b7fbeee8821d37ceb5de947817cda5429ea37d96c887af7d6e4c8965868e2c8f

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

javaw.exe
Size

732KB
MD5

496f004d2dae6f88919d39e15a22aae0
SHA1

030503f8731b1a45d5cb46e907ee158ac6e1a344
SHA256

b7fbeee8821d37ceb5de947817cda5429ea37d96c887af7d6e4c8965868e2c8f
SHA512

bdd3dfd57977f84e9d1603457d4f1f8341de288567a777d80f259dae1e9c42c5d665c609264a8c66e4275f48c07e6c798ed1a9b67411c78b67243ca0bfd03bde
SSDEEP

12288:3vYj+CYxSS3/2lj4nPVle8imLjW8mcVZ1/2sVP96PBKY:3vlCMSS3/I+W8R5oPBKY

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Media\\xdwdCli3nt.exe"	javaw.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	javaw.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	g02zl3eg.lpo.exe

Loads dropped DLL 53 IoCs

pid	Process
3348	Process not Found
2844	Process not Found
4368	Process not Found
4792	Process not Found
1596	Process not Found
3980	WmiApSrv.exe
4484	Process not Found
3564	Process not Found
1124	Process not Found
4044	Process not Found
2604	Process not Found
1176	Process not Found
4292	Process not Found
3920	Process not Found
3960	Process not Found
4136	Process not Found
2792	Process not Found
688	Process not Found
4792	Process not Found
1596	Process not Found
2224	Process not Found
4088	Process not Found
3728	Process not Found
2324	Process not Found
4036	Process not Found
2200	Process not Found
2912	Process not Found
3700	Process not Found
4140	Process not Found
1796	Process not Found
3332	Process not Found
4804	Process not Found
2972	Process not Found
4476	powershell.exe
688	Process not Found
5068	Process not Found
4000	Process not Found
1596	Process not Found
2384	Process not Found
3600	Process not Found
852	Process not Found
3588	Process not Found
4872	vlc.exe
1160	vlc.exe
3012	vlc.exe
1772	mspaint.exe
4656	Process not Found
4500	svchost.exe
4792	Process not Found
5112	Process not Found
4896	vlc.exe
760	vlc.exe
4232	vlc.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000300000000070f-850.dat	autoit_exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Media\xdwdCli3nt.exe	javaw.exe
File created	C:\Windows\Nvidia\xdwdWichD0g.exe	javaw.exe
File opened for modification	C:\Windows\Nvidia\xdwdWichD0g.exe	javaw.exe
File created	C:\Windows\xdwd.dll	javaw.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\Media\xdwdCli3nt.exe	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4348	schtasks.exe
3872	schtasks.exe
1012	schtasks.exe
2316	schtasks.exe
712	schtasks.exe
2720	schtasks.exe
2340	schtasks.exe
4968	schtasks.exe
4244	schtasks.exe
5064	schtasks.exe
3064	schtasks.exe
2704	schtasks.exe
5104	schtasks.exe
1792	schtasks.exe
3980	schtasks.exe
4908	schtasks.exe
4536	schtasks.exe
3564	schtasks.exe
6048	schtasks.exe
2452	schtasks.exe
1312	schtasks.exe
4432	schtasks.exe
4808	schtasks.exe
1444	schtasks.exe
540	schtasks.exe
2792	schtasks.exe
2160	schtasks.exe
508	schtasks.exe
5484	schtasks.exe
2748	schtasks.exe
3748	schtasks.exe
3200	schtasks.exe
3648	schtasks.exe
3568	schtasks.exe
4424	schtasks.exe
3896	schtasks.exe
2972	schtasks.exe
1292	schtasks.exe
6080	schtasks.exe
4064	schtasks.exe
2228	schtasks.exe
4804	schtasks.exe
4740	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1160	vlc.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
4884	javaw.exe
3980	WmiApSrv.exe
3980	WmiApSrv.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4872	vlc.exe
4872	vlc.exe
1160	vlc.exe
1160	vlc.exe
3012	vlc.exe
3012	vlc.exe
1772	mspaint.exe
1772	mspaint.exe
1772	mspaint.exe
1772	mspaint.exe
4500	svchost.exe
4500	svchost.exe
4896	vlc.exe
4896	vlc.exe
760	vlc.exe
760	vlc.exe
4232	vlc.exe
4232	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2184	g02zl3eg.lpo.exe
1160	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	javaw.exe
Token: SeDebugPrivilege	4476	powershell.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe
1160	vlc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1772	mspaint.exe
1160	vlc.exe
1772	mspaint.exe
1772	mspaint.exe
1772	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1756	4884	javaw.exe	91
PID 4884 wrote to memory of 1756	4884	javaw.exe	91
PID 1756 wrote to memory of 4244	1756	CMD.exe	93
PID 1756 wrote to memory of 4244	1756	CMD.exe	93
PID 4884 wrote to memory of 4472	4884	javaw.exe	94
PID 4884 wrote to memory of 4472	4884	javaw.exe	94
PID 4884 wrote to memory of 4340	4884	javaw.exe	96
PID 4884 wrote to memory of 4340	4884	javaw.exe	96
PID 4472 wrote to memory of 2748	4472	CMD.exe	98
PID 4472 wrote to memory of 2748	4472	CMD.exe	98
PID 4340 wrote to memory of 2160	4340	CMD.exe	99
PID 4340 wrote to memory of 2160	4340	CMD.exe	99
PID 4884 wrote to memory of 1860	4884	javaw.exe	102
PID 4884 wrote to memory of 1860	4884	javaw.exe	102
PID 1860 wrote to memory of 4536	1860	CMD.exe	104
PID 1860 wrote to memory of 4536	1860	CMD.exe	104
PID 4884 wrote to memory of 5004	4884	javaw.exe	106
PID 4884 wrote to memory of 5004	4884	javaw.exe	106
PID 5004 wrote to memory of 4968	5004	CMD.exe	108
PID 5004 wrote to memory of 4968	5004	CMD.exe	108
PID 4884 wrote to memory of 2120	4884	javaw.exe	109
PID 4884 wrote to memory of 2120	4884	javaw.exe	109
PID 2120 wrote to memory of 3896	2120	CMD.exe	111
PID 2120 wrote to memory of 3896	2120	CMD.exe	111
PID 4884 wrote to memory of 2200	4884	javaw.exe	113
PID 4884 wrote to memory of 2200	4884	javaw.exe	113
PID 2200 wrote to memory of 4740	2200	CMD.exe	115
PID 2200 wrote to memory of 4740	2200	CMD.exe	115
PID 4884 wrote to memory of 3924	4884	javaw.exe	116
PID 4884 wrote to memory of 3924	4884	javaw.exe	116
PID 3924 wrote to memory of 4064	3924	CMD.exe	118
PID 3924 wrote to memory of 4064	3924	CMD.exe	118
PID 4884 wrote to memory of 968	4884	javaw.exe	119
PID 4884 wrote to memory of 968	4884	javaw.exe	119
PID 968 wrote to memory of 5064	968	CMD.exe	121
PID 968 wrote to memory of 5064	968	CMD.exe	121
PID 4884 wrote to memory of 4656	4884	javaw.exe	122
PID 4884 wrote to memory of 4656	4884	javaw.exe	122
PID 4656 wrote to memory of 4348	4656	CMD.exe	124
