f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496

Analysis

max time kernel
59s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
Size

2.1MB
MD5

2cfd38f60aabd75b54fc4429ac2e6ed2
SHA1

62ff3eb009fff0b4082ab3502dd3f6b68930d930
SHA256

f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496
SHA512

2e8af4c711f8a89c57e7c94968ac6e0f911a6590f562e2e47388f0d22a8029fb76b019a3ef716972b5981ecfbf919abb1863563b554a1d364a6a53ee8c30b4e0
SSDEEP

49152:Z3j90hvaUXFba4v8AmA+CqQzSEJHZDUq:Zx0hvRXFpv8Az+CPRJH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exeInterface(2).exesvchost.exesvchost.exesvchost.exe

pid process

320 8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
1908 Interface(2).exe
784 svchost.exe
788 svchost.exe
1556 svchost.exe

Loads dropped DLL 4 IoCs

Processes:

f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exesvchost.exe

pid	process
1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
784	svchost.exe
784	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvidia = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3fa930df-403b-42a6-a353-3abad2a95701\\svchost.exe\" -foobar"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvidia = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3fa930df-403b-42a6-a353-3abad2a95701\\svchost.exe\" -foobar"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exef79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exesvchost.exe

description	pid	process	target process
PID 1620 set thread context of 1996	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
PID 784 set thread context of 788	784	svchost.exe	svchost.exe
PID 784 set thread context of 1556	784	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

304 1996 WerFault.exe f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe

pid	pid_target	process	target process
304	1996	WerFault.exe	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exesvchost.exe

pid	process
320	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
784	svchost.exe
784	svchost.exe
784	svchost.exe
784	svchost.exe
784	svchost.exe
784	svchost.exe
784	svchost.exe
784	svchost.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exesvchost.exe

pid process

1620 f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
784 svchost.exe
784 svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
Token: SeDebugPrivilege	320	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
Token: SeDebugPrivilege	784	svchost.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exef79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exeWScript.exesvchost.exe

description	pid	process	target process
PID 1620 wrote to memory of 1996	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
PID 1620 wrote to memory of 1996	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
PID 1620 wrote to memory of 1996	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
PID 1620 wrote to memory of 1996	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
PID 1620 wrote to memory of 1996	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
PID 1620 wrote to memory of 320	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
PID 1620 wrote to memory of 320	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
PID 1620 wrote to memory of 320	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
PID 1620 wrote to memory of 320	1620	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
PID 320 wrote to memory of 1516	320	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe	WScript.exe
PID 320 wrote to memory of 1516	320	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe	WScript.exe
PID 320 wrote to memory of 1516	320	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe	WScript.exe
PID 1996 wrote to memory of 304	1996	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	WerFault.exe
PID 1996 wrote to memory of 304	1996	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	WerFault.exe
PID 1996 wrote to memory of 304	1996	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	WerFault.exe
PID 1996 wrote to memory of 304	1996	f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe	WerFault.exe
PID 1516 wrote to memory of 1908	1516	WScript.exe	Interface(2).exe
PID 1516 wrote to memory of 1908	1516	WScript.exe	Interface(2).exe
PID 1516 wrote to memory of 1908	1516	WScript.exe	Interface(2).exe
PID 1516 wrote to memory of 784	1516	WScript.exe	svchost.exe
PID 1516 wrote to memory of 784	1516	WScript.exe	svchost.exe
PID 1516 wrote to memory of 784	1516	WScript.exe	svchost.exe
PID 1516 wrote to memory of 784	1516	WScript.exe	svchost.exe
PID 784 wrote to memory of 788	784	svchost.exe	svchost.exe
PID 784 wrote to memory of 788	784	svchost.exe	svchost.exe
PID 784 wrote to memory of 788	784	svchost.exe	svchost.exe
PID 784 wrote to memory of 788	784	svchost.exe	svchost.exe
PID 784 wrote to memory of 788	784	svchost.exe	svchost.exe
PID 784 wrote to memory of 1556	784	svchost.exe	svchost.exe
PID 784 wrote to memory of 1556	784	svchost.exe	svchost.exe
PID 784 wrote to memory of 1556	784	svchost.exe	svchost.exe
PID 784 wrote to memory of 1556	784	svchost.exe	svchost.exe
PID 784 wrote to memory of 1556	784	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
"C:\Users\Admin\AppData\Local\Temp\f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe
"C:\Users\Admin\AppData\Local\Temp\f79f7559f4e81f94e86a9a97b697411c698258b8974e39363f553f7db90f2496.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 436
3⤵
- Program crash
PID:304

C:\Users\Admin\AppData\Local\Temp\8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
"C:\Users\Admin\AppData\Local\Temp\8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\1771089989.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\Interface(2).exe
"C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\Interface(2).exe"
4⤵
- Executes dropped EXE
PID:1908

