300c2f8d161a87eb3824f5a2d07d35149d2a5df9af1965b06f41cdf5bdf7c538

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraV3.exe
Size

10.9MB
MD5

0dbd97ccfcc12bb2afc685628233b84c
SHA1

37b1f356ce34ab5cf6dcf341ec93734aae0acdec
SHA256

300c2f8d161a87eb3824f5a2d07d35149d2a5df9af1965b06f41cdf5bdf7c538
SHA512

22e40f1e6f851e7ebfecbff0db07eb1b57fd9cd9efdf03acf248d5280e2ea09b58c507b02008d24ef4c625428a8b2701f72d7c37691ffc94239f7a7287174d4f
SSDEEP

196608:Eczw0gUNG1JqVaGui0DerER8+kmd0BDZa/I7gNeu17PKkjKOe4aXp7NrT:9p1GvqVb0BkTBDAgkNeiukjKZBpVT

Score

10^/10

credential_access execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdTrello Host.exe"	Clientr.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2548	powershell.exe
2892	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 3 IoCs

pid	Process
2872	Clientr.exe
2932	Fixer.exe
1868	Fixer.exe

Loads dropped DLL 3 IoCs

pid	Process
2260	SolaraV3.exe
2932	Fixer.exe
1868	Fixer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fixer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fixer.exe"	SolaraV3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Admin\\AppData\\Roaming\\xdwdSpybot - Search & Destroy.exe"	Clientr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Clientr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Clientr.exe"	SolaraV3.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a404-76.dat	upx
behavioral1/memory/1868-78-0x000007FEF2020000-0x000007FEF2608000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Clientr.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a000000016ace-27.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 40 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2848	schtasks.exe
1172	schtasks.exe
2096	schtasks.exe
1716	schtasks.exe
2636	schtasks.exe
1012	schtasks.exe
2696	schtasks.exe
1504	schtasks.exe
1604	schtasks.exe
1900	schtasks.exe
3060	schtasks.exe
1812	schtasks.exe
2056	schtasks.exe
2320	schtasks.exe
3048	schtasks.exe
2456	schtasks.exe
2572	schtasks.exe
2776	schtasks.exe
1288	schtasks.exe
2636	schtasks.exe
2776	schtasks.exe
1744	schtasks.exe
1720	schtasks.exe
2124	schtasks.exe
2672	schtasks.exe
1348	schtasks.exe
2044	schtasks.exe
1148	schtasks.exe
1596	schtasks.exe
2912	schtasks.exe
1948	schtasks.exe
3000	schtasks.exe
2660	schtasks.exe
1648	schtasks.exe
2464	schtasks.exe
2112	schtasks.exe
1284	schtasks.exe
1064	schtasks.exe
2700	schtasks.exe
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	powershell.exe
2892	powershell.exe
2872	Clientr.exe
3060	CMD.exe
1148	schtasks.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
1744	WmiApSrv.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
1412	CMD.exe
2320	schtasks.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
1952	CMD.exe
1596	schtasks.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2016	CMD.exe
2912	schtasks.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe
2872	Clientr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2872	Clientr.exe
Token: SeDebugPrivilege	2892	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2548	2260	SolaraV3.exe	31
PID 2260 wrote to memory of 2548	2260	SolaraV3.exe	31
PID 2260 wrote to memory of 2548	2260	SolaraV3.exe	31
PID 2260 wrote to memory of 2872	2260	SolaraV3.exe	33
PID 2260 wrote to memory of 2872	2260	SolaraV3.exe	33
PID 2260 wrote to memory of 2872	2260	SolaraV3.exe	33
PID 2260 wrote to memory of 2892	2260	SolaraV3.exe	34
PID 2260 wrote to memory of 2892	2260	SolaraV3.exe	34
PID 2260 wrote to memory of 2892	2260	SolaraV3.exe	34
PID 2260 wrote to memory of 2932	2260	SolaraV3.exe	37
PID 2260 wrote to memory of 2932	2260	SolaraV3.exe	37
PID 2260 wrote to memory of 2932	2260	SolaraV3.exe	37
PID 2932 wrote to memory of 1868	2932	Fixer.exe	38
PID 2932 wrote to memory of 1868	2932	Fixer.exe	38
PID 2932 wrote to memory of 1868	2932	Fixer.exe	38
PID 2872 wrote to memory of 1920	2872	Clientr.exe	39
PID 2872 wrote to memory of 1920	2872	Clientr.exe	39
PID 2872 wrote to memory of 1920	2872	Clientr.exe	39
PID 1920 wrote to memory of 1284	1920	CMD.exe	41
PID 1920 wrote to memory of 1284	1920	CMD.exe	41
PID 1920 wrote to memory of 1284	1920	CMD.exe	41
PID 2872 wrote to memory of 1972	2872	Clientr.exe	42
PID 2872 wrote to memory of 1972	2872	Clientr.exe	42
PID 2872 wrote to memory of 1972	2872	Clientr.exe	42
PID 1972 wrote to memory of 1504	1972	CMD.exe	44
PID 1972 wrote to memory of 1504	1972	CMD.exe	44
PID 1972 wrote to memory of 1504	1972	CMD.exe	44
PID 2872 wrote to memory of 2056	2872	Clientr.exe	45
PID 2872 wrote to memory of 2056	2872	Clientr.exe	45
PID 2872 wrote to memory of 2056	2872	Clientr.exe	45
PID 2056 wrote to memory of 2096	2056	CMD.exe	47
PID 2056 wrote to memory of 2096	2056	CMD.exe	47
PID 2056 wrote to memory of 2096	2056	CMD.exe	47
PID 2872 wrote to memory of 3060	2872	Clientr.exe	48
PID 2872 wrote to memory of 3060	2872	Clientr.exe	48
PID 2872 wrote to memory of 3060	2872	Clientr.exe	48
PID 3060 wrote to memory of 1148	3060	CMD.exe	50
PID 3060 wrote to memory of 1148	3060	CMD.exe	50
PID 3060 wrote to memory of 1148	3060	CMD.exe	50
PID 2872 wrote to memory of 1412	2872	Clientr.exe	52
PID 2872 wrote to memory of 1412	2872	Clientr.exe	52
PID 2872 wrote to memory of 1412	2872	Clientr.exe	52
PID 1412 wrote to memory of 2320	1412	CMD.exe	54
PID 1412 wrote to memory of 2320	1412	CMD.exe	54
PID 1412 wrote to memory of 2320	1412	CMD.exe	54
PID 2872 wrote to memory of 1952	2872	Clientr.exe	55
PID 2872 wrote to memory of 1952	2872	Clientr.exe	55
PID 2872 wrote to memory of 1952	2872	Clientr.exe	55
PID 1952 wrote to memory of 1596	1952	CMD.exe	57
PID 1952 wrote to memory of 1596	1952	CMD.exe	57
PID 1952 wrote to memory of 1596	1952	CMD.exe	57