PID 4656 wrote to memory of 4348	4656	CMD.exe	124
PID 4884 wrote to memory of 2412	4884	javaw.exe	125
PID 4884 wrote to memory of 2412	4884	javaw.exe	125
PID 2412 wrote to memory of 1312	2412	CMD.exe	127
PID 2412 wrote to memory of 1312	2412	CMD.exe	127
PID 4884 wrote to memory of 232	4884	javaw.exe	128
PID 4884 wrote to memory of 232	4884	javaw.exe	128
PID 232 wrote to memory of 2972	232	CMD.exe	130
PID 232 wrote to memory of 2972	232	CMD.exe	130
PID 4884 wrote to memory of 3836	4884	javaw.exe	131
PID 4884 wrote to memory of 3836	4884	javaw.exe	131
PID 3836 wrote to memory of 3064	3836	CMD.exe	133
PID 3836 wrote to memory of 3064	3836	CMD.exe	133
PID 4884 wrote to memory of 4784	4884	javaw.exe	134
PID 4884 wrote to memory of 4784	4884	javaw.exe	134
PID 4784 wrote to memory of 2704	4784	CMD.exe	136
PID 4784 wrote to memory of 2704	4784	CMD.exe	136
PID 4884 wrote to memory of 1272	4884	javaw.exe	137
PID 4884 wrote to memory of 1272	4884	javaw.exe	137
PID 1272 wrote to memory of 3748	1272	CMD.exe	139
PID 1272 wrote to memory of 3748	1272	CMD.exe	139
PID 4884 wrote to memory of 3360	4884	javaw.exe	140
PID 4884 wrote to memory of 3360	4884	javaw.exe	140
PID 3360 wrote to memory of 2228	3360	CMD.exe	142
PID 3360 wrote to memory of 2228	3360	CMD.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\javaw.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows Update" /tr "C:\Windows\Media\xdwdCli3nt.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4244
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2748
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "resmon" /tr "C:\Windows\Nvidia\xdwdWichD0g.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "resmon" /tr "C:\Windows\Nvidia\xdwdWichD0g.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2160
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4536
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4968
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3896
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4740
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4064
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5064
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4348
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1312
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2972
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3064
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2704
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3748
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2228
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:1012
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4432
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:3036
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5104
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:3924
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1792
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:1232
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3980
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:4032
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4908
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:760
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4808
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:852
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4804
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:5040
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3200
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:4000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3872
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:3644
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3648
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:4792
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1444
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:2096
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1292
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:3600
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:540
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:4544
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3568
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:4460
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\g02zl3eg.lpo.exe"' & exit
  2⤵
  PID:4896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\g02zl3eg.lpo.exe"'
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\g02zl3eg.lpo.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\g02zl3eg.lpo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2184
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:3692
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4424
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:3356
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1012
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:4988
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:508
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:1292
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2316
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:4072
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:712
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:4864
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3564
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:3332
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2792
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:4000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2720
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:456
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2340
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:5996
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5484
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:5460
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6048
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:5688
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3980

