ramnit | 69407fac757dd2d155a461498f4556de75aaf3e7970208b9d5dab4613057bc59

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient (1).exe
Size

519KB
MD5

b9cff0db386629b0877477e559b39232
SHA1

644851c9693db4349972682b7a323ff8fa04e3e5
SHA256

69407fac757dd2d155a461498f4556de75aaf3e7970208b9d5dab4613057bc59
SHA512

667b152ab828f19ab8018957e11460638a6aaec5a0a33ce2556ee2171a2bd2bfd07affc11245c805cd9b29697dd34e56a1f4a4c0fc8dc3f31e47220e38871524
SSDEEP

12288:j5trQoCPjZ3WFsMIPVle81fApDHgj75Jz5pMnW:9tZCPV3WFsapDA

Score

10^/10

ramnit banker execution persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

XClient (1).exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\xdwdFL Studio.exe"	XClient (1).exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XClient (1).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	XClient (1).exe

Executes dropped EXE 4 IoCs

Processes:

jan44ndp.ej0.exejan44ndp.ej0Srv.exeDesktopLayer.exevpht3fs0.i4c.exe

pid process

3156 jan44ndp.ej0.exe
2328 jan44ndp.ej0Srv.exe
3088 DesktopLayer.exe
5068 vpht3fs0.i4c.exe

Loads dropped DLL 58 IoCs

Processes:

WmiApSrv.exepowershell.exeiexplore.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exepowershell.exeAUDIODG.EXEchrome.exe

pid	process
720
3976
4048	WmiApSrv.exe
968
3592
4196
3828
1280
4336
3316
3224
2376
2544
1628
2720
3676
2424
2216
3356
920
4992
5044	powershell.exe
3596	iexplore.exe
2212
1380
3036
1560
2708
2028
2212
2668
2968
5028
408	chrome.exe
4428	chrome.exe
3544	chrome.exe
1612	elevation_service.exe
5044
3220	chrome.exe
4408	chrome.exe
1052
4192
4192
5036
3632
4992
3988
824	powershell.exe
3460
404	AUDIODG.EXE
4184
2324
1860
3064
3960
4384
1652
1744	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jan44ndp.ej0Srv.exe	upx
behavioral2/memory/2328-572-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3088-578-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient (1).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seeT = "C:\\Users\\Admin\\Videos\\xdwdMicrosoft Word Host.exe"	XClient (1).exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5044 powershell.exe
824 powershell.exe

pid	process
5044	powershell.exe
824	powershell.exe

Drops file in Program Files directory 3 IoCs

Processes:

jan44ndp.ej0Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px59F2.tmp	jan44ndp.ej0Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	jan44ndp.ej0Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	jan44ndp.ej0Srv.exe

Drops file in Windows directory 1 IoCs

Processes:

XClient (1).exe

description ioc process

File created C:\Windows\xdwd.dll XClient (1).exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\xdwd.dll	XClient (1).exe

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3928	schtasks.exe
3536	schtasks.exe
4292	schtasks.exe
2068	schtasks.exe
4532	schtasks.exe
3940	schtasks.exe
1580	schtasks.exe
4224	schtasks.exe
1600	schtasks.exe
3100	schtasks.exe
2580	schtasks.exe
3212	schtasks.exe
644	schtasks.exe
1928	schtasks.exe
2324	schtasks.exe
1236	schtasks.exe
4660	schtasks.exe
5028	schtasks.exe
2160	schtasks.exe
4340	schtasks.exe
4920	schtasks.exe
4832	schtasks.exe
548	schtasks.exe
3460	schtasks.exe
3924	schtasks.exe
4848	schtasks.exe
4844	schtasks.exe
4920	schtasks.exe
3604	schtasks.exe
696	schtasks.exe
2208	schtasks.exe
452	schtasks.exe
3676	schtasks.exe
5028	schtasks.exe
4084	schtasks.exe
5064	schtasks.exe
3224	schtasks.exe
4596	schtasks.exe
4464	schtasks.exe
3908	schtasks.exe
4608	schtasks.exe
3264	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BF340FAE-2967-11EF-9D11-66F8B04B242D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627447406220555"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

