revengerat | d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
Size

7.4MB
MD5

377a699b9cbc4b8928b16de46abf920f
SHA1

f2ab02632aef4141d13c3880973bc1003d1102ef
SHA256

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a
SHA512

4f916a51ec32d0c609d3c69a9b5f9c905c7c37850fdc77063db349fe4bb0ca24a9cea6180ebc59ee3754736947dafc8b54b831444b6bc585bd5a43e46bcb4ba5

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat

Executes dropped EXE 6 IoCs

Processes:

._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exeSynaptics.exe1.exe2.exeGerenciador de audio HD Realltek.exeWindows Explorer.exe

pid	process
4204	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
1264	Synaptics.exe
4148	1.exe
5060	2.exe
5064	Gerenciador de audio HD Realltek.exe
2824	Windows Explorer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe1.exed6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1288 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2.exe

description pid process

Token: SeDebugPrivilege 5060 2.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1288 EXCEL.EXE
1288 EXCEL.EXE
1288 EXCEL.EXE
1288 EXCEL.EXE
1288 EXCEL.EXE

pid	process
1288	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	5060	2.exe

pid	process
1288	EXCEL.EXE
1288	EXCEL.EXE
1288	EXCEL.EXE
1288	EXCEL.EXE
1288	EXCEL.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe1.exeGerenciador de audio HD Realltek.exeWindows Explorer.exe2.exefondue.exefondue.exe

description	pid	process	target process
PID 4240 wrote to memory of 4204	4240	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
PID 4240 wrote to memory of 4204	4240	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
PID 4240 wrote to memory of 4204	4240	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
PID 4240 wrote to memory of 1264	4240	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	Synaptics.exe
PID 4240 wrote to memory of 1264	4240	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	Synaptics.exe
PID 4240 wrote to memory of 1264	4240	d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	Synaptics.exe
PID 4204 wrote to memory of 4148	4204	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	1.exe
PID 4204 wrote to memory of 4148	4204	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	1.exe
PID 4204 wrote to memory of 4148	4204	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	1.exe
PID 4204 wrote to memory of 5060	4204	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	2.exe
PID 4204 wrote to memory of 5060	4204	._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe	2.exe
PID 4148 wrote to memory of 5064	4148	1.exe	Gerenciador de audio HD Realltek.exe
PID 4148 wrote to memory of 5064	4148	1.exe	Gerenciador de audio HD Realltek.exe
PID 4148 wrote to memory of 5064	4148	1.exe	Gerenciador de audio HD Realltek.exe
PID 5064 wrote to memory of 808	5064	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 5064 wrote to memory of 808	5064	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 5064 wrote to memory of 808	5064	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 4148 wrote to memory of 2824	4148	1.exe	Windows Explorer.exe
PID 4148 wrote to memory of 2824	4148	1.exe	Windows Explorer.exe
PID 4148 wrote to memory of 2824	4148	1.exe	Windows Explorer.exe
PID 2824 wrote to memory of 4720	2824	Windows Explorer.exe	fondue.exe
PID 2824 wrote to memory of 4720	2824	Windows Explorer.exe	fondue.exe
PID 2824 wrote to memory of 4720	2824	Windows Explorer.exe	fondue.exe
PID 5060 wrote to memory of 2184	5060	2.exe	arp.exe
PID 5060 wrote to memory of 2184	5060	2.exe	arp.exe
PID 4720 wrote to memory of 1764	4720	fondue.exe	FonDUE.EXE
PID 4720 wrote to memory of 1764	4720	fondue.exe	FonDUE.EXE
PID 808 wrote to memory of 372	808	fondue.exe	FonDUE.EXE
PID 808 wrote to memory of 372	808	fondue.exe	FonDUE.EXE
PID 5060 wrote to memory of 2752	5060	2.exe	arp.exe
PID 5060 wrote to memory of 2752	5060	2.exe	arp.exe
PID 5060 wrote to memory of 1984	5060	2.exe	arp.exe
PID 5060 wrote to memory of 1984	5060	2.exe	arp.exe