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnregisterPush.wmv"
1⤵
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnregisterPush.wmv"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RegisterEnable.wmf"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnregisterPush.wmv"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PublishGrant.3gp"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PublishGrant.3gp"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PublishGrant.3gp"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8881546f8,0x7ff888154708,0x7ff888154718
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17719605831752465352,3593213924081534284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17719605831752465352,3593213924081534284,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8881546f8,0x7ff888154708,0x7ff888154718
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11606981995384954026,13486488852147557329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0x74,0x78,0x7ff8881546f8,0x7ff888154708,0x7ff888154718
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,10600122717412441418,8492472898950247964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,10600122717412441418,8492472898950247964,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8881546f8,0x7ff888154708,0x7ff888154718
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,18214567311705862022,187766881832142148,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,18214567311705862022,187766881832142148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:920

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
PID:2316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5912

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PopRevoke.aifc"
1⤵
PID:5560

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PopRevoke.aifc"
1⤵
PID:5152

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PopRevoke.aifc"
1⤵
PID:5144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
51ccd7d9a9392ebca4c1ae898d683d2f

SHA1
f4943c31cc7f0ca3078e57e0ebea424fbd9691c4

SHA256
e36c7d688cd7d187eacc4fc1ccdd2968de91cee60f15ecb0e0d874da07be7665

SHA512
e3773c19314c66f09c0f556ade29cd63d84cc778be64060a570eed8f6c7918b7d09d2694d9e2d379bdaecb4e20cb140749a8111ef267c67a620d64cb598e0619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37b3b37ec161942f3bb3bde66d21f294

