revengerat | 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe

Analysis

max time kernel
144s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-07-2022 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
Size

3.4MB
MD5

7ddaf6c0ccdf99faced8f866a3670206
SHA1

08f5844c6413dbcc5d1b765247c93d4c13c97914
SHA256

1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe
SHA512

3321c6c6f9982cd179597dfa7b0612b81358b594a7e216a1bfde0dd638d4324a90b9f373f5be9681de9324c363193dd7c5fd565cc57e7766ffe1fb077b4bdf02

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 10 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Server.exe	revengerat
\Users\Admin\AppData\Local\Temp\Server.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Server.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Server.exe	revengerat
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe	revengerat
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe	revengerat
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	revengerat

Executes dropped EXE 3 IoCs

Processes:

TempDev.exeServer.exesvchost.exe

pid process

2036 TempDev.exe
908 Server.exe
1616 svchost.exe

pid	process
2036	TempDev.exe
908	Server.exe
1616	svchost.exe

Drops startup file 6 IoCs

Processes:

svchost.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.js	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	vbc.exe

Loads dropped DLL 6 IoCs

Processes:

1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exeTempDev.exeServer.exesvchost.exe

pid	process
1808	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
2036	TempDev.exe
2036	TempDev.exe
908	Server.exe
908	Server.exe
1616	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1220 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1220 vlc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Server.exeAUDIODG.EXEvlc.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	908	Server.exe
Token: 33	1956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1956	AUDIODG.EXE
Token: 33	1956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1956	AUDIODG.EXE
Token: 33	1220	vlc.exe
Token: SeIncBasePriorityPrivilege	1220	vlc.exe
Token: SeDebugPrivilege	1616	svchost.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

vlc.exe

pid	process
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe
1220	vlc.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

vlc.exe

pid process

1220 vlc.exe
1220 vlc.exe
1220 vlc.exe
1220 vlc.exe
1220 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1220 vlc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exeTempDev.exeServer.exesvchost.exevbc.exe

description	pid	process	target process
PID 1808 wrote to memory of 2036	1808	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	TempDev.exe
PID 1808 wrote to memory of 2036	1808	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	TempDev.exe
PID 1808 wrote to memory of 2036	1808	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	TempDev.exe
PID 1808 wrote to memory of 2036	1808	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	TempDev.exe
PID 1808 wrote to memory of 1220	1808	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	vlc.exe
PID 1808 wrote to memory of 1220	1808	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	vlc.exe
PID 1808 wrote to memory of 1220	1808	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	vlc.exe
PID 1808 wrote to memory of 1220	1808	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	vlc.exe
PID 2036 wrote to memory of 908	2036	TempDev.exe	Server.exe
PID 2036 wrote to memory of 908	2036	TempDev.exe	Server.exe
PID 2036 wrote to memory of 908	2036	TempDev.exe	Server.exe
PID 2036 wrote to memory of 908	2036	TempDev.exe	Server.exe
PID 908 wrote to memory of 1616	908	Server.exe	svchost.exe
PID 908 wrote to memory of 1616	908	Server.exe	svchost.exe
PID 908 wrote to memory of 1616	908	Server.exe	svchost.exe
PID 908 wrote to memory of 1616	908	Server.exe	svchost.exe
PID 1616 wrote to memory of 2016	1616	svchost.exe	vbc.exe
PID 1616 wrote to memory of 2016	1616	svchost.exe	vbc.exe
PID 1616 wrote to memory of 2016	1616	svchost.exe	vbc.exe
PID 1616 wrote to memory of 2016	1616	svchost.exe	vbc.exe
PID 2016 wrote to memory of 1424	2016	vbc.exe	cvtres.exe
PID 2016 wrote to memory of 1424	2016	vbc.exe	cvtres.exe
PID 2016 wrote to memory of 1424	2016	vbc.exe	cvtres.exe
PID 2016 wrote to memory of 1424	2016	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
"C:\Users\Admin\AppData\Local\Temp\1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\TempDev.exe
"C:\Users\Admin\AppData\Local\TempDev.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mrxcyggp.cmdline"
5⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B65.tmp"
6⤵
PID:1424

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Tempskype.mp4"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempDev.exe
Filesize
191KB

MD5
b077a236e6cb4f710626b9ef56df8e8a

SHA1
ab7b6f4b9af0919f55dfb64a090630c4e7b191fd

SHA256
65a6a2d2702b3a6e81ad3ee7c3bcc7a40d99fe16c166bd554bfa07c1b7e29ba8

SHA512
88bba2ee188e5b10377e123fbfb178f15987b9341b750fda8daa15b9d27e9c3257c8dcdea700631c5c3325da466964ea439bbb5f847ddceb2f068b989ffa3400

