f08d555b265bc840ef4d7904f37de7886b276d3b2f85180bb63b0e29445e02b1

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe
Size

563KB
MD5

9d134d599e0c51fa5bb43572c9f01f58
SHA1

3783aa19e6a211eb295ea5148aa13853cf32ab7a
SHA256

c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee
SHA512

bae3246910321639519ca513b52c566424ab7a483cbd7cefd5c65b6483b188bf3b1495748ea67de9cae27862bb33d786e3b8979c3c5eb9682a154b64ca49f2fe
SSDEEP

6144:B3L2ItqTVSkKIufce6VlWT8b99ixkBg+1emkVUgaOMbNz390W:VLBHZI7PVle8XiYgDjCF95

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Program Files\\xdwdTrello Host.exe"	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\cheat.exe = "C:\\Users\\Admin\\Documents\\xdwdSpybot - Search & Destroy.exe"	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\xdwdTrello Host.exe	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe
File opened for modification	C:\Program Files\xdwdTrello Host.exe	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 44 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2280	schtasks.exe
1992	schtasks.exe
1668	schtasks.exe
2044	schtasks.exe
1928	schtasks.exe
2080	schtasks.exe
608	schtasks.exe
2928	schtasks.exe
2188	schtasks.exe
236	schtasks.exe
1968	schtasks.exe
808	schtasks.exe
2972	schtasks.exe
1904	schtasks.exe
2336	schtasks.exe
2836	schtasks.exe
2124	schtasks.exe
2416	schtasks.exe
2180	schtasks.exe
812	schtasks.exe
1516	schtasks.exe
1972	schtasks.exe
2092	schtasks.exe
2396	schtasks.exe
1840	schtasks.exe
2284	schtasks.exe
1528	schtasks.exe
2016	schtasks.exe
924	schtasks.exe
1452	schtasks.exe
1804	schtasks.exe
580	schtasks.exe
1304	schtasks.exe
2596	schtasks.exe
1168	schtasks.exe
2308	schtasks.exe
484	schtasks.exe
2804	schtasks.exe
1452	schtasks.exe
2968	schtasks.exe
264	schtasks.exe
2856	schtasks.exe
556	schtasks.exe
2456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	CMD.exe
2280	schtasks.exe
2276	CMD.exe
580	schtasks.exe
436	CMD.exe
2188	schtasks.exe
1956	CMD.exe
1972	schtasks.exe
908	CMD.exe
1992	schtasks.exe
1676	CMD.exe
2968	schtasks.exe
2728	CMD.exe
2224	CMD.exe
2016	schtasks.exe
2832	CMD.exe
2092	schtasks.exe
2936	CMD.exe
264	schtasks.exe
2232	CMD.exe
2396	schtasks.exe
836	CMD.exe
808	schtasks.exe
2496	CMD.exe
1840	schtasks.exe
2076	CMD.exe
1668	schtasks.exe
2052	CMD.exe
1304	schtasks.exe
2756	CMD.exe
2972	schtasks.exe
2096	CMD.exe
2596	schtasks.exe
2120	CMD.exe
2284	schtasks.exe
1472	CMD.exe
1904	schtasks.exe
1624	CMD.exe
1168	schtasks.exe
1316	CMD.exe
2336	schtasks.exe
2204	CMD.exe
2308	schtasks.exe
2820	CMD.exe
484	schtasks.exe
1080	CMD.exe
236	schtasks.exe
2332	CMD.exe
2836	schtasks.exe
2904	CMD.exe
924	schtasks.exe
2800	CMD.exe
1452	schtasks.exe
1212	CMD.exe
2856	schtasks.exe
2616	CMD.exe
2044	schtasks.exe
688	CMD.exe
1928	schtasks.exe
2084	CMD.exe
2080	schtasks.exe
1768	CMD.exe
2456	schtasks.exe
1268	CMD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2252	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	31
PID 2380 wrote to memory of 2252	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	31
PID 2380 wrote to memory of 2252	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	31
PID 2252 wrote to memory of 2928	2252	CMD.exe	33
PID 2252 wrote to memory of 2928	2252	CMD.exe	33
PID 2252 wrote to memory of 2928	2252	CMD.exe	33
PID 2380 wrote to memory of 2840	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	34
PID 2380 wrote to memory of 2840	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	34
PID 2380 wrote to memory of 2840	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	34
PID 2840 wrote to memory of 812	2840	CMD.exe	36
PID 2840 wrote to memory of 812	2840	CMD.exe	36
PID 2840 wrote to memory of 812	2840	CMD.exe	36
PID 2380 wrote to memory of 2492	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	37
PID 2380 wrote to memory of 2492	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	37
PID 2380 wrote to memory of 2492	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	37
PID 2492 wrote to memory of 1516	2492	CMD.exe	39
PID 2492 wrote to memory of 1516	2492	CMD.exe	39
PID 2492 wrote to memory of 1516	2492	CMD.exe	39
PID 2380 wrote to memory of 2552	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	40
PID 2380 wrote to memory of 2552	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	40
PID 2380 wrote to memory of 2552	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	40
PID 2552 wrote to memory of 2280	2552	CMD.exe	42
PID 2552 wrote to memory of 2280	2552	CMD.exe	42
PID 2552 wrote to memory of 2280	2552	CMD.exe	42
PID 2380 wrote to memory of 2276	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	43
PID 2380 wrote to memory of 2276	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	43
PID 2380 wrote to memory of 2276	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	43
PID 2276 wrote to memory of 580	2276	CMD.exe	45
PID 2276 wrote to memory of 580	2276	CMD.exe	45
PID 2276 wrote to memory of 580	2276	CMD.exe	45
PID 2380 wrote to memory of 436	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	46
PID 2380 wrote to memory of 436	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	46
PID 2380 wrote to memory of 436	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	46
PID 436 wrote to memory of 2188	436	CMD.exe	48
PID 436 wrote to memory of 2188	436	CMD.exe	48
PID 436 wrote to memory of 2188	436	CMD.exe	48
PID 2380 wrote to memory of 1956	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	49
PID 2380 wrote to memory of 1956	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	49
PID 2380 wrote to memory of 1956	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	49
PID 1956 wrote to memory of 1