SHA1
0a086752a597b9202f2d885ea6c30721e7759267

SHA256
882e6f60a34444abe38f18ee60aff2fdd63cbbe7f6ce4a7e8b30d13a36408bfe

SHA512
aa19aca93344082c7454ec8f1b2524a7ea8270ca87cf8b62a37a8e4e635673b661848893a9ce55e706f9e77255ecb1dd1a0ed2c4446506ebcff033dbbe375a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f29c7a2216034bdf36400cf9aba52ae7

SHA1
60e065f8e54b4c85f44365559424ba1631fe4f1e

SHA256
1c890d09b4665e02dafe21412de215e10e574245525b8328ca21b54fefeaf0e5

SHA512
6a9650cfbbf35b28e591434d5d5f5583212bcba88fb66c08da0965bfa621180b9ef2053787b5c5442a404a739d60ca6cb1f13fd93080ed424c1806bd37d6b51b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
85b3b5ae2dac70a2f05cd9dfa3a558d2

SHA1
552648e11680ebd63004c5ece68495d43e809632

SHA256
45116884651a3b4cea003dc66d332e5cf5e83b1c17449f9dea92955e84dbb90e

SHA512
a9624465a3ad4805c39aa36d705891a056c3a008f49bc810dca419a92824604760d05fbdd99dd12b199c583eb33d2bf5db1ed3cabe283950ce1669d5adc64bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
17a163636b05e3f4c70cb8c6b5f6d340

SHA1
647b0ef5fdefb8b0146c0a972fc0814253044857

SHA256
9e38cb999c7f02d1523f2708032b3a26f8b72401d92254681f3e55905e0bc3f7

SHA512
d4ca573acef87d687c6a488ecfcb724057d4872d6f39937f541d134c3034208b050a81dee8f240ce0dbc6371ee4bf1d3a5fcd18443cb4ec5d1716face2659767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f980636e89a6eb52f16ceddabbc2335d

SHA1
7fbab2ce2207f1646fe9ae86635e1b17214dfa77

SHA256
4d4bd141daccb4ce177ee48be9b48857c3a1aee14fd3e2756cb04545549d2477

SHA512
95512f77e4266180fd8dc07819388c42937d6d7af0cf90bfaaa899c7d2be1a26480eae4f01c8e8c043374c9c7bba8f31f7510c3a432c22d238cfdc9a5e3f961a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
842c6d53ecbd8add7f814b32af638073

SHA1
659d7e7dd7ad37aca5edeed8a84c96404f8c1a2c

SHA256
c934ef8d4607f8e220403805c191be68ea9788de1701a3845e3d6854dbd66718

SHA512
410050bbd5e5483abd87f3bf926621027df1022b3a578cf55cfa769f16e54874a421d6261772895564510dfc27f10734c9b51b6d91ffb557169ec74122abe619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
98d8a7b41bb5c078ff9c929e4aa2d0c8

SHA1
bf6d284262a4254bb340562da6e14d15a001f2a5

SHA256
13a03a709b77a965001a67624aef169d9b05e0e2b73b171e0cf40de09de9754f

SHA512
24c85300a3ec8a31e83b61f99a68a6a40bda809fb8cd617692529404a241179671e507b92ccac3b54d35480148717d03264b61a3c9d37f2f6e19f95d9f8f118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l5sjarcn.ays.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\g02zl3eg.lpo.exe

Filesize
844KB

MD5
7ecfc8cd7455dd9998f7dad88f2a8a9d

SHA1
1751d9389adb1e7187afa4938a3559e58739dce6

SHA256
2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

SHA512
cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
0224554cfe0d573259eec7d8cd6cd8a7