C:\Users\Admin\AppData\Local\Temp\d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
"C:\Users\Admin\AppData\Local\Temp\d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Local\Temp\._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4148

C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
"C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
6⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\System32\arp.exe
"C:\Windows\System32\arp.exe" -a
4⤵
PID:2184

C:\Windows\System32\arp.exe
"C:\Windows\System32\arp.exe" -a
4⤵
PID:2752

C:\Windows\System32\arp.exe
"C:\Windows\System32\arp.exe" -a
4⤵
PID:1984

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:1264

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
6344cb4cdf62d7e060d8a02fb0586ea1

SHA1
2e3882753e2b5293454487d3323c4403fb4ca6e5

SHA256
b4e1de9e2e1312ff886b59bf7fd24798f5ed5f8b40d627ca3e7b37214085e18b

SHA512
2f304c1f4a293128c8764966436cad033979871801718952a6448aa18e9767f57c70ae4970919381d2aff8c182b80c095d00d624f92d5eab478c589085addee4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
6344cb4cdf62d7e060d8a02fb0586ea1

SHA1
2e3882753e2b5293454487d3323c4403fb4ca6e5

SHA256
b4e1de9e2e1312ff886b59bf7fd24798f5ed5f8b40d627ca3e7b37214085e18b

SHA512
2f304c1f4a293128c8764966436cad033979871801718952a6448aa18e9767f57c70ae4970919381d2aff8c182b80c095d00d624f92d5eab478c589085addee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
MD5
dc70508f10ea72c1ad810c72b179bf28

SHA1
5c7ef633b20ad47c1a9967a181ebf42a5094c07d

SHA256
aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e

SHA512
8dc1d9ef4c4b9b4fef91c55734a0e813b1a8a4582fab36b7b52c3b2c0d217a25dce3dbc1d364d438766c1fa8fc1f64498c2f779848a5208f2ea7ce06ed43f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_d6415fde1549f0b7fae0d67319f7ff78967b2de99e6b9dc9666953e1be2c064a.exe
MD5
dc70508f10ea72c1ad810c72b179bf28

SHA1
5c7ef633b20ad47c1a9967a181ebf42a5094c07d

SHA256
aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e

SHA512
8dc1d9ef4c4b9b4fef91c55734a0e813b1a8a4582fab36b7b52c3b2c0d217a25dce3dbc1d364d438766c1fa8fc1f64498c2f779848a5208f2ea7ce06ed43f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tqa3QVP.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
memory/1264-135-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1288-160-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-146-0x00007FF8D1FD0000-0x00007FF8D1FE0000-memory.dmp

Filesize
64KB

Download
memory/1288-153-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-150-0x00007FF8D1FD0000-0x00007FF8D1FE0000-memory.dmp

Filesize
64KB

Download
memory/1288-152-0x00007FF8D1FD0000-0x00007FF8D1FE0000-memory.dmp

Filesize
64KB

Download
memory/1288-154-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-156-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-155-0x00007FF8D1FD0000-0x00007FF8D1FE0000-memory.dmp

Filesize
64KB

Download
memory/1288-145-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-147-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-167-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-157-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-158-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-151-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-159-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-143-0x00007FF8D1FD0000-0x00007FF8D1FE0000-memory.dmp

Filesize
64KB

Download
memory/1288-166-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-162-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-161-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-163-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-164-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/1288-165-0x00007FF911F50000-0x00007FF912145000-memory.dmp

Filesize
2.0MB

Download
memory/4240-130-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/5060-144-0x00007FF8F14D0000-0x00007FF8F1F91000-memory.dmp

Filesize
10.8MB

Download
memory/5060-168-0x0000016103900000-0x0000016103902000-memory.dmp

Filesize
8KB

Download
memory/5060-140-0x00000161017B0000-0x0000016101DD8000-memory.dmp

Filesize
6.2MB

Download