69407fac757dd2d155a461498f4556de75aaf3e7970208b9d5dab4613057bc59

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient (1).exe
Size

519KB
MD5

b9cff0db386629b0877477e559b39232
SHA1

644851c9693db4349972682b7a323ff8fa04e3e5
SHA256

69407fac757dd2d155a461498f4556de75aaf3e7970208b9d5dab4613057bc59
SHA512

667b152ab828f19ab8018957e11460638a6aaec5a0a33ce2556ee2171a2bd2bfd07affc11245c805cd9b29697dd34e56a1f4a4c0fc8dc3f31e47220e38871524
SSDEEP

12288:j5trQoCPjZ3WFsMIPVle81fApDHgj75Jz5pMnW:9tZCPV3WFsapDA

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

XClient (1).exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\xdwdFL Studio.exe"	XClient (1).exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient (1).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\seeT = "C:\\Users\\Admin\\Videos\\xdwdMicrosoft Word Host.exe"	XClient (1).exe

Drops file in Windows directory 1 IoCs

Processes:

XClient (1).exe

description ioc process

File created C:\Windows\xdwd.dll XClient (1).exe

description	ioc	process
File created	C:\Windows\xdwd.dll	XClient (1).exe

Creates scheduled task(s) 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2116	schtasks.exe
1720	schtasks.exe
1372	schtasks.exe
2876	schtasks.exe
620	schtasks.exe
1588	schtasks.exe
1096	schtasks.exe
2084	schtasks.exe
1920	schtasks.exe
1940	schtasks.exe
536	schtasks.exe
1984	schtasks.exe
2244	schtasks.exe
1604	schtasks.exe
1980	schtasks.exe
2512	schtasks.exe
2404	schtasks.exe
2592	schtasks.exe
632	schtasks.exe
2428	schtasks.exe
2544	schtasks.exe
1688	schtasks.exe
1000	schtasks.exe
2996	schtasks.exe
2576	schtasks.exe
2376	schtasks.exe
2920	schtasks.exe
1596	schtasks.exe
2016	schtasks.exe
1960	schtasks.exe
2808	schtasks.exe
1248	schtasks.exe
1868	schtasks.exe
2404	schtasks.exe
2400	schtasks.exe
700	schtasks.exe
2920	schtasks.exe
2500	schtasks.exe
2776	schtasks.exe
2344	schtasks.exe
2908	schtasks.exe
2212	schtasks.exe
804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

schtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeschtasks.exe

pid	process
2920	schtasks.exe
2568	CMD.exe
1868	schtasks.exe
1916	CMD.exe
632	schtasks.exe
2400	CMD.exe
1720	schtasks.exe
2844	CMD.exe
1688	schtasks.exe
3052	CMD.exe
1372	schtasks.exe
2280	CMD.exe
2876	schtasks.exe
2888	CMD.exe
1596	schtasks.exe
2788	CMD.exe
2404	schtasks.exe
2904	CMD.exe
1940	schtasks.exe
2892	CMD.exe
1000	schtasks.exe
632	CMD.exe
536	schtasks.exe
308	CMD.exe
620	schtasks.exe
1688	CMD.exe
2996	schtasks.exe
108	CMD.exe
1984	schtasks.exe
3056	CMD.exe
2344	schtasks.exe
2120	CMD.exe
2244	schtasks.exe
2744	CMD.exe
2404	schtasks.exe
2592	CMD.exe
2908	schtasks.exe
752	CMD.exe
2016	schtasks.exe
1552	CMD.exe
1604	schtasks.exe
596	CMD.exe
2428	schtasks.exe
2328	CMD.exe
2400	schtasks.exe
3004	CMD.exe
1096	schtasks.exe
344	CMD.exe
1960	schtasks.exe
860	CMD.exe
2084	schtasks.exe
1588	schtasks.exe
2620	CMD.exe
2808	schtasks.exe
2924	CMD.exe
2592	schtasks.exe
2752	CMD.exe
1920	schtasks.exe
2716	CMD.exe
2212	schtasks.exe
1040	CMD.exe
804	schtasks.exe
2468	CMD.exe
2376	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

XClient (1).exe

description pid process

Token: SeDebugPrivilege 2104 XClient (1).exe

description	pid	process
Token: SeDebugPrivilege	2104	XClient (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XClient (1).exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exe

