ramnit | 2ce0b6461c8e68ab43fc51d9e0b71e8709db9a30f5dfa7cea845e4ad5ee8ac1a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
Size

112KB
MD5

6dcfa9e1f6477356a7e6986c692abaee
SHA1

d0ec609fd686286e818d78d163137e3854743b6d
SHA256

2ce0b6461c8e68ab43fc51d9e0b71e8709db9a30f5dfa7cea845e4ad5ee8ac1a
SHA512

74bdfdfd625843eb274a221a861362702f5660f581bc199b31b1689b0462edc40e72718e3fd44700a435fedd73020f02196a13be2c744e5717942186324d99d3
SSDEEP

1536:lVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApEjD0N9Y6js+uTAbeP:1nxwgxgfR/DVG7wBpEsNDj4AU

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
4268	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2624-4-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2624-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2624-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2624-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2624-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4268-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4268-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2624-3-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2624-2-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4268-37-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4268-38-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/4268-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px6F73.tmp	JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3768	1204	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156191"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E1165EC5-D3D2-11EF-ADF2-CA65FB447F0B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3045996568"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3045996568"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156191"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E118C121-D3D2-11EF-ADF2-CA65FB447F0B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443773789"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156191"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3047559550"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3047559550"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156191"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe
4268	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3764	iexplore.exe
3928	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3928	iexplore.exe
3928	iexplore.exe
3764	iexplore.exe
3764	iexplore.exe
436	IEXPLORE.EXE
436	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
436	IEXPLORE.EXE
436	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2624	JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
4268	WaterMark.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 4268	2624	JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe	82
PID 2624 wrote to memory of 4268	2624	JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe	82
PID 2624 wrote to memory of 4268	2624	JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe	82
PID 4268 wrote to memory of 1204	4268	WaterMark.exe	83
PID 4268 wrote to memory of 1204	4268	WaterMark.exe	83
PID 4268 wrote to memory of 1204	4268	WaterMark.exe	83
PID 4268 wrote to memory of 1204	4268	WaterMark.exe	83
PID 4268 wrote to memory of 1204	4268	WaterMark.exe	83
PID 4268 wrote to memory of 1204	4268	WaterMark.exe	83
PID 4268 wrote to memory of 1204	4268	WaterMark.exe	83
PID 4268 wrote to memory of 1204	4268	WaterMark.exe	83
PID 4268 wrote to memory of 1204	4268	WaterMark.exe	83
PID 4268 wrote to memory of 3764	4268	WaterMark.exe	87
PID 4268 wrote to memory of 3764	4268	WaterMark.exe	87
PID 4268 wrote to memory of 3928	4268	WaterMark.exe	88
PID 4268 wrote to memory of 3928	4268	WaterMark.exe	88
PID 3764 wrote to memory of 436	3764	iexplore.exe	90
PID 3764 wrote to memory of 436	3764	iexplore.exe	90
PID 3764 wrote to memory of 436	3764	iexplore.exe	90
PID 3928 wrote to memory of 1256	3928	iexplore.exe	89
PID 3928 wrote to memory of 1256	3928	iexplore.exe	89
PID 3928 wrote to memory of 1256	3928	iexplore.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 208
      4⤵
      Program crash
      PID:3768
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3764 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:436
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3928 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1204 -ip 1204
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
112KB

MD5
6dcfa9e1f6477356a7e6986c692abaee

SHA1
d0ec609fd686286e818d78d163137e3854743b6d

SHA256
2ce0b6461c8e68ab43fc51d9e0b71e8709db9a30f5dfa7cea845e4ad5ee8ac1a

SHA512
74bdfdfd625843eb274a221a861362702f5660f581bc199b31b1689b0462edc40e72718e3fd44700a435fedd73020f02196a13be2c744e5717942186324d99d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9e22a9c34466faf7bc9cf642444b3f30

SHA1
0ac45262532cce40083cc9049fb12d4efb06c01f

SHA256
57569469879a3144b391cf9def258ad9ef29d7fd1d3d70a28cfb506443d7a119

SHA512
c60649fb0ecdd14c9a6d8f9ea7ac4356b24a5e1a238705bbc8294b72ea2fda21965af200746ae20dd5f45e386fc30e2189de6007e08ff3d7ec72b8dfc39435fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
73f9b0ed2c3d3ac130615bf6a684f27e

SHA1
71ba303e99623424e9fef9aafd0bb7dabd758850

SHA256
c14dc12e0168fd5cafb3e79a357dd0cf6fd88b6383e783fbbae3f95a2c7b5972

SHA512
6c40b50b34e585962adcd294429c6d163372bb26b874d061be80878d938fd8f3dd362686622253bc0091057ee7bdae098a2212d6b2c4c756ce9bb12aa3842251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1165EC5-D3D2-11EF-ADF2-CA65FB447F0B}.dat

Filesize
5KB

MD5
6cc4c2115ee73f98aa06ac923cd0c2eb

SHA1
8abb0bfec058d8367258623a8e2575716140483a

SHA256
012bccd3217a3a820efaeb4c96b4c30bae67e531dc3b8b703ddba1c9907f9fcc

SHA512
f13dd33db459b3573a3bde6968ea0d4bac678a21a9f9cc6cd434691722b273c67d6424a8a2af42e8791f48c91a338573d374feb0c17fdc4af01a1144200aa658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E118C121-D3D2-11EF-ADF2-CA65FB447F0B}.dat

Filesize
3KB

MD5
67c9b108b7d243af95c9ff53292a82f8

SHA1
ab595a6ca5a8f7cf099d5368d8a4014e5c93afe3

SHA256
fd3b5edf3e6d61b1b8704e1cf23460f8ba8058dd94c613c23e6a2f02644e8dac

SHA512
d6b2c909e7253de4797979000d28cfe27f4ba294be50160b33670b9c90f60b95fd90de4bbf9194bd92301e6623901362b4d7eccdc488d5a595ce7343158054cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/1204-32-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1204-31-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/2624-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2624-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2624-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2624-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2624-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2624-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2624-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2624-6-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2624-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2624-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2624-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4268-28-0x0000000077192000-0x0000000077193000-memory.dmp

Filesize
4KB

Download
memory/4268-33-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4268-34-0x0000000077192000-0x0000000077193000-memory.dmp

Filesize
4KB

Download
memory/4268-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4268-18-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4268-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4268-38-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4268-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4268-25-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/4268-26-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4268-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download