Overview

overview

10

Static

static

3

Nursultan 3.0.exe

windows10-1703-x64

1

Nursultan 3.0.exe

windows7-x64

10

Nursultan 3.0.exe

windows10-2004-x64

10

Nursultan 3.0.exe

windows11-21h2-x64

10

Nursultan 3.0.exe

macos-10.15-amd64

4

Resubmissions

25-07-2024 14:37

240725-rzbyvatfmn 10

25-07-2024 14:37

240725-ry8lesxarg 10

25-07-2024 14:37

240725-ry4mgaxarb 10

25-07-2024 14:36

240725-ryx5paxaqd 10

25-07-2024 14:36

240725-rytr9stfkj 10

25-07-2024 14:36

240725-ryqqlstfjq 10

25-07-2024 14:36

240725-rymc7axand 10

25-07-2024 14:35

240725-rydfaaterk 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2024 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nursultan 3.0.exe

  • Size

    347KB

  • MD5

    3500fc8f168c23e6170117e6b779ed52

  • SHA1

    0109abb6ff102e3b8f17bfac07f599d787af8663

  • SHA256

    ed2be8c7b8aa15f1e3bc399b9aaadbdbb16374e0be30d0200d4f39998f1f25a8

  • SHA512

    3d1e2600f1e2b077ab24ed017dee2313f14b34a7c193d8db19a93bb3cc6cd95b620b50c2ab300e958afbeea1fa1d133758664282f60b97b583d748baf056e85f