SHA1
f802c91f60837d9c6bb4828182c127eddcb87be8

SHA256
2414fb4d2e3392bd5bdec9ed541fabf28065bc6d05acc8115a7f55c284c26df7

SHA512
923fd802ce91a02688ebe53e3e652f36c7e2034f84f4cf0dca3d147b698bd93c8505ab6114109c47f4feb55a511b283a6349d680189122ec781872bee901541d

Download Submit
C:\Windows\Media\xdwdCli3nt.exe

Filesize
4KB

MD5
d608619cee710e0590c90416a82433b5

SHA1
752618a64af4755bc90a792679d1686f01e52b26

SHA256
19ca2b3de37e44467e02cec38d7c1f0025f4993db3722c9ab95c78bf64a7fc40

SHA512
2e6dca76e4c3e6d4efc43d4b023eda2d2c1971b9992bb3ef8f731c049e0af0a2986776cf81ab865838aa52cd0c2887f5eddbbb7b835b546903a3ac59cd519293

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/760-1119-0x00007FF8A4650000-0x00007FF8A4661000-memory.dmp

Filesize
68KB

Download
memory/760-1107-0x00007FF8A82B0000-0x00007FF8A82E4000-memory.dmp

Filesize
208KB

Download
memory/760-1111-0x00007FF8906C0000-0x00007FF890974000-memory.dmp

Filesize
2.7MB

Download
memory/760-1105-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/760-1114-0x00007FF8AAF70000-0x00007FF8AAF88000-memory.dmp

Filesize
96KB

Download
memory/760-1104-0x00007FF688420000-0x00007FF688518000-memory.dmp

Filesize
992KB

Download
memory/760-1117-0x00007FF8A8560000-0x00007FF8A8577000-memory.dmp

Filesize
92KB

Download
memory/1160-1292-0x00007FF8A2D60000-0x00007FF8A2D90000-memory.dmp

Filesize
192KB

Download
memory/1160-1278-0x00007FF88B090000-0x00007FF88B290000-memory.dmp

Filesize
2.0MB

Download
memory/1160-1296-0x00007FF890650000-0x00007FF8906BF000-memory.dmp

Filesize
444KB

Download
memory/1160-1295-0x00007FF890D80000-0x00007FF890DE7000-memory.dmp

Filesize
412KB

Download
memory/1160-1033-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/1160-1034-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/1160-1561-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/1160-1277-0x00007FF8A4610000-0x00007FF8A4621000-memory.dmp

Filesize
68KB

Download
memory/1160-1556-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/1160-1302-0x00007FF890D50000-0x00007FF890D74000-memory.dmp