XClient (1).exeWmiApSrv.exepowershell.exeDesktopLayer.exeiexplore.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exepowershell.exeAUDIODG.EXE

pid	process
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
3352	XClient (1).exe
4048	WmiApSrv.exe
4048	WmiApSrv.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
3088	DesktopLayer.exe
3088	DesktopLayer.exe
3088	DesktopLayer.exe
3088	DesktopLayer.exe
3088	DesktopLayer.exe
3088	DesktopLayer.exe
3088	DesktopLayer.exe
3088	DesktopLayer.exe
3596	iexplore.exe
3596	iexplore.exe
408	chrome.exe
408	chrome.exe
4428	chrome.exe
4428	chrome.exe
3544	chrome.exe
3544	chrome.exe
4428	chrome.exe
4428	chrome.exe
1612	elevation_service.exe
1612	elevation_service.exe
3220	chrome.exe
3220	chrome.exe
4408	chrome.exe
4408	chrome.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
404	AUDIODG.EXE
404	AUDIODG.EXE
3352	XClient (1).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4428 chrome.exe
4428 chrome.exe
4428 chrome.exe
4428 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

XClient (1).exepowershell.exechrome.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	3352	XClient (1).exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: 33	404	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	404	AUDIODG.EXE
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

jan44ndp.ej0.exeiexplore.exechrome.exe

pid	process
3156	jan44ndp.ej0.exe
3596	iexplore.exe
3156	jan44ndp.ej0.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3596 iexplore.exe
3596 iexplore.exe
3948 IEXPLORE.EXE
3948 IEXPLORE.EXE
3948 IEXPLORE.EXE
3948 IEXPLORE.EXE

pid	process
3596	iexplore.exe
3596	iexplore.exe
3948	IEXPLORE.EXE
3948	IEXPLORE.EXE
3948	IEXPLORE.EXE
3948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XClient (1).exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exe

description	pid	process	target process
PID 3352 wrote to memory of 4484	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 4484	3352	XClient (1).exe	CMD.exe
PID 4484 wrote to memory of 5064	4484	CMD.exe	schtasks.exe
PID 4484 wrote to memory of 5064	4484	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 1984	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 1984	3352	XClient (1).exe	CMD.exe
PID 1984 wrote to memory of 696	1984	CMD.exe	schtasks.exe
PID 1984 wrote to memory of 696	1984	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 4212	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 4212	3352	XClient (1).exe	CMD.exe
PID 4212 wrote to memory of 644	4212	CMD.exe	schtasks.exe
PID 4212 wrote to memory of 644	4212	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 5040	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 5040	3352	XClient (1).exe	CMD.exe
PID 5040 wrote to memory of 1928	5040	CMD.exe	schtasks.exe
PID 5040 wrote to memory of 1928	5040	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 3232	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 3232	3352	XClient (1).exe	CMD.exe
PID 3232 wrote to memory of 3224	3232	CMD.exe	schtasks.exe
PID 3232 wrote to memory of 3224	3232	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 4612	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 4612	3352	XClient (1).exe	CMD.exe
PID 4612 wrote to memory of 4340	4612	CMD.exe	schtasks.exe
PID 4612 wrote to memory of 4340	4612	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 4084	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 4084	3352	XClient (1).exe	CMD.exe
PID 4084 wrote to memory of 2068	4084	CMD.exe	schtasks.exe
PID 4084 wrote to memory of 2068	4084	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 2224	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 2224	3352	XClient (1).exe	CMD.exe
PID 2224 wrote to memory of 4920	2224	CMD.exe	schtasks.exe
PID 2224 wrote to memory of 4920	2224	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 4576	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 4576	3352	XClient (1).exe	CMD.exe
PID 4576 wrote to memory of 2208	4576	CMD.exe	schtasks.exe
PID 4576 wrote to memory of 2208	4576	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 3816	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 3816	3352	XClient (1).exe	CMD.exe
PID 3816 wrote to memory of 4532	3816	CMD.exe	schtasks.exe
PID 3816 wrote to memory of 4532	3816	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 1400	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 1400	3352	XClient (1).exe	CMD.exe
PID 1400 wrote to memory of 4832	1400	CMD.exe	schtasks.exe
PID 1400 wrote to memory of 4832	1400	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 860	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 860	3352	XClient (1).exe	CMD.exe
PID 860 wrote to memory of 2324	860	CMD.exe	schtasks.exe
PID 860 wrote to memory of 2324	860	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 3900	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 3900	3352	XClient (1).exe	CMD.exe
PID 3900 wrote to memory of 548	3900	CMD.exe	schtasks.exe
PID 3900 wrote to memory of 548	3900	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 2148	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 2148	3352	XClient (1).exe	CMD.exe
PID 2148 wrote to memory of 4596	2148	CMD.exe	schtasks.exe
PID 2148 wrote to memory of 4596	2148	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 4440	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 4440	3352	XClient (1).exe	CMD.exe
PID 4440 wrote to memory of 4464	4440	CMD.exe	schtasks.exe
PID 4440 wrote to memory of 4464	4440	CMD.exe	schtasks.exe
PID 3352 wrote to memory of 2620	3352	XClient (1).exe	CMD.exe
PID 3352 wrote to memory of 2620	3352	XClient (1).exe	CMD.exe
PID 2620 wrote to memory of 452	2620	CMD.exe	schtasks.exe
PID 2620 wrote to memory of 452	2620	CMD.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient (1).exe
"C:\Users\Admin\AppData\Local\Temp\XClient (1).exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Bitdefender Antivirus" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Bitdefender Antivirus" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe"
3⤵
- Creates scheduled task(s)
PID:5064

