ramnit | d4975c23a357e8c162b119162a83493a75f808b9bf8e21319d9a144be0aa8a64

Analysis

max time kernel
120s
max time network
72s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4975c23a357e8c162b119162a83493a75f808b9bf8e21319d9a144be0aa8a64N.dll
Size

1.8MB
MD5

ef1a0fdec5f39d901ad0f933984ac6d0
SHA1

3ccfd034c5f8f0d6ae6b5c299c9ae18490ebd801
SHA256

d4975c23a357e8c162b119162a83493a75f808b9bf8e21319d9a144be0aa8a64
SHA512

7a235aefe2c74d85252303d6c1bc3447d31c1fe3fa531fdda4a854fb567992096bd756efbd1f010c2a14d8ad01c41ff79fc9f84e99cf530710c0470305db7edf
SSDEEP

24576:87IY7a9IRCRqRPkHQo411810cNScGKJydXTZDwmzRMo3DP7x5nbiQjs:8IY5RMHMf810Knor5zqo3zNJuQj

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
2912	rundll32Srv.exe
2120	rundll32Srv.exe
2688	WaterMark.exe
2704	WaterMark.exe

Loads dropped DLL 6 IoCs

pid	Process
1660	rundll32.exe
1660	rundll32.exe
2912	rundll32Srv.exe
2120	rundll32Srv.exe
2120	rundll32Srv.exe
2688	WaterMark.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 2120	2912	rundll32Srv.exe	33
PID 2688 set thread context of 2704	2688	WaterMark.exe	35

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2120-17-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2120-24-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2120-22-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2120-21-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2704-48-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2704-70-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2704-76-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\ado\msadrh15.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxwebkit.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\glib-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcs.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jsound.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\libvlc.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jli.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdarem.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libh26x_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ts_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wordpad.exe	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1780	1660	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	WaterMark.exe
2704	WaterMark.exe
2704	WaterMark.exe
2704	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	WaterMark.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2912	rundll32Srv.exe
2688	WaterMark.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1660	2280	rundll32.exe	30
PID 2280 wrote to memory of 1660	2280	rundll32.exe	30
PID 2280 wrote to memory of 1660	2280	rundll32.exe	30
PID 2280 wrote to memory of 1660	2280	rundll32.exe	30
PID 2280 wrote to memory of 1660	2280	rundll32.exe	30
PID 2280 wrote to memory of 1660	2280	rundll32.exe	30
PID 2280 wrote to memory of 1660	2280	rundll32.exe	30
PID 1660 wrote to memory of 2912	1660	rundll32.exe	31
PID 1660 wrote to memory of 2912	1660	rundll32.exe	31
PID 1660 wrote to memory of 2912	1660	rundll32.exe	31
PID 1660 wrote to memory of 2912	1660	rundll32.exe	31
PID 1660 wrote to memory of 1780	1660	rundll32.exe	32
PID 1660 wrote to memory of 1780	1660	rundll32.exe	32
PID 1660 wrote to memory of 1780	1660	rundll32.exe	32
PID 1660 wrote to memory of 1780	1660	rundll32.exe	32
PID 2912 wrote to memory of 2120	2912	rundll32Srv.exe	33
PID 2912 wrote to memory of 2120	2912	rundll32Srv.exe	33
PID 2912 wrote to memory of 2120	2912	rundll32Srv.exe	33
PID 2912 wrote to memory of 2120	2912	rundll32Srv.exe	33
PID 2912 wrote to memory of 2120	2912	rundll32Srv.exe	33
PID 2912 wrote to memory of 2120	2912	rundll32Srv.exe	33
PID 2912 wrote to memory of 2120	2912	rundll32Srv.exe	33
PID 2912 wrote to memory of 2120	2912	rundll32Srv.exe	33
PID 2912 wrote to memory of 2120	2912	rundll32Srv.exe	33
PID 2120 wrote to memory of 2688	2120	rundll32Srv.exe	34
PID 2120 wrote to memory of 2688	2120	rundll32Srv.exe	34
PID 2120 wrote to memory of 2688	2120	rundll32Srv.exe	34
PID 2120 wrote to memory of 2688	2120	rundll32Srv.exe	34
PID 2688 wrote to memory of 2704	2688	WaterMark.exe	35
PID 2688 wrote to memory of 2704	2688	WaterMark.exe	35
PID 2688 wrote to memory of 2704	2688	WaterMark.exe	35
PID 2688 wrote to memory of 2704	2688	WaterMark.exe	35
PID 2688 wrote to memory of 2704	2688	WaterMark.exe	35
PID 2688 wrote to memory of 2704	2688	WaterMark.exe	35
PID 2688 wrote to memory of 2704	2688	WaterMark.exe	35
PID 2688 wrote to memory of 2704	2688	WaterMark.exe	35
PID 2688 wrote to memory of 2704	2688	WaterMark.exe	35
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36
PID 2704 wrote to memory of 2616	2704	WaterMark.exe	36

