asyncrat | 9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083

Analysis

max time kernel
109s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/01/2025, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe
Size

937KB
MD5

739120c1f7c118f14b10afab34c9a380
SHA1

2b62139bd0e2187b5379da0283f21675ecc5fdbb
SHA256

9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083
SHA512

e9600c458c851cb6264a35ea0c18bcba828a1d986cbc99c4a50104c930d0f103d9b7dac4905a96506fe42f1d3539cc4ca70db6adbeb6123edd1cdbb525b0879e
SSDEEP

24576:jNA3R5drXm1bYf1c4xt6fLdf+s77ZpwWdBO2JLZULqLfO:O52EfyJWs77ZOAO2Gqi

Score

10^/10

asyncrat default02 discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default02

woolingbrin.sytes.net:8747

woolingbrin.sytes.net:7477

87.120.121.160:8747

87.120.121.160:7477

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
15
install
true
install_file
vtc.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Executes dropped EXE 11 IoCs

pid	Process
2976	bzfuble.sfx.exe
1612	bzfuble.exe
2152	dthgdxs.sfx.exe
1556	dthgdxs.exe
856	dthgdxs.exe
2292	dthgdxs.exe
1572	dthgdxs.exe
2476	vtc.exe
2688	vtc.exe
1904	vtc.exe
2592	vtc.exe

Loads dropped DLL 10 IoCs

pid	Process
2672	cmd.exe
2976	bzfuble.sfx.exe
2976	bzfuble.sfx.exe
2976	bzfuble.sfx.exe
1600	cmd.exe
2152	dthgdxs.sfx.exe
2152	dthgdxs.sfx.exe
2152	dthgdxs.sfx.exe
2152	dthgdxs.sfx.exe
1656	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1556 set thread context of 856	1556	dthgdxs.exe	39
PID 1556 set thread context of 2292	1556	dthgdxs.exe	40
PID 1556 set thread context of 1572	1556	dthgdxs.exe	41
PID 2476 set thread context of 2688	2476	vtc.exe	50
PID 2476 set thread context of 1904	2476	vtc.exe	51
PID 2476 set thread context of 2592	2476	vtc.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dthgdxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dthgdxs.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzfuble.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzfuble.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dthgdxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dthgdxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dthgdxs.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2816	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2292	dthgdxs.exe
2292	dthgdxs.exe
2292	dthgdxs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	dthgdxs.exe
Token: SeDebugPrivilege	2292	dthgdxs.exe
Token: SeDebugPrivilege	2476	vtc.exe
Token: SeDebugPrivilege	2688	vtc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2168	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2168	DllHost.exe
2168	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2672	2884	9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe	30
PID 2884 wrote to memory of 2672	2884	9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe	30
PID 2884 wrote to memory of 2672	2884	9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe	30
PID 2884 wrote to memory of 2672	2884	9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe	30
PID 2672 wrote to memory of 2976	2672	cmd.exe	32
PID 2672 wrote to memory of 2976	2672	cmd.exe	32
PID 2672 wrote to memory of 2976	2672	cmd.exe	32
PID 2672 wrote to memory of 2976	2672	cmd.exe	32
PID 2976 wrote to memory of 1612	2976	bzfuble.sfx.exe	33
PID 2976 wrote to memory of 1612	2976	bzfuble.sfx.exe	33
PID 2976 wrote to memory of 1612	2976	bzfuble.sfx.exe	33
PID 2976 wrote to memory of 1612	2976	bzfuble.sfx.exe	33
PID 1612 wrote to memory of 1600	1612	bzfuble.exe	34
PID 1612 wrote to memory of 1600	1612	bzfuble.exe	34
PID 1612 wrote to memory of 1600	1612	bzfuble.exe	34
PID 1612 wrote to memory of 1600	1612	bzfuble.exe	34
PID 1600 wrote to memory of 2152	1600	cmd.exe	36
PID 1600 wrote to memory of 2152	1600	cmd.exe	36
PID 1600 wrote to memory of 2152	1600	cmd.exe	36
PID 1600 wrote to memory of 2152	1600	cmd.exe	36
PID 2152 wrote to memory of 1556	2152	dthgdxs.sfx.exe	38
PID 2152 wrote to memory of 1556	2152	dthgdxs.sfx.exe	38
PID 2152 wrote to memory of 1556	2152	dthgdxs.sfx.exe	38
PID 2152 wrote to memory of 1556	2152	dthgdxs.sfx.exe	38
PID 1556 wrote to memory of 856	1556	dthgdxs.exe	39
PID 1556 wrote to memory of 856	1556	dthgdxs.exe	39
PID 1556 wrote to memory of 856	1556	dthgdxs.exe	39
PID 1556 wrote to memory of 856	1556	dthgdxs.exe	39
PID 1556 wrote to memory of 856	1556	dthgdxs.exe	39
PID 1556 wrote to memory of 856	1556	dthgdxs.exe	39
PID 1556 wrote to memory of 856	1556	dthgdxs.exe	39
PID 1556 wrote to memory of 856	1556	dthgdxs.exe	39
PID 1556 wrote to memory of 856	1556	dthgdxs.exe	39
PID 1556 wrote to memory of 2292	1556	dthgdxs.exe	40
PID 1556 wrote to memory of 2292	1556	dthgdxs.exe	40
PID 1556 wrote to memory of 2292	1556	dthgdxs.exe	40
PID 1556 wrote to memory of 2292	1556	dthgdxs.exe	40
PID 1556 wrote to memory of 2292	1556	dthgdxs.exe	40
PID 1556 wrote to memory of 2292	1556	dthgdxs.exe	40
PID 1556 wrote to memory of 2292	1556	dthgdxs.exe	40
PID 1556 wrote to memory of 2292	1556	dthgdxs.exe	40
PID 1556 wrote to memory of 2292	1556	dthgdxs.exe	40
PID 1556 wrote to memory of 1572	1556	dthgdxs.exe	41
PID 1556 wrote to memory of 1572	1556	dthgdxs.exe	41
PID 1556 wrote to memory of 1572	1556	dthgdxs.exe	41
PID 1556 wrote to memory of 1572	1556	dthgdxs.exe	41
PID 1556 wrote to memory of 1572	1556	dthgdxs.exe	41
PID 1556 wrote to memory of 1572	1556	dthgdxs.exe	41
PID 1556 wrote to memory of 1572	1556	dthgdxs.exe	41
PID 1556 wrote to memory of 1572	1556	dthgdxs.exe	41
PID 1556 wrote to memory of 1572	1556	dthgdxs.exe	41
PID 2292 wrote to memory of 2776	2292	dthgdxs.exe	43
PID 2292 wrote to memory of 2776	2292	dthgdxs.exe	43
PID 2292 wrote to memory of 2776	2292	dthgdxs.exe	43
PID 2292 wrote to memory of 2776	2292	dthgdxs.exe	43
PID 2292 wrote to memory of 1656	2292	dthgdxs.exe	45
PID 2292 wrote to memory of 1656	2292	dthgdxs.exe	45
PID 2292 wrote to memory of 1656	2292	dthgdxs.exe	45
PID 2292 wrote to memory of 1656	2292	dthgdxs.exe	45
PID 2776 wrote to memory of 2544	2776	cmd.exe	47
PID 2776 wrote to memory of 2544	2776	cmd.exe	47
PID 2776 wrote to memory of 2544	2776	cmd.exe	47
PID 2776 wrote to memory of 2544	2776	cmd.exe	47
PID 1656 wrote to memory of 2816	1656	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe
"C:\Users\Admin\AppData\Local\Temp\9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\bdxfhxtr.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Roaming\bzfuble.sfx.exe
    bzfuble.sfx.exe -dC:\Users\Admin\AppData\Roaming -pfhmxvazfugywidasdfHbgnmeUtyRhdepoufslvqxfofnglfyjfodyehal
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Roaming\bzfuble.exe
      "C:\Users\Admin\AppData\Roaming\bzfuble.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\dtuysfgdf.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Users\Admin\AppData\Roaming\dthgdxs.sfx.exe
        