Filesize
144KB

Download
memory/1160-1291-0x00007FF8A2E60000-0x00007FF8A2E78000-memory.dmp

Filesize
96KB

Download
memory/1160-1290-0x00007FF8A2E80000-0x00007FF8A2E91000-memory.dmp

Filesize
68KB

Download
memory/1160-1289-0x00007FF8A2EA0000-0x00007FF8A2EBB000-memory.dmp

Filesize
108KB

Download
memory/1160-1288-0x00007FF8A2F00000-0x00007FF8A2F11000-memory.dmp

Filesize
68KB

Download
memory/1160-1287-0x00007FF8A3670000-0x00007FF8A3681000-memory.dmp

Filesize
68KB

Download
memory/1160-1286-0x00007FF8A3690000-0x00007FF8A36A1000-memory.dmp

Filesize
68KB

Download
memory/1160-1285-0x00007FF8A36B0000-0x00007FF8A36C8000-memory.dmp

Filesize
96KB

Download
memory/1160-1284-0x00007FF8A3A70000-0x00007FF8A3A91000-memory.dmp

Filesize
132KB

Download
memory/1160-1281-0x00007FF8A3E90000-0x00007FF8A3EAD000-memory.dmp

Filesize
116KB

Download
memory/1160-1283-0x00007FF8A3AD0000-0x00007FF8A3B0F000-memory.dmp

Filesize
252KB

Download
memory/1160-1282-0x00007FF8A3E70000-0x00007FF8A3E81000-memory.dmp

Filesize
68KB

Download
memory/1160-1298-0x00007FF8905F0000-0x00007FF890646000-memory.dmp

Filesize
344KB

Download
memory/1160-1273-0x00007FF8A4630000-0x00007FF8A4647000-memory.dmp

Filesize
92KB

Download
memory/1160-1270-0x00007FF8A4650000-0x00007FF8A4661000-memory.dmp

Filesize
68KB

Download
memory/1160-1269-0x00007FF8A8560000-0x00007FF8A8577000-memory.dmp

Filesize
92KB

Download
memory/1160-1268-0x00007FF8AAF70000-0x00007FF8AAF88000-memory.dmp

Filesize
96KB

Download
memory/1160-1303-0x00007FF8905C0000-0x00007FF8905E8000-memory.dmp

Filesize
160KB

Download
memory/1160-1297-0x00007FF8A2E40000-0x00007FF8A2E51000-memory.dmp

Filesize
68KB

Download
memory/1160-1304-0x00007FF8A2D40000-0x00007FF8A2D57000-memory.dmp

Filesize
92KB

Download
memory/1160-1265-0x00007FF8906C0000-0x00007FF890974000-memory.dmp

Filesize
2.7MB

Download
memory/1160-1263-0x00007FF8A82B0000-0x00007FF8A82E4000-memory.dmp

Filesize
208KB

Download
memory/1160-1257-0x00007FF688420000-0x00007FF688518000-memory.dmp

Filesize
992KB

Download
memory/1160-1305-0x00007FF8900A0000-0x00007FF8900C3000-memory.dmp

Filesize
140KB

Download
memory/1160-1306-0x00007FF8A23F0000-0x00007FF8A2401000-memory.dmp

Filesize
68KB

Download
memory/1160-1307-0x00007FF8905A0000-0x00007FF8905B2000-memory.dmp

Filesize
72KB

Download
memory/1160-1308-0x00007FF88DFB0000-0x00007FF88DFD1000-memory.dmp

Filesize
132KB

Download
memory/1160-1314-0x00007FF890080000-0x00007FF890093000-memory.dmp

Filesize
76KB

Download
memory/1160-1315-0x00007FF88DF90000-0x00007FF88DFA2000-memory.dmp

Filesize
72KB

Download
memory/1772-1037-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/1772-1035-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/1772-1564-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/3012-1039-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/3012-1048-0x00007FF8A8560000-0x00007FF8A8577000-memory.dmp

Filesize
92KB

Download
memory/3012-1038-0x00007FF688420000-0x00007FF688518000-memory.dmp

Filesize
992KB

Download
memory/3012-1041-0x00007FF8A82B0000-0x00007FF8A82E4000-memory.dmp

Filesize
208KB

Download
memory/3012-1043-0x00007FF8906C0000-0x00007FF890974000-memory.dmp

Filesize
2.7MB

Download
memory/3012-1046-0x00007FF8AAF70000-0x00007FF8AAF88000-memory.dmp

Filesize
96KB

Download
memory/3012-1050-0x00007FF8A4650000-0x00007FF8A4661000-memory.dmp

Filesize
68KB

Download
memory/3980-120-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/3980-121-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/3980-122-0x00007FF8B1E40000-0x00007FF8B1E41000-memory.dmp

Filesize
4KB

Download
memory/3980-123-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4232-1113-0x00007FF8A82B0000-0x00007FF8A82E4000-memory.dmp

Filesize
208KB

Download
memory/4232-1120-0x00007FF8AAF70000-0x00007FF8AAF88000-memory.dmp

Filesize
96KB

Download
memory/4232-1121-0x00007FF8A8560000-0x00007FF8A8577000-memory.dmp

Filesize
92KB

Download
memory/4232-1123-0x00007FF8A4650000-0x00007FF8A4661000-memory.dmp

Filesize
68KB

Download
memory/4232-1116-0x00007FF8906C0000-0x00007FF890974000-memory.dmp

Filesize
2.7MB

Download
memory/4232-1109-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4232-1110-0x00007FF688420000-0x00007FF688518000-memory.dmp