  • SSDEEP

    6144:igpFNojFilyzigCEcL6hl9he6VlWT8b9G3T8JUKvDbwmb0h6XW:T8Ri4h3hPVle84AWcIeXW

Score
10/10
credential_accesspersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 43 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan 3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan 3.0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Discord" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Discord" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2060
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2508
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Oracle VirtualBox" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdMicrosoft Project.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "Oracle VirtualBox" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdMicrosoft Project.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1980
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1112
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2096
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1392
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1868
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2216
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2704
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2668
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1880
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
        PID:1072
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1480
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
        2⤵
          PID:1648
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2352
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
          2⤵
            PID:772
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1808
          • C:\Windows\system32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
            2⤵
              PID:2288
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2888
            • C:\Windows\system32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
              2⤵
                PID:1968
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                  3⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2228
              • C:\Windows\system32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                2⤵
                  PID:1700
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2696
                • C:\Windows\system32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                  2⤵
                    PID:2576
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:2616
                  • C:\Windows\system32\CMD.exe
                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                    2⤵
                      PID:2996
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                        3⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1088
                    • C:\Windows\system32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                      2⤵
                        PID:2612
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                          3⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2776
                      • C:\Windows\system32\CMD.exe
                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                        2⤵
                          PID:2316
                          • C:\Windows\system32\schtasks.exe
                            SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                            3⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:2176
                        • C:\Windows\system32\CMD.exe
                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                          2⤵
                            PID:1872
                            • C:\Windows\system32\schtasks.exe
                              SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                              3⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:1392
                          • C:\Windows\system32\CMD.exe
                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                            2⤵
                              PID:1796
                              • C:\Windows\system32\schtasks.exe
                                SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                3⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:2312
                            • C:\Windows\system32\CMD.exe
                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                              2⤵
                                PID:3048
                                • C:\Windows\system32\schtasks.exe
                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                  3⤵
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1956
                              • C:\Windows\system32\CMD.exe
                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                2⤵
                                  PID:2444
                                  • C:\Windows\system32\schtasks.exe
                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                    3⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:300
                                • C:\Windows\system32\CMD.exe
                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                  2⤵
                                    PID:2564
                                    • C:\Windows\system32\schtasks.exe
                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                      3⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2668
                                  • C:\Windows\system32\CMD.exe
                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                    2⤵
                                      PID:1460
                                      • C:\Windows\system32\schtasks.exe
                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                        3⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2376
                                    • C:\Windows\system32\CMD.exe
                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                      2⤵
                                        PID:752
                                        • C:\Windows\system32\schtasks.exe
                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                          3⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1476
                                      • C:\Windows\system32\CMD.exe
                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                        2⤵
                                          PID:768
                                          • C:\Windows\system32\schtasks.exe
                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                            3⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1932
                                        • C:\Windows\system32\CMD.exe
                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                          2⤵
                                            PID:2120
                                            • C:\Windows\system32\schtasks.exe
                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                              3⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1852
                                          • C:\Windows\system32\CMD.exe
                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                            2⤵
                                              PID:1184
                                              • C:\Windows\system32\schtasks.exe
                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                3⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1600
                                            • C:\Windows\system32\CMD.exe
                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                              2⤵
                                                PID:2288
                                                • C:\Windows\system32\schtasks.exe
                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                  3⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1056
                                              • C:\Windows\system32\CMD.exe
                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                2⤵
                                                  PID:1496
                                                  • C:\Windows\system32\schtasks.exe
                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                    3⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2408
                                                • C:\Windows\system32\CMD.exe
                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                  2⤵
                                                    PID:2504
                                                    • C:\Windows\system32\schtasks.exe
                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                      3⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2300
                                                  • C:\Windows\system32\CMD.exe
                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                    2⤵
                                                      PID:2668
                                                      • C:\Windows\system32\schtasks.exe
                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                        3⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2592
                                                    • C:\Windows\system32\CMD.exe
                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                      2⤵
                                                        PID:2376
                                                        • C:\Windows\system32\schtasks.exe
                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                          3⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2820
                                                      • C:\Windows\system32\CMD.exe
                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                        2⤵
                                                          PID:2648
                                                          • C:\Windows\system32\schtasks.exe
                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                            3⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2892
                                                        • C:\Windows\system32\CMD.exe
                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                          2⤵
                                                            PID:2160
                                                            • C:\Windows\system32\schtasks.exe
                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                              3⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:1160
                                                          • C:\Windows\system32\CMD.exe
                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                            2⤵
                                                              PID:1736
                                                              • C:\Windows\system32\schtasks.exe
                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                                3⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:904
                                                            • C:\Windows\system32\CMD.exe
                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                              2⤵
                                                                PID:1600
                                                                • C:\Windows\system32\schtasks.exe
                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                                  3⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1712
                                                              • C:\Windows\system32\CMD.exe
                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                                2⤵
                                                                  PID:2484
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                                    3⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1332
                                                                • C:\Windows\system32\CMD.exe
                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                                  2⤵
                                                                    PID:2292
                                                                    • C:\Windows\system32\schtasks.exe
                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                                      3⤵
                                                                      • Scheduled Task/Job: Scheduled Task
                                                                      PID:1744
                                                                  • C:\Windows\system32\CMD.exe
                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
                                                                    2⤵
                                                                      PID:1700
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
                                                                        3⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:1452
                                                                  • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                    C:\Windows\system32\wbem\WmiApSrv.exe
                                                                    1⤵
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:2640