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:696

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk AutoCAD Update" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Word Host.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk AutoCAD Update" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Word Host.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:644

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1928

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3224

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4340

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2068

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4920

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2208

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4532

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4832

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2324

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:548

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4596

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4464

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:452

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:1916

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1236

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:4808

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3908

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:872

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jan44ndp.ej0.exe"' & exit
2⤵
PID:3900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jan44ndp.ej0.exe"'
3⤵
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jan44ndp.ej0.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jan44ndp.ej0.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3156

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jan44ndp.ej0Srv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jan44ndp.ej0Srv.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2328

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3596 CREDAT:17410 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:4648

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3676

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:4532

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1580

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:2704

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3928

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:3460

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4844

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:232

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4920

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:400

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4224

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:3844

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4660

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:4628

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:3180

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:2236

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1600

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:3976

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2160

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:3820

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3536

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:2252

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3212

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:384

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3460

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:4408

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vpht3fs0.i4c.exe"' & exit
2⤵
PID:900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vpht3fs0.i4c.exe"'
3⤵
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vpht3fs0.i4c.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vpht3fs0.i4c.exe"
4⤵
- Executes dropped EXE
PID:5068

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:3500

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3604

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:2160

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3924

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:2160

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3100

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:3624

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4084

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:3944

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4292

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:3876

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2580

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:2376

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4848

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
2⤵
PID:2476

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4b1fab58,0x7ffb4b1fab68,0x7ffb4b1fab78
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:2
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:8
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:8
2⤵
PID:3868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:1
2⤵
PID:3248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:1
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:8
2⤵
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:8
2⤵
PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:8
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:8
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4848 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:1
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=1956,i,14273240473382618330,5559810518878693336,131072 /prefetch:8
2⤵
- Loads dropped DLL
- Modifies registry class
PID:1744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x3d0
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
7d9c3b3acfd5d535cfff4d7bf8719056

SHA1
1a614354d2721320f162d11f901ee46127879a9c

SHA256
a573b638dc5bde59269fd62f2dcdba48b286b2f26ec07b3566098c60dfc8012e

SHA512
2db0a76f11010fd0c061c9c3c022c047bda81a25c102060b9bbbb29092c6469bb45a97f2d864eb285bdc1899c5cec905b67cb9d087b7acd9bd0d292cb9975303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
7b1b3db7dd187fed75f1971f7417c22b

SHA1
25803a5163cf01b9a12b36d9f881fe8b2a83c393

SHA256
a903e08a73086f6d22349bf2f137b7f2d5df755ea44d4d932aac1b018bc90314

SHA512
5567fac0140f0d56605e300119dbf875cec01633de9a298fb94ae5f0f291c310f1fd596da19105fbd08aaaa14200738e531316c4941263cfa6561da2c1e28a3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
5f3ae05050b977534044844084a62814

SHA1
0bc2e8b3d4f5c597aa9795c27e1c4104224242a7

SHA256
e7a075f6f86746ebf44e4910db734845209f243928aa5023aa75c78285391026

SHA512
605e5ccac85d16a43fa78fc3af8f3525bfa84e802823816812b71d3bf31905ee730ba7a713276843d3de823637b5aac7a6173b343997ed753231f17f6880f1bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7ebb7cc786b02ceab6fbec42c8992d40

SHA1
d7b9ab26f3f0f606b3ca8fd6ea84ad2b4aa0beb4

SHA256
da78db7221c4f50a9d6ed54dbd5f90def8a76c1b9b084fd81be480a28891cb6e

SHA512
ab392e32847832fac2072f736a4a72cf87ebc1efb1345a7b15581b28a90e7fe7743d81de66a3a2926105221d7f7d0e27481ee1cd65cc07261066d9ad7db09489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e521f975576ce7b0fd2c78f8af81af5e