description	pid	process	target process
PID 2104 wrote to memory of 2836	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2836	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2836	2104	XClient (1).exe	CMD.exe
PID 2836 wrote to memory of 2776	2836	CMD.exe	schtasks.exe
PID 2836 wrote to memory of 2776	2836	CMD.exe	schtasks.exe
PID 2836 wrote to memory of 2776	2836	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 1668	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 1668	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 1668	2104	XClient (1).exe	CMD.exe
PID 1668 wrote to memory of 2512	1668	CMD.exe	schtasks.exe
PID 1668 wrote to memory of 2512	1668	CMD.exe	schtasks.exe
PID 1668 wrote to memory of 2512	1668	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 2960	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2960	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2960	2104	XClient (1).exe	CMD.exe
PID 2960 wrote to memory of 2920	2960	CMD.exe	schtasks.exe
PID 2960 wrote to memory of 2920	2960	CMD.exe	schtasks.exe
PID 2960 wrote to memory of 2920	2960	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 2568	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2568	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2568	2104	XClient (1).exe	CMD.exe
PID 2568 wrote to memory of 1868	2568	CMD.exe	schtasks.exe
PID 2568 wrote to memory of 1868	2568	CMD.exe	schtasks.exe
PID 2568 wrote to memory of 1868	2568	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 1916	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 1916	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 1916	2104	XClient (1).exe	CMD.exe
PID 1916 wrote to memory of 632	1916	CMD.exe	schtasks.exe
PID 1916 wrote to memory of 632	1916	CMD.exe	schtasks.exe
PID 1916 wrote to memory of 632	1916	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 2400	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2400	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2400	2104	XClient (1).exe	CMD.exe
PID 2400 wrote to memory of 1720	2400	CMD.exe	schtasks.exe
PID 2400 wrote to memory of 1720	2400	CMD.exe	schtasks.exe
PID 2400 wrote to memory of 1720	2400	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 2844	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2844	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2844	2104	XClient (1).exe	CMD.exe
PID 2844 wrote to memory of 1688	2844	CMD.exe	schtasks.exe
PID 2844 wrote to memory of 1688	2844	CMD.exe	schtasks.exe
PID 2844 wrote to memory of 1688	2844	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 3052	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 3052	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 3052	2104	XClient (1).exe	CMD.exe
PID 3052 wrote to memory of 1372	3052	CMD.exe	schtasks.exe
PID 3052 wrote to memory of 1372	3052	CMD.exe	schtasks.exe
PID 3052 wrote to memory of 1372	3052	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 2280	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2280	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2280	2104	XClient (1).exe	CMD.exe
PID 2280 wrote to memory of 2876	2280	CMD.exe	schtasks.exe
PID 2280 wrote to memory of 2876	2280	CMD.exe	schtasks.exe
PID 2280 wrote to memory of 2876	2280	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 2888	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2888	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2888	2104	XClient (1).exe	CMD.exe
PID 2888 wrote to memory of 1596	2888	CMD.exe	schtasks.exe
PID 2888 wrote to memory of 1596	2888	CMD.exe	schtasks.exe
PID 2888 wrote to memory of 1596	2888	CMD.exe	schtasks.exe
PID 2104 wrote to memory of 2788	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2788	2104	XClient (1).exe	CMD.exe
PID 2104 wrote to memory of 2788	2104	XClient (1).exe	CMD.exe
PID 2788 wrote to memory of 2404	2788	CMD.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient (1).exe
"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\system32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Bitdefender Antivirus" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Bitdefender Antivirus" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe"
3⤵
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk AutoCAD Update" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Word Host.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk AutoCAD Update" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Word Host.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2876

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1000

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:308

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:620

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2996

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:108

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2120

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2592

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:752

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:596

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3004

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1096

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:344

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:1768

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2592

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2752

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:804

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:2712

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:700

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:1872

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:568

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:1700

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:2720

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:932

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:1564

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:1072

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/108-487-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/308-421-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/344-807-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/536-385-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/596-706-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/620-417-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/632-95-0x000007FEFA8E0000-0x000007FEFA902000-memory.dmp

Filesize
136KB

Download
memory/632-386-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/752-642-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/804-1025-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/860-834-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1000-356-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1040-1027-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1096-769-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1372-192-0x000007FEF7750000-0x000007FEF7772000-memory.dmp

Filesize
136KB

Download
memory/1552-679-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1588-865-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1596-256-0x000007FEF7750000-0x000007FEF7772000-memory.dmp

Filesize
136KB

Download
memory/1604-673-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1688-159-0x000007FEFA8E0000-0x000007FEFA902000-memory.dmp

Filesize
136KB

Download
memory/1688-450-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1720-127-0x000007FEF7750000-0x000007FEF7772000-memory.dmp

Filesize
136KB

Download
memory/1768-871-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1868-62-0x000007FEF7750000-0x000007FEF7772000-memory.dmp

Filesize
136KB

Download
memory/1916-99-0x000007FEFA8E0000-0x000007FEFA902000-memory.dmp

Filesize
136KB

Download
memory/1920-961-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1940-321-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1960-801-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/1984-486-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2016-641-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2084-833-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2104-173-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2104-41-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2104-42-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

Filesize
4KB

Download
memory/2104-0-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x0000000000320000-0x00000000003A8000-memory.dmp

Filesize
544KB

Download
memory/2120-551-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2212-998-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2244-550-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2280-230-0x000007FEFA8E0000-0x000007FEFA902000-memory.dmp

Filesize
136KB

Download
memory/2328-738-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2344-513-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2376-1062-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2400-128-0x000007FEF7750000-0x000007FEF7772000-memory.dmp

Filesize
136KB

Download
memory/2400-737-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2404-577-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2404-289-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2428-705-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2568-61-0x00000000774D1000-0x00000000774D2000-memory.dmp

Filesize
4KB

Download
memory/2568-69-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2568-63-0x000007FEF7750000-0x000007FEF7772000-memory.dmp

Filesize
136KB

Download
memory/2568-270-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2592-615-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2592-934-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2620-898-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2716-999-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2744-578-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2752-962-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2788-290-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2808-897-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2844-160-0x000007FEFA8E0000-0x000007FEFA902000-memory.dmp

Filesize
136KB

Download
memory/2876-224-0x000007FEFA8E0000-0x000007FEFA902000-memory.dmp

Filesize
136KB

Download
memory/2888-257-0x000007FEF7750000-0x000007FEF7772000-memory.dmp

Filesize
136KB

Download
memory/2892-359-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2904-322-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2908-612-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2920-40-0x000007FEFA8E0000-0x000007FEFA902000-memory.dmp

Filesize
136KB

Download
memory/2924-935-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/2996-449-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/3004-770-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download
memory/3052-193-0x000007FEF7750000-0x000007FEF7772000-memory.dmp

Filesize
136KB

Download
memory/3056-514-0x000007FEF7720000-0x000007FEF7742000-memory.dmp

Filesize
136KB

Download