                                                                  Network

                                                                  MITRE ATT&CK Enterprise v15

                                                                  Reconnaissance

                                                                  Resource Development

                                                                  Initial Access

                                                                  Execution

                                                                  Scheduled Task/Job

                                                                  1
                                                                  T1053

                                                                  Scheduled Task

                                                                  1
                                                                  T1053.005

                                                                  Persistence

                                                                  Boot or Logon Autostart Execution

                                                                  2
                                                                  T1547

                                                                  Registry Run Keys / Startup Folder

                                                                  1
                                                                  T1547.001

                                                                  Winlogon Helper DLL

                                                                  1
                                                                  T1547.004

                                                                  Event Triggered Execution

                                                                  1
                                                                  T1546

                                                                  AppInit DLLs

                                                                  1
                                                                  T1546.010

                                                                  Scheduled Task/Job

                                                                  1
                                                                  T1053

                                                                  Scheduled Task

                                                                  1
                                                                  T1053.005

                                                                  Privilege Escalation

                                                                  Boot or Logon Autostart Execution

                                                                  2
                                                                  T1547

                                                                  Registry Run Keys / Startup Folder

                                                                  1
                                                                  T1547.001

                                                                  Winlogon Helper DLL

                                                                  1
                                                                  T1547.004

                                                                  Event Triggered Execution

                                                                  1
                                                                  T1546

                                                                  AppInit DLLs

                                                                  1
                                                                  T1546.010

                                                                  Scheduled Task/Job

                                                                  1
                                                                  T1053

                                                                  Scheduled Task

                                                                  1
                                                                  T1053.005

                                                                  Defense Evasion

                                                                  Modify Registry

                                                                  2
                                                                  T1112

                                                                  Credential Access

                                                                  Credentials from Password Stores

                                                                  1
                                                                  T1555

                                                                  Windows Credential Manager

                                                                  1
                                                                  T1555.004

                                                                  Unsecured Credentials

                                                                  1
                                                                  T1552

                                                                  Credentials In Files

                                                                  1
                                                                  T1552.001

                                                                  Discovery

                                                                  Query Registry

                                                                  1
                                                                  T1012

                                                                  Lateral Movement

                                                                  Collection

                                                                  Data from Local System

                                                                  1
                                                                  T1005

                                                                  Command and Control

                                                                  Exfiltration

                                                                  Impact

                                                                  Replay Monitor

                                                                  Loading Replay Monitor...

                                                                  Downloads

                                                                  • C:\Windows\xdwd.dll
                                                                    Filesize

                                                                    136KB

                                                                    MD5

                                                                    16e5a492c9c6ae34c59683be9c51fa31

                                                                    SHA1

                                                                    97031b41f5c56f371c28ae0d62a2df7d585adaba

                                                                    SHA256

                                                                    35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                                                                    SHA512

                                                                    20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                                                                    Download Submit

                                                                  • memory/300-738-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/752-835-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/768-872-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/772-386-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1056-962-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1072-322-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1088-546-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1112-64-0x000007FEFA740000-0x000007FEFA762000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1160-100-0x000007FEF6660000-0x000007FEF6682000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1184-936-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1392-642-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1392-131-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1460-804-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1476-834-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1480-321-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1496-995-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1520-166-0x000007FEF5A50000-0x000007FEF5A72000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1596-0-0x000007FEF4F13000-0x000007FEF4F14000-memory.dmp

                                                                    Filesize

                                                                    4KB

                                                                    Download

                                                                  • memory/1596-76-0x000007FEF4F13000-0x000007FEF4F14000-memory.dmp

                                                                    Filesize

                                                                    4KB

                                                                    Download

                                                                  • memory/1596-1-0x0000000000C40000-0x0000000000C9C000-memory.dmp

                                                                    Filesize

                                                                    368KB

                                                                    Download

                                                                  • memory/1596-52-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

                                                                    Filesize

                                                                    9.9MB

                                                                    Download

                                                                  • memory/1596-109-0x00000000004D0000-0x00000000004DC000-memory.dmp

                                                                    Filesize

                                                                    48KB

                                                                    Download

                                                                  • memory/1596-270-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

                                                                    Filesize

                                                                    9.9MB

                                                                    Download

                                                                  • memory/1600-132-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1600-935-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1648-359-0x000007FEF5A50000-0x000007FEF5A72000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1696-230-0x000007FEF5A50000-0x000007FEF5A72000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1700-486-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1796-680-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1808-385-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1852-898-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1868-165-0x000007FEF5A50000-0x000007FEF5A72000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1872-643-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1880-288-0x000007FEF5A50000-0x000007FEF5A72000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1932-871-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1956-706-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/1968-455-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2096-97-0x000007FEF6660000-0x000007FEF6682000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2120-899-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2176-610-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2216-192-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2228-450-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2288-423-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2288-963-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2300-1026-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2312-675-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2316-611-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2352-354-0x000007FEF5A50000-0x000007FEF5A72000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2376-802-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2408-994-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2444-744-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2504-1027-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2564-771-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2576-515-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2592-1063-0x000007FEF6CC0000-0x000007FEF6CE2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2592-257-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2612-579-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2616-514-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2640-75-0x000007FEF2070000-0x000007FEF2092000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2668-256-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2668-770-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2696-482-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2704-229-0x000007FEF5A50000-0x000007FEF5A72000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2776-578-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2788-67-0x0000000076FC0000-0x0000000077169000-memory.dmp

                                                                    Filesize

                                                                    1.7MB

                                                                    Download

                                                                  • memory/2788-65-0x000007FEFA740000-0x000007FEFA762000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2788-63-0x0000000077011000-0x0000000077012000-memory.dmp

                                                                    Filesize

                                                                    4KB

                                                                    Download

                                                                  • memory/2888-422-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2996-547-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/3012-289-0x000007FEF5A50000-0x000007FEF5A72000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/3032-193-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/3048-707-0x000007FEF6640000-0x000007FEF6662000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download