exesvnhost.exesvnhost.exe

description	pid	Process
Token: SeDebugPrivilege	4536	svnhost.exe
Token: SeDebugPrivilege	3016	svnhost.exe
Token: SeTakeOwnershipPrivilege	1912	svnhost.exe
Token: SeTcbPrivilege	1912	svnhost.exe
Token: SeTcbPrivilege	1912	svnhost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

svnhost.exesvnhost.exesvnhost.exesvnhost.exe

pid	Process
4536	svnhost.exe
2912	svnhost.exe
3016	svnhost.exe
1912	svnhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe1svnhost.execmd.exesvnhost.exe

description	pid	Process	procid_target
PID 5032 wrote to memory of 232	5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe	82
PID 5032 wrote to memory of 232	5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe	82
PID 5032 wrote to memory of 232	5032	f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe	82
PID 232 wrote to memory of 4884	232	1svnhost.exe	83
PID 232 wrote to memory of 4884	232	1svnhost.exe	83
PID 232 wrote to memory of 4884	232	1svnhost.exe	83
PID 232 wrote to memory of 3460	232	1svnhost.exe	84
PID 232 wrote to memory of 3460	232	1svnhost.exe	84
PID 232 wrote to memory of 3460	232	1svnhost.exe	84
PID 3460 wrote to memory of 1364	3460	cmd.exe	86
PID 3460 wrote to memory of 1364	3460	cmd.exe	86
PID 3460 wrote to memory of 1364	3460	cmd.exe	86
PID 3460 wrote to memory of 4536	3460	cmd.exe	87
PID 3460 wrote to memory of 4536	3460	cmd.exe	87
PID 3460 wrote to memory of 4536	3460	cmd.exe	87
PID 3460 wrote to memory of 2912	3460	cmd.exe	88
PID 3460 wrote to memory of 2912	3460	cmd.exe	88
PID 3460 wrote to memory of 2912	3460	cmd.exe	88
PID 3460 wrote to memory of 3016	3460	cmd.exe	89
PID 3460 wrote to memory of 3016	3460	cmd.exe	89
PID 3460 wrote to memory of 3016	3460	cmd.exe	89
PID 1912 wrote to memory of 4976	1912	svnhost.exe	94
PID 1912 wrote to memory of 4976	1912	svnhost.exe	94
PID 1912 wrote to memory of 4976	1912	svnhost.exe	94
PID 1912 wrote to memory of 1696	1912	svnhost.exe	93
PID 1912 wrote to memory of 1696	1912	svnhost.exe	93
PID 1912 wrote to memory of 1696	1912	svnhost.exe	93

C:\Users\Admin\AppData\Local\Temp\f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9c019b6a0f1ce8802a8aaeea86e496d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\System64\1svnhost.exe
  "C:\Windows\System64\1svnhost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      System Location Discovery: System Language Discovery
      PID:1364
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4536
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2912
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3016

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\1svnhost.exe

Filesize
6.3MB

MD5
f9c019b6a0f1ce8802a8aaeea86e496d

SHA1
7f854b600823ec15cd6bb5c912ea3a28f64da16a

SHA256
0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae

SHA512
5cb690fc9524678998ad9b022cde4c9ee09e7863e7af52d1d6dab854a30036edb883b9ebe8b7613777aee6d0132a365d17697ae516fd10f88f1162c527b2afae

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
44e6200c79b9f46a3d07ad377f5518e9

SHA1
242c27b3e44bec53a770baba126fc8ec1dd0c066

SHA256
2bbb7428d9666fd7fbfa86d01c7c1512016c72eb1a05bf5d6a4589f1c1de1700

SHA512
33e4504feacceab47a159123f9d241ff128676dbfd20ce51eae94c12a82faae52566008fc45dd02bc71d5477ca7cd8b6349986e8d727594d52a2f9cb9c75effb

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
278B

MD5
bc3fb74a6cbcbb208a35ef91ef1eddf9

SHA1
b9e97c0863038d2506123ae53534d2803954a89d

SHA256
e351c2afdfe0a3555ce0da5b09913ed353a331e2454cbe0cb9b3ebe3c6fd8f69

SHA512
4e91e3ac2bc312a2fe76296012626a2d580848a67f8f358cf78a2d8c29d65d3961f62867d113ba109f138af91209d163f589556e1d291a98fe672ff13d8ab674

Download Submit
memory/232-10-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/232-44-0x0000000000400000-0x0000000000A50000-memory.dmp

Filesize
6.3MB

Download
memory/232-45-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1696-47-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1912-46-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1912-103-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1912-64-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1912-94-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1912-85-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1912-50-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1912-76-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1912-55-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1912-70-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1912-59-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2912-33-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3016-40-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4536-31-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4976-66-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4976-57-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4976-52-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4976-78-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4976-48-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5032-0-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/5032-9-0x0000000000400000-0x0000000000A50000-memory.dmp

Filesize
6.3MB

Download