ramnit | a2dcf8db6bff76d148b44ec228627a5e030b1c2bfca4954f9074b2420651ff00

Analysis

max time kernel
106s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2025, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_87aca5635fcc8a3c822f54de3865dbf7.dll
Size

304KB
MD5

87aca5635fcc8a3c822f54de3865dbf7
SHA1

c6ee6c3265b832e4b0bd7898fc1c29633f6a22e9
SHA256

a2dcf8db6bff76d148b44ec228627a5e030b1c2bfca4954f9074b2420651ff00
SHA512

2d08c17c47a8a89a1c644ca7828ac492bc83af994fd507a5835f8e09cf7664e86c9c90c46a42eb87d719d06d254165309ee6f71e0f7a770a0e73a2353ecdbb1c
SSDEEP

6144:AzFn4ut3Oy+2xjXfI8wWjdQ1oqhaVC338QSGsh:AzFnj3Q21wYZQGqhYC3vSGsh

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
540	regsvr32mgr.exe
5844	WaterMark.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/540-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/540-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/540-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/540-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/540-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/540-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/540-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5844-29-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5844-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5844-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5844-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5844-42-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5844-43-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px82FB.tmp	regsvr32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4004	1472	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E28FE092-080B-11F0-AF5D-C6CB468AE5AC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E28B1BBF-080B-11F0-AF5D-C6CB468AE5AC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449515733"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe
5844	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5844	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3240	iexplore.exe
1940	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3240	iexplore.exe
3240	iexplore.exe
1940	iexplore.exe
1940	iexplore.exe
444	IEXPLORE.EXE
444	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
444	IEXPLORE.EXE
444	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
540	regsvr32mgr.exe
5844	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5792 wrote to memory of 5744	5792	regsvr32.exe	87
PID 5792 wrote to memory of 5744	5792	regsvr32.exe	87
PID 5792 wrote to memory of 5744	5792	regsvr32.exe	87
PID 5744 wrote to memory of 540	5744	regsvr32.exe	88
PID 5744 wrote to memory of 540	5744	regsvr32.exe	88
PID 5744 wrote to memory of 540	5744	regsvr32.exe	88
PID 540 wrote to memory of 5844	540	regsvr32mgr.exe	89
PID 540 wrote to memory of 5844	540	regsvr32mgr.exe	89
PID 540 wrote to memory of 5844	540	regsvr32mgr.exe	89
PID 5844 wrote to memory of 1472	5844	WaterMark.exe	90
PID 5844 wrote to memory of 1472	5844	WaterMark.exe	90
PID 5844 wrote to memory of 1472	5844	WaterMark.exe	90
PID 5844 wrote to memory of 1472	5844	WaterMark.exe	90
PID 5844 wrote to memory of 1472	5844	WaterMark.exe	90
PID 5844 wrote to memory of 1472	5844	WaterMark.exe	90
PID 5844 wrote to memory of 1472	5844	WaterMark.exe	90
PID 5844 wrote to memory of 1472	5844	WaterMark.exe	90
PID 5844 wrote to memory of 1472	5844	WaterMark.exe	90
PID 5844 wrote to memory of 3240	5844	WaterMark.exe	101
PID 5844 wrote to memory of 3240	5844	WaterMark.exe	101
PID 5844 wrote to memory of 1940	5844	WaterMark.exe	102
PID 5844 wrote to memory of 1940	5844	WaterMark.exe	102
PID 3240 wrote to memory of 444	3240	iexplore.exe	103
PID 3240 wrote to memory of 444	3240	iexplore.exe	103
PID 3240 wrote to memory of 444	3240	iexplore.exe	103
PID 1940 wrote to memory of 3040	1940	iexplore.exe	104
PID 1940 wrote to memory of 3040	1940	iexplore.exe	104
PID 1940 wrote to memory of 3040	1940	iexplore.exe	104