Filesize
992KB

Download
memory/4476-809-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4476-810-0x00000234560D0000-0x00000234560E0000-memory.dmp

Filesize
64KB

Download
memory/4476-812-0x00000234560D0000-0x00000234560E0000-memory.dmp

Filesize
64KB

Download
memory/4476-811-0x00007FF893DD0000-0x00007FF894891000-memory.dmp

Filesize
10.8MB

Download
memory/4476-855-0x00007FF893DD0000-0x00007FF894891000-memory.dmp

Filesize
10.8MB

Download
memory/4476-808-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4476-854-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4476-818-0x00000234561E0000-0x0000023456202000-memory.dmp

Filesize
136KB

Download
memory/4500-1064-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4500-1058-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4872-1036-0x00007FF688420000-0x00007FF688518000-memory.dmp

Filesize
992KB

Download
memory/4872-1049-0x00007FF8A4650000-0x00007FF8A4661000-memory.dmp

Filesize
68KB

Download
memory/4872-1032-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4872-1044-0x00007FF8AAF70000-0x00007FF8AAF88000-memory.dmp

Filesize
96KB

Download
memory/4872-1051-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4872-1042-0x00007FF8906C0000-0x00007FF890974000-memory.dmp

Filesize
2.7MB

Download
memory/4872-1047-0x00007FF8A8560000-0x00007FF8A8577000-memory.dmp

Filesize
92KB

Download
memory/4872-1040-0x00007FF8A82B0000-0x00007FF8A82E4000-memory.dmp

Filesize
208KB

Download
memory/4872-1031-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4884-0-0x0000000000C30000-0x0000000000CEA000-memory.dmp

Filesize
744KB

Download
memory/4884-803-0x00000000014E0000-0x00000000014FE000-memory.dmp

Filesize
120KB

Download
memory/4884-1-0x00007FF893DD0000-0x00007FF894891000-memory.dmp

Filesize
10.8MB

Download
memory/4884-33-0x000000001BE70000-0x000000001BE80000-memory.dmp

Filesize
64KB

Download
memory/4884-90-0x00007FF893DD0000-0x00007FF894891000-memory.dmp

Filesize
10.8MB

Download
memory/4884-259-0x000000001BE70000-0x000000001BE80000-memory.dmp

Filesize
64KB

Download
memory/4884-801-0x000000001D2E0000-0x000000001D356000-memory.dmp

Filesize
472KB

Download
memory/4884-802-0x00000000014B0000-0x00000000014BC000-memory.dmp

Filesize
48KB

Download
memory/4896-1092-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4896-1106-0x00007FF688420000-0x00007FF688518000-memory.dmp

Filesize
992KB

Download
memory/4896-1112-0x00007FF8906C0000-0x00007FF890974000-memory.dmp

Filesize
2.7MB

Download
memory/4896-1115-0x00007FF8AAF70000-0x00007FF8AAF88000-memory.dmp

Filesize
96KB

Download
memory/4896-1090-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4896-1118-0x00007FF8A8560000-0x00007FF8A8577000-memory.dmp

Filesize
92KB

Download
memory/4896-1128-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/4896-1122-0x00007FF8A4650000-0x00007FF8A4661000-memory.dmp

Filesize
68KB

Download
memory/4896-1108-0x00007FF8A82B0000-0x00007FF8A82E4000-memory.dmp

Filesize
208KB

Download
memory/5144-1566-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/5152-1536-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/5336-1255-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/5336-1226-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/5336-1225-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/5560-1504-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/5560-1521-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download
memory/5912-1274-0x00007FF8B1E50000-0x00007FF8B2045000-memory.dmp

Filesize
2.0MB

Download