SHA1
327a8dbb950f58769bd4ed77138c63fa70704be8

SHA256
31e4d1a33f8a685160b654c903c90a96f48b658521454cc4e6505c8907e55979

SHA512
3bab7f9c3df1d9873035fb9e9973be6323d59455d440b88729792a6ba6cbbfbbb57dc835d0fcd1cda5c8c182db6810ae1612a83c6c8edfd5d0adea4687284050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
d7767ce01059886dff900a902233e595

SHA1
a26f3506fdb3c8743a2de8244a5ce36c9549368e

SHA256
25ba46cf9b22f61d7a82960ea8e7388ba3cd85ce5a02d5f1976fc0cc9d8ccfe5

SHA512
49d7922f915fc8253a26f40d29ebc282f3037aad98ccc1072441fa445bbcd13e7f41e5a084fb3cb99894288a8f4cf3a593563833d6f4e317d5784eca625722d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
274KB

MD5
a6c62cb4976f4dbf41b1ab93370cc4f0

SHA1
24aaf70f5e910302f0c4b52956aaaf54567015f5

SHA256
49e8d93990ff4b079ba0498f152df52dfc9d706c6057d91cb12fbffc92c0ddb8

SHA512
c85813ae28629823a466f8a80054c20e4d31769694f699c2abac4290c119ebe1234a40495a8c8f4cbd867e7a61b1184830bf342d03af55f27519eab43b61b74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aer31lxs.mms.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD8A69363BB0C2656.TMP
Filesize
16KB

MD5
d73fc92f15c2f1cd52ce7f53a608494b

SHA1
f6ff5d811c4e49b56f00db6817fef2ea4a254e85

SHA256
f011aa9d577bc19078da6c038455dac640b0e0901a611752f3fd9ff6311ab1a8

SHA512
2eef39c6383e026e346ce31de906921e2f7e10fdb4e530bed3ad76f16e2bd8c894df9abf63e0650f0be0000a097f9d1cf6b4a86bd66d806e32f750617ab6b108

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jan44ndp.ej0.exe
Filesize
163KB

MD5
27d06a1dfc94073b72e19979b08a7b3f

SHA1
197579c745b81d1ffc7ea79269fd630eebcb7ead

SHA256
ddcd0e5afed1b0be5531e2836965a458144cab385250435471710c0e2d463f59

SHA512
6995dd0c1d45a7255699cddffe1bc888ad39aa6c8a791ea35ca3653701ee521ffbc54319775d316ce60e4740220fa7abfc64e93d15950d6018bc3b6757491443

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jan44ndp.ej0Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
\??\pipe\crashpad_4428_EFPLIXKAQIRLTXOQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2328-572-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3088-579-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3088-578-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3156-675-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3156-565-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3156-845-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3352-78-0x00007FFB50C63000-0x00007FFB50C65000-memory.dmp

Filesize
8KB

Download
memory/3352-75-0x000000001D8E0000-0x000000001D956000-memory.dmp

Filesize
472KB

Download
memory/3352-1-0x0000000000DE0000-0x0000000000E68000-memory.dmp

Filesize
544KB

Download
memory/3352-360-0x0000000001730000-0x000000000173A000-memory.dmp

Filesize
40KB

Download
memory/3352-235-0x00007FFB50C60000-0x00007FFB51721000-memory.dmp

Filesize
10.8MB

Download
memory/3352-172-0x000000001E890000-0x000000001E9D6000-memory.dmp

Filesize
1.3MB

Download
memory/3352-1373-0x0000000001620000-0x000000000162A000-memory.dmp

Filesize
40KB

Download
memory/3352-77-0x0000000003180000-0x000000000319E000-memory.dmp

Filesize
120KB

Download
memory/3352-76-0x00000000017C0000-0x00000000017CC000-memory.dmp

Filesize
48KB

Download
memory/3352-0-0x00007FFB50C63000-0x00007FFB50C65000-memory.dmp

Filesize
8KB

Download
memory/3352-17-0x00007FFB50C60000-0x00007FFB51721000-memory.dmp

Filesize
10.8MB

Download
memory/3352-545-0x0000000002FA0000-0x0000000002FAC000-memory.dmp

Filesize
48KB

Download
memory/5044-558-0x0000018FE08C0000-0x0000018FE08E2000-memory.dmp

Filesize
136KB

Download
memory/5068-1173-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/5068-1159-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/5068-1158-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/5068-1157-0x00000000007A0000-0x0000000000F00000-memory.dmp

Filesize
7.4MB

Download

pid	process
3156	jan44ndp.ej0.exe
2328	jan44ndp.ej0Srv.exe
3088	DesktopLayer.exe
5068	vpht3fs0.i4c.exe