        dthgdxs.sfx.exe -dC:\Users\Admin\AppData\Roaming -pdcsyRgeygfgfgjdghjdguipbohhyjdfgyjuthmyopeafuszhvqxsdfHbghkgh
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
        
        "C:\Users\Admin\AppData\Roaming\dthgdxs.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
        
        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
        
        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vtc" /tr '"C:\Users\Admin\AppData\Roaming\vtc.exe"' & exit
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "vtc" /tr '"C:\Users\Admin\AppData\Roaming\vtc.exe"'
        10⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3811.tmp.bat""
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\vtc.exe
        
        "C:\Users\Admin\AppData\Roaming\vtc.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\vtc.exe
        
        C:\Users\Admin\AppData\Roaming\vtc.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\vtc.exe
        
        C:\Users\Admin\AppData\Roaming\vtc.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\vtc.exe
        
        C:\Users\Admin\AppData\Roaming\vtc.exe
        11⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
        
        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3811.tmp.bat

Filesize
147B

MD5
1324a79d2a2209afce99eb7abd09e3b5

SHA1
a513122c3be005d2c35ba6ebd436f9fb6b970702

SHA256
99d522a1a5c35166d7b21bf5e2a239627498c51ce3ca6004b5276cbc6d7c0939

SHA512
5cf189d167d15973ab20e3221172acf74ed1099e6824efd43d274ef2660687a256fa95bcadab11c78b56798a60feb559341fb8c9b36b96df8c0a9b2e76d2cff8