Download Submit
C:\Users\Admin\AppData\Local\TempDev.exe
Filesize
191KB

MD5
b077a236e6cb4f710626b9ef56df8e8a

SHA1
ab7b6f4b9af0919f55dfb64a090630c4e7b191fd

SHA256
65a6a2d2702b3a6e81ad3ee7c3bcc7a40d99fe16c166bd554bfa07c1b7e29ba8

SHA512
88bba2ee188e5b10377e123fbfb178f15987b9341b750fda8daa15b9d27e9c3257c8dcdea700631c5c3325da466964ea439bbb5f847ddceb2f068b989ffa3400

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B66.tmp
Filesize
1KB

MD5
256a705d396d52ccc273a2c1c5401541

SHA1
eb50fca533e9456ce9a454ee1b2476693b52c49c

SHA256
8ea81b8b81c94453e545af274794e59fa6d022707bfe24ec71d377731c78d46a

SHA512
18c6d03b288c1d7127f4741237c2377247fdc6d7bd8cc43f5138e3b52b487283d758ecf6e8f38279243f35e775bfce9f61cca1b9c90f46a413ed5847f8ca806c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrxcyggp.0.vb
Filesize
179B

MD5
89923fa6e5d214f70f33024fbcec55da

SHA1
f3cdb3b25a010fd74381fb7dc2a51fa7381ac168

SHA256
fba87273861c2b2f7b37784013bdf4de9694e303151b46b48a0a8e9b9fe0be0e

SHA512
54d829ff58eb032612e39e3853516d2a074a1e213485d07242807a01633457560cc57e0860857fb09d14324415924bcfffa82f87464af2857397d9557f4125d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrxcyggp.cmdline
Filesize
195B

MD5
22fa4b4b93ae0109bde60e33b1423144

SHA1
9394e585492cff79eac445eef487a7785b861036

SHA256
19e1b20094dd90f4aef5fe83f5cb93b835cda2fa81920253e9aec6dbcbcb45a5

SHA512
93b41e1cae7639006719f13cc0b4e32083cfc5dde78378d60ef34838d9aa38c9f030539be04d199e66401c9427ed129256d715fa5976b7b2434b2ade6ca4ce34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2B65.tmp
Filesize
644B

MD5
2a1292826a47da43a7f430c4fd2022ec

SHA1
aa05c2f60651842c7b16a741169945f611c5fc64

SHA256
5cb8cedbc321cc29521008679cc737965557e4c8f3a787d7679939ffd6c21b5b

SHA512
4b90c6b158175a7ec812f97f106bf50e9d7a2b7e96f01aa23a3bd4561a6e8e6a43b29914b1bc0b92773e585add738026910cd9df8359d7c0d4be08319dc7636a

Download Submit
C:\Users\Admin\AppData\Local\Tempskype.mp4
Filesize
3.2MB

MD5
c964e27a154347bfd7ec916ab7d3013b

SHA1
f18253fbf190248dbcf27724223252523bf38922

SHA256
ef82ac9c6ea1141b85dfe6ecf24392046f54b505d71da9c4547aeaada5878447

SHA512
b9e17b0243c486d76df0c472126fd201174dbf3cc2f45adfea0c9227493dec6774fdfa8d2018cdd4280a91af934f43ea073b07210ed84dcf84df8b06cd998627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
\Users\Admin\AppData\Local\TempDev.exe
Filesize
191KB

MD5
b077a236e6cb4f710626b9ef56df8e8a

SHA1
ab7b6f4b9af0919f55dfb64a090630c4e7b191fd

SHA256
65a6a2d2702b3a6e81ad3ee7c3bcc7a40d99fe16c166bd554bfa07c1b7e29ba8

SHA512
88bba2ee188e5b10377e123fbfb178f15987b9341b750fda8daa15b9d27e9c3257c8dcdea700631c5c3325da466964ea439bbb5f847ddceb2f068b989ffa3400

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
memory/908-81-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/908-71-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/908-73-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/908-65-0x0000000000000000-mapping.dmp

Download
memory/1220-69-0x000007FEFB671000-0x000007FEFB673000-memory.dmp

Filesize
8KB

Download
memory/1220-61-0x0000000000000000-mapping.dmp

Download
memory/1424-89-0x0000000000000000-mapping.dmp

Download
memory/1616-82-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-83-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-77-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1808-62-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/1808-55-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-85-0x0000000000000000-mapping.dmp

Download
memory/2036-72-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-74-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download