Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04-10-2024 12:30

General

  • Target

    main.ps1

  • Size

    1KB

  • MD5

    3192d090b51a7619bc9efba00478eb83

  • SHA1

    cd449bd5957d6f51a4a05150b9ba732bbb38314f

  • SHA256

    458d463a638840beb8ba3de4af72fa733373c004b83c32158277027b66dbeba4

  • SHA512

    82d8859ffc18525bd80b5c0ec995b31886d3cba31f09f87aca8a986cb4f2f4683b876caedd2a2da133a657f2d7465a51c5cd31f75b6f668e92800efec78bdf37

Malware Config

Signatures

  • Possible privilege escalation attempt 16 IoCs
  • Modifies file permissions 1 TTPs 16 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:132
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\explorer.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\explorer.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3940
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\explorer.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\explorer.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3920
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2184
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:488
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4716
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3524
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\regedit.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\regedit.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4344
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\regedit.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\regedit.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3236
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\notepad.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\notepad.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2968
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\notepad.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\notepad.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4028
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2532
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2960
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1884
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3292
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2924
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4888
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1592
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2020
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde544cc40,0x7ffde544cc4c,0x7ffde544cc58
      2⤵
      PID:4908
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1848 /prefetch:2
      2⤵
      PID:4532
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2140 /prefetch:3
      2⤵
      PID:2712
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2196 /prefetch:8
      2⤵
      PID:1900
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3268 /prefetch:1
      2⤵
      PID:3324
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3296 /prefetch:1
      2⤵
      PID:712
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3588,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4428 /prefetch:1
      2⤵
      PID:2584
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4628 /prefetch:8
      2⤵
      PID:5084
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4736 /prefetch:8
      2⤵
      PID:1736
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4296,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4696 /prefetch:8
      2⤵
      PID:3100
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4932 /prefetch:8
      2⤵
      PID:2032
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:1752
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:3224

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

    Filesize

    649B

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

    Filesize

    2B

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

    Filesize

    356B

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    9KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    9KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    9KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    9KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f7bc6773-0c24-41aa-8972-a8420771d3a3.tmp

    Filesize

    15KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

    Filesize

    211KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

    Filesize

    211KB

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yorizonq.yp5.ps1

    Filesize

    60B