C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:788

C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\1771089989.vbs
Filesize
511B

MD5
b78d84d98549910a6b639196988d73d9

SHA1
43c620c32b923e54e7b27a700836939e952fe226

SHA256
10b2e6313460af7d99911e21de85096d553bb80c23a89491031fe03867737314

SHA512
a5256f57e7f81736c212e35f77d56fd5f7c31b16591ba7e237a7c4291435bdbe7e20bc02afbf3526c92e36d7f522c0078cefdb3e4c30ad210a1a52603d333ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\Interface(2).exe
Filesize
714KB

MD5
dea6a377797865a1e336b755578be133

SHA1
f5eeac373de26460b4c03c35c9cc9af4c3193c43

SHA256
066b13ae2d95268291f9ca4d61f3fcf7033246e2492d51eb99667d404a3d856f

SHA512
1dffb457965477056368b7934358f6851a862cda54c88884684d471c75f962497b4c0095bfd25e18c1e85099e02348c4d63c760202db16a69371b1eaee76b1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\Interface(2).exe
Filesize
714KB

MD5
dea6a377797865a1e336b755578be133

SHA1
f5eeac373de26460b4c03c35c9cc9af4c3193c43

SHA256
066b13ae2d95268291f9ca4d61f3fcf7033246e2492d51eb99667d404a3d856f

SHA512
1dffb457965477056368b7934358f6851a862cda54c88884684d471c75f962497b4c0095bfd25e18c1e85099e02348c4d63c760202db16a69371b1eaee76b1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe
Filesize
507KB

MD5
dbd4767b786af34c17fd30c04c04bacd

SHA1
c21f1141e4b1f73975b0ab0ce60ac575b639ff89

SHA256
028c2e849514ce7e67fd52914fbabfb39d1e167b375628026a72ab3b5817d4d4

SHA512
f31cda719af336c325eb9f6b852c0ec1787921c97347a53c9151aab4befa779c975af987f2ea6a9eb4dfc7ad59506ca7b20bdbd307361fa185b6e2761e8b54c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe
Filesize
507KB

MD5
dbd4767b786af34c17fd30c04c04bacd

SHA1
c21f1141e4b1f73975b0ab0ce60ac575b639ff89

SHA256
028c2e849514ce7e67fd52914fbabfb39d1e167b375628026a72ab3b5817d4d4

SHA512
f31cda719af336c325eb9f6b852c0ec1787921c97347a53c9151aab4befa779c975af987f2ea6a9eb4dfc7ad59506ca7b20bdbd307361fa185b6e2761e8b54c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe
Filesize
507KB

MD5
dbd4767b786af34c17fd30c04c04bacd

SHA1
c21f1141e4b1f73975b0ab0ce60ac575b639ff89

SHA256
028c2e849514ce7e67fd52914fbabfb39d1e167b375628026a72ab3b5817d4d4

SHA512
f31cda719af336c325eb9f6b852c0ec1787921c97347a53c9151aab4befa779c975af987f2ea6a9eb4dfc7ad59506ca7b20bdbd307361fa185b6e2761e8b54c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe
Filesize
507KB

MD5
dbd4767b786af34c17fd30c04c04bacd

SHA1
c21f1141e4b1f73975b0ab0ce60ac575b639ff89

SHA256
028c2e849514ce7e67fd52914fbabfb39d1e167b375628026a72ab3b5817d4d4

SHA512
f31cda719af336c325eb9f6b852c0ec1787921c97347a53c9151aab4befa779c975af987f2ea6a9eb4dfc7ad59506ca7b20bdbd307361fa185b6e2761e8b54c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
Filesize
965KB

MD5
1099573a7abe1006e36887eba491545d

SHA1
0f1a1f14bf59decc11fdaada05a899cfc70e4b88

SHA256
69880920587b82e50b80d672b542eddf52ca11d107886b4674b87c78d0bea6e7

SHA512
1e852c43d8914531a3c59fc8c4163b855719634e7dba65475cebd0ce84a99fd4fbce3c69ec8ece1f9c01fe58f265e43159b481596587b5277c8f2a114b1f1448

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
Filesize
965KB

MD5
1099573a7abe1006e36887eba491545d

SHA1
0f1a1f14bf59decc11fdaada05a899cfc70e4b88

SHA256
69880920587b82e50b80d672b542eddf52ca11d107886b4674b87c78d0bea6e7

SHA512
1e852c43d8914531a3c59fc8c4163b855719634e7dba65475cebd0ce84a99fd4fbce3c69ec8ece1f9c01fe58f265e43159b481596587b5277c8f2a114b1f1448

Download Submit
\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe
Filesize
507KB