PID 2872 wrote to memory of 2016	2872	Clientr.exe	58
PID 2872 wrote to memory of 2016	2872	Clientr.exe	58
PID 2872 wrote to memory of 2016	2872	Clientr.exe	58
PID 2016 wrote to memory of 2912	2016	CMD.exe	60
PID 2016 wrote to memory of 2912	2016	CMD.exe	60
PID 2016 wrote to memory of 2912	2016	CMD.exe	60
PID 2872 wrote to memory of 2724	2872	Clientr.exe	61
PID 2872 wrote to memory of 2724	2872	Clientr.exe	61
PID 2872 wrote to memory of 2724	2872	Clientr.exe	61
PID 2724 wrote to memory of 2124	2724	CMD.exe	63
PID 2724 wrote to memory of 2124	2724	CMD.exe	63
PID 2724 wrote to memory of 2124	2724	CMD.exe	63
PID 2872 wrote to memory of 2600	2872	Clientr.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraV3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Clientr.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\Clientr.exe
  "C:\Users\Admin\AppData\Local\Temp\Clientr.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "nigger" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "nigger" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1284
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1504
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\AppData\Roaming\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\AppData\Roaming\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2096
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:1148
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:2320
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:1596
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:2912
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2124
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2600
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3000
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2836
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2636
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1896
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2660
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1504
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1064
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:972
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1716
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1524
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2700
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1360
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1604
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2036
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2776
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:3012
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2672
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2088
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1648
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1916
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1948
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2204
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1900
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:936
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1348
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1800
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3060
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1060
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2044
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:672
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3048
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:916
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2456
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2824
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2744
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:3012
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2112
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2804
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2636
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2796
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2572
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2988
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1812
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1920
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2056
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1644
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1744
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1232
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1012
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:804
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1720
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2000
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2776
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1192
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2696
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2576
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2464
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2840
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2848
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:1408
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1288
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST & exit
    3⤵
    PID:2024
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\xdwdTrello Host.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Fixer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\Fixer.exe
  "C:\Users\Admin\AppData\Local\Temp\Fixer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\Fixer.exe
    "C:\Users\Admin\AppData\Local\Temp\Fixer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Clientr.exe