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4975c23a357e8c162b119162a83493a75f808b9bf8e21319d9a144be0aa8a64N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4975c23a357e8c162b119162a83493a75f808b9bf8e21319d9a144be0aa8a64N.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\rundll32Srv.exe
      "C:\Windows\SysWOW64\rundll32Srv.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 228
    3⤵
    - Program crash
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

Filesize
151KB

MD5
8f91179e0d119bb413ed77f27127342b

SHA1
2ce532228678c0be8f3fa1b8996872fc8f9eeea9

SHA256
1006a05a1bff9bee4edee6ddf2889a9fc2b64e4d7fd6a4acd757ea0ae0d715af

SHA512
8e0c4f5cc999bb6c9436acf60de876c15db69102a2f34bbb60def41f3f1a60740d2efa3a3c3e91a9697f88fbfd5220336adc4cf12301021fa0c5c6c2e5990bf1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

Filesize
148KB

MD5
4095157371434b5efce5eacceb3cac49

SHA1
e843b7f54f4e6caa37291cec42b840082bd31c31

SHA256
6c02ffdbfd9969fd5cb984bba8d84bb07bac13ef0d5fafbfa68c5c50b9806031

SHA512
ff589847446d43f524239174e02c01648a1c9c05ef7d43bbf54245a4f5707c141232a0235818a2480e96a4e2f5ae9a998d4ce09505e81b0815815ef575396e11

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
69KB

MD5
3284b0d95ae1f80355da5e04e79a6be1

SHA1
642bbb026f238a4eed9931772869b637621d98c8

SHA256
f2cf33052bb9ed658351e1ff0687d0602a1f619e0976cd45852d3eb109aacf60

SHA512
13712a19409818ecb66ecb2bb045a5800e4362f0ff0e9b2d158590fd501c35861ceae195f8171301ef6e72dd3b6f28184af31188836d92c171bfa6bedeb98547

Download Submit
memory/1660-9-0x0000000010000000-0x000000001035B000-memory.dmp

Filesize
3.4MB

Download
memory/1660-10-0x0000000000660000-0x00000000006B9000-memory.dmp

Filesize
356KB

Download
memory/1660-8-0x0000000010000000-0x000000001035B000-memory.dmp

Filesize
3.4MB

Download
memory/2120-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2616-64-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2616-71-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2616-78-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2616-72-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2616-74-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2616-55-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2616-53-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2616-59-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2616-68-0x0000000020010000-0x0000000020020000-memory.dmp

Filesize
64KB

Download
memory/2688-51-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2688-47-0x0000000000390000-0x00000000003E9000-memory.dmp

Filesize
356KB

Download
memory/2688-36-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2688-37-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2704-50-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2704-70-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-73-0x00000000774FF000-0x0000000077500000-memory.dmp

Filesize
4KB

Download
memory/2704-48-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-76-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2912-26-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2912-12-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2912-11-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download