Download Submit
C:\Users\Admin\AppData\Roaming\Invoice_Payment.png

Filesize
123KB

MD5
4d26ad5e04f77affc6b54242ee8a3855

SHA1
e5c880c8f63712ff461d94c21fc241708226e937

SHA256
f5f2e61307a858dc8e39f6a11ee49e36b3cf791adb6710603f10813e916f047b

SHA512
1724467a085aac5338e89aadc8c9c565268ad622a4d71129d6fb8c58a3240be9c83eb64f951d0fd4c4928aa0c0a68c45ccb1110391f086299b9f980290a76974

Download Submit
C:\Users\Admin\AppData\Roaming\bdxfhxtr.bat

Filesize
47KB

MD5
d782793c652d72fb6560250033fba98e

SHA1
c3ef7608998c7eb7513696c942a84c892b9b21db

SHA256
a1caad0190eac698c6ec5515362f1bb53193c8a311a5ab03d0125b032b2a9b84

SHA512
f296255bded532b6c0645d2550bf32ec43631a9da54b863d2dcceda3a8df817278851e24a25d8c68d8e91fdcc3c52a58364e3d66d670c0fac128413332fce2b7

Download Submit
C:\Users\Admin\AppData\Roaming\dthgdxs.sfx.exe

Filesize
402KB

MD5
baa0a8d860ca253452c8001806b4bec2

SHA1
68425b89f27a12c2384ae9d1fb2bb1a48ad4e70f

SHA256
a9b46322e7774ac34e463f64c180b2bc290fd133cc1996a08577a7837355db55

SHA512
828f280d2cfa24f4769b8233439a46843aafff3432e00c66bb08d9ba0e7d6f908868ac941da63a71aa05aafdd4dc13b5c9b571ca9ac4ddbac0e257e8c5d23676

Download Submit
C:\Users\Admin\AppData\Roaming\dtuysfgdf.bat

Filesize
24KB

MD5
06d4cab0caa0436e4448862d4a6d31f2

SHA1
25545c772e23dd59aa1763c92a3c1c2985f34776

SHA256
129ac1bd19e7a37b53d3cc29b4a13d292dd6a9e94c8723e03f0ea3a7335b0f56

SHA512
ebcc67bbfe667f778ddc1a5341100ae3d0afb6856c134f3d17346370280236f46b06f82b9f152a20a1c63786b7b9001e2e3f7d14bad2cc1f06daf14e6b5cd7f5

Download Submit
\Users\Admin\AppData\Roaming\bzfuble.exe

Filesize
661KB

MD5
99412bef1088320fedf948ffdd40765f

SHA1
3f8617b329d2706c255b0fc4b355f225f5179f3e

SHA256
3d767c19243f1af24dfb750fe7933d7cb4eecffcd45fef48551c63f989f0d63a

SHA512
2fbf8fc734849f8a20446274720bbcc8d4c8b3c9979822a4eaf546a291520f01e8c65c368e976ce8b65b9a7f4d289c4df3d3aa01d74e207283abec2cb739a9e7

Download Submit
\Users\Admin\AppData\Roaming\bzfuble.sfx.exe

Filesize
795KB

MD5
1ca07665cdb629ec91c5acd31925c027

SHA1
b19b16ff5c2aabf895179b9bdabf18dd559dc1cc

SHA256
078871e60d2930abfdb6203b432a65d6556561b25ad077e024e1e4c4d59e678c

SHA512
3910ff449999c06b8bc7c913e29b76f94866505e8ffd20567afcc78cb0fc8bfd753cb1063d79ccb12807355bf008171a413cf954f46dc213cf6c8cad7068c95b

Download Submit
\Users\Admin\AppData\Roaming\dthgdxs.exe

Filesize
155KB

MD5
cdf47bec6d0fe4bf96c423897de91ffc

SHA1
6c257955b70ab4e30903372e924b40926f2869ae

SHA256
6ba01e4e418d76cfcb5232606fb5db91db07de15486971f1aaa4b6df9f624006

SHA512
85556a4c3dc2e50a83d2ff059954f047e0447112f27416a7639390e334a754e191f600fedf1d5142b3348080ee8c8f8cf4019f44a1aba37d71b1d2efbf695094

Download Submit
memory/856-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/856-89-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/856-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1556-78-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1556-80-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1556-79-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/1556-76-0x0000000000D90000-0x0000000000DBC000-memory.dmp

Filesize
176KB

Download
memory/1612-58-0x0000000000850000-0x0000000000852000-memory.dmp

Filesize
8KB

Download
memory/2168-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2476-106-0x0000000001240000-0x000000000126C000-memory.dmp

Filesize
176KB

Download
memory/2688-111-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2688-109-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download