MD5
dbd4767b786af34c17fd30c04c04bacd

SHA1
c21f1141e4b1f73975b0ab0ce60ac575b639ff89

SHA256
028c2e849514ce7e67fd52914fbabfb39d1e167b375628026a72ab3b5817d4d4

SHA512
f31cda719af336c325eb9f6b852c0ec1787921c97347a53c9151aab4befa779c975af987f2ea6a9eb4dfc7ad59506ca7b20bdbd307361fa185b6e2761e8b54c1

Download Submit
\Users\Admin\AppData\Local\Temp\3fa930df-403b-42a6-a353-3abad2a95701\svchost.exe
Filesize
507KB

MD5
dbd4767b786af34c17fd30c04c04bacd

SHA1
c21f1141e4b1f73975b0ab0ce60ac575b639ff89

SHA256
028c2e849514ce7e67fd52914fbabfb39d1e167b375628026a72ab3b5817d4d4

SHA512
f31cda719af336c325eb9f6b852c0ec1787921c97347a53c9151aab4befa779c975af987f2ea6a9eb4dfc7ad59506ca7b20bdbd307361fa185b6e2761e8b54c1

Download Submit
\Users\Admin\AppData\Local\Temp\8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
Filesize
965KB

MD5
1099573a7abe1006e36887eba491545d

SHA1
0f1a1f14bf59decc11fdaada05a899cfc70e4b88

SHA256
69880920587b82e50b80d672b542eddf52ca11d107886b4674b87c78d0bea6e7

SHA512
1e852c43d8914531a3c59fc8c4163b855719634e7dba65475cebd0ce84a99fd4fbce3c69ec8ece1f9c01fe58f265e43159b481596587b5277c8f2a114b1f1448

Download Submit
\Users\Admin\AppData\Local\Temp\8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
Filesize
965KB

MD5
1099573a7abe1006e36887eba491545d

SHA1
0f1a1f14bf59decc11fdaada05a899cfc70e4b88

SHA256
69880920587b82e50b80d672b542eddf52ca11d107886b4674b87c78d0bea6e7

SHA512
1e852c43d8914531a3c59fc8c4163b855719634e7dba65475cebd0ce84a99fd4fbce3c69ec8ece1f9c01fe58f265e43159b481596587b5277c8f2a114b1f1448

Download Submit
memory/304-72-0x0000000000000000-mapping.dmp

Download
memory/320-64-0x0000000000000000-mapping.dmp

Download
memory/320-67-0x000007FEF4510000-0x000007FEF4F33000-memory.dmp

Filesize
10.1MB

Download
memory/320-69-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/784-101-0x00000000047D0000-0x00000000047D3000-memory.dmp

Filesize
12KB

Download
memory/784-81-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/784-88-0x00000000047D0000-0x00000000047D3000-memory.dmp

Filesize
12KB

Download
memory/784-98-0x00000000020B6000-0x00000000020C7000-memory.dmp

Filesize
68KB

Download
memory/784-78-0x0000000000000000-mapping.dmp

Download
memory/784-97-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/784-95-0x0000000004AD0000-0x0000000004B70000-memory.dmp

Filesize
640KB

Download
memory/784-102-0x0000000004AD0000-0x0000000004B70000-memory.dmp

Filesize
640KB

Download
memory/784-82-0x00000000020B6000-0x00000000020C7000-memory.dmp

Filesize
68KB

Download
memory/784-104-0x00000000020B6000-0x00000000020C7000-memory.dmp

Filesize
68KB

Download
memory/784-103-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/788-86-0x0000000000089ED9-mapping.dmp

Download
memory/788-89-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/1516-70-0x0000000000000000-mapping.dmp

Download
memory/1556-93-0x0000000000089ED9-mapping.dmp

Download
memory/1556-96-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/1620-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-68-0x0000000000A76000-0x0000000000A87000-memory.dmp

Filesize
68KB

Download
memory/1620-56-0x0000000000A76000-0x0000000000A87000-memory.dmp

Filesize
68KB

Download
memory/1620-91-0x0000000004CD0000-0x0000000004CD3000-memory.dmp

Filesize
12KB

Download
memory/1620-59-0x0000000004CD0000-0x0000000004CD3000-memory.dmp

Filesize
12KB

Download
memory/1620-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1620-99-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-100-0x0000000000A76000-0x0000000000A87000-memory.dmp

Filesize
68KB

Download
memory/1620-61-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-90-0x000000001B346000-0x000000001B365000-memory.dmp

Filesize
124KB

Download
memory/1908-83-0x0000000000160000-0x0000000000218000-memory.dmp

Filesize
736KB

Download
memory/1908-75-0x0000000000000000-mapping.dmp

Download
memory/1996-57-0x000000000047C344-mapping.dmp

Download
memory/1996-60-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

pid	process
320	8a684ae6-8e3d-41eb-9995-89e6ce348b0a.exe
1908	Interface(2).exe
784	svchost.exe
788	svchost.exe
1556	svchost.exe