Filesize
563KB

MD5
aa5bed1e2284e846ddda8cd938bab8cc

SHA1
aee23cef726c77a02545eec11605d182ff680ae0

SHA256
4ab7e28f21444b63c66cfb13e8e758c1f50e05a90edf88674be37c41948cb036

SHA512
b8aac8ea2c3c8088afd0ccb18a3332af0c03d3c8cf3244db6818c7e5361bee59a2c0e5ddf65966bf1e7cfcb9d6692c9cde479e374557f5f71cf69439907a4864

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fixer.exe

Filesize
15.8MB

MD5
cec3477be8a4ac213854c0eadf736370

SHA1
41458ecaa2cfc5852ffe1d1cebccc5064ec7f17d

SHA256
3f57bc232c64ea56d75a31c837cb2ae9aa9791ec2ecd9822158738bea987bdf4

SHA512
15aaee50aa988e2df1e80b75a341057482368a63833a0f51486c77ac5f3821f1f425f3608522abf8f22ff778bb16054b04a97f3842d020aaeef194677b36385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29322\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5f13275c802007b6d5af8c55c4497345

SHA1
433f050d366fcd073944df576281f0c363161ce7

SHA256
20cc392b4c0ac07bc13515de125156a0f8072442cb6ef2d51f59435efd444511

SHA512
64010d471b0e47c2eb2ae96e08b4208cad787d23d6ecaa7a8084e2ed4e22b453f713ea94cfb0e3d409b0e5b2f1bf2edd408bc65a8e2389bf6b0248cf16197f7c

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/672-712-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/916-740-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/936-627-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/972-399-0x000007FEF1D90000-0x000007FEF1DB2000-memory.dmp

Filesize
136KB

Download
memory/1060-682-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/1064-368-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/1148-141-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

Filesize
136KB

Download
memory/1348-626-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/1360-456-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/1412-172-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/1504-369-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/1524-428-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/1596-198-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/1604-455-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/1648-539-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/1716-398-0x000007FEF1D90000-0x000007FEF1DB2000-memory.dmp

Filesize
136KB

Download
memory/1744-144-0x000007FEF1BB0000-0x000007FEF1BD2000-memory.dmp

Filesize
136KB

Download
memory/1800-655-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/1812-879-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/1868-78-0x000007FEF2020000-0x000007FEF2608000-memory.dmp

Filesize
5.9MB

Download
memory/1896-343-0x000007FEF1D90000-0x000007FEF1DB2000-memory.dmp

Filesize
136KB

Download
memory/1900-598-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/1916-570-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/1948-569-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/1952-199-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/2016-229-0x000007FEF1D90000-0x000007FEF1DB2000-memory.dmp

Filesize
136KB

Download
memory/2036-483-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2044-681-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2088-540-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2112-796-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2124-257-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/2204-599-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2260-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x0000000000F20000-0x0000000001A14000-memory.dmp

Filesize
11.0MB

Download
memory/2320-171-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2456-739-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2548-6-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2548-8-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2548-7-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2572-851-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2600-286-0x000007FEF1D90000-0x000007FEF1DB2000-memory.dmp

Filesize
136KB

Download
memory/2636-310-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/2636-824-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2660-342-0x000007FEF1D90000-0x000007FEF1DB2000-memory.dmp

Filesize
136KB

Download
memory/2672-513-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2700-427-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2724-258-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/2744-768-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2776-482-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2796-852-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2804-825-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2824-769-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/2836-311-0x000007FEF1F00000-0x000007FEF1F22000-memory.dmp

Filesize
136KB

Download
memory/2872-14-0x0000000000CC0000-0x0000000000D52000-memory.dmp

Filesize
584KB

Download
memory/2872-173-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2892-20-0x000000001B400000-0x000000001B6E2000-memory.dmp

Filesize
2.9MB

Download
memory/2892-21-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/2912-228-0x000007FEF1D90000-0x000007FEF1DB2000-memory.dmp

Filesize
136KB

Download
memory/3000-285-0x000007FEF1D90000-0x000007FEF1DB2000-memory.dmp

Filesize
136KB

Download
memory/3012-797-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/3012-514-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/3048-711-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download
memory/3060-142-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

Filesize
136KB

Download
memory/3060-654-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

Filesize
136KB

Download