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87aca5635fcc8a3c822f54de3865dbf7.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5792
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87aca5635fcc8a3c822f54de3865dbf7.dll
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5744
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:5844
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:1472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 208
        6⤵
        Program crash
        
        PID:4004
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3240
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3240 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:444
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1472 -ip 1472
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
70f2cd5a40c53a24406bef59c4dca71a

SHA1
438a0730aab95862c097791a037678c5563c42cc

SHA256
a1c50f56a0ce0c9c0288e7a21a933e4b477de7d729666c884d3e6d734b087607

SHA512
f42fb79ad0075f05a4ad53d749a831f9d12f0d2b2d1016871734e19866b9c8406a041b84fc0085e422dcbbd17076f57ea2425e20a294124e24794d2262739e51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
593c17c7ca391cd47ad09df8228f8f76

SHA1
d3f9c1d1df370f24a2eb53666135d6853ee4d666

SHA256
fcca13ba295d9885eafad0d9f0981dee9baeaa32abc25356d15b50b82074233d

SHA512
7b83fee501523c28ee3a3cef14986a92f75142b22d9c8c3c6e286e4f655e22ec716824a233c4da83c35bfcdd102082329acaa136f7e2faad05cf7b25ae68ce98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
584a4b222da8717e2173e1f50859b903

SHA1
19c01117670c78e6c9d7b3ad9201987f0b21a60d

SHA256
49f771c1956e55975678caf199db780e4612aa7bf22ba4c61073a5547966fdff

SHA512
d8da34f9bc8663a3620b14a6367210497e7c2e53277114cd21859650aef7e4ad089931a4c8edec156cc93cb9a6d7ddf368bb3bda9ec4787335d25f411373de3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E28B1BBF-080B-11F0-AF5D-C6CB468AE5AC}.dat

Filesize
5KB

MD5
3deeda4498279576fd44119c04e8f819

SHA1
1d2d04f280c5daf5c48e8af34010d6bb5f3febfe

SHA256
91eb25d314eb38319cc2ac43d4ca8bf7b3260060d627592f6e7c68d3b69f479c

SHA512
de2b4f3f8c10a7f6f4933b1cb1d4c78783cc3247de774a0faea352c232b0e419e2040d4aab8327849711b92f4a713ea78994e4705ef0fdc595d442c30355755a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E28FE092-080B-11F0-AF5D-C6CB468AE5AC}.dat

Filesize
3KB

MD5
244327299f68807ec8eef51add01ab4b

SHA1
9e3953f6a5961efdf03a9375767a8098f9b88481

SHA256
64f33f7446d5ab8b9aec5d5d6da52a6adadc1834ecfd018fb4b661a0e8ab5696

SHA512
250a6cd3bfc138ff0e733ba610a76d146960f7e9f14fa672f4c6f290b297e1d056dcc6e23897f823198a18adc202a10bd23055c5630404eae07df1053aa4fde9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\463FIIFI\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
123KB

MD5
c988afc113d2ce250aa98cec84c54e02

SHA1
c8dc99e3af0e63d3a0874f96edc0061885df45ad

SHA256
986eb7a5e18454ecbd9c0919ebae03b1fb7d94798a88f5767d20081fa07194d6

SHA512
54eefe322f4afd73988dc02e126a23bb61d614f5bde5f53c7aa95ad4d65f29aafb464c7063b15cfbcb2a63e329f2a662e44cf910ad55d8fe77bf4072c7d47bc1

Download Submit
memory/540-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-6-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/540-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-21-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/540-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/540-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-12-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1472-35-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1472-34-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/5744-0-0x0000000010000000-0x000000001004E000-memory.dmp

Filesize
312KB

Download
memory/5844-31-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/5844-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5844-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5844-37-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5844-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5844-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5844-36-0x0000000077A72000-0x0000000077A73000-memory.dmp

Filesize
4KB

Download
memory/5844-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5844-32-0x0000000077A72000-0x0000000077A73000-memory.dmp

Filesize
4KB

Download
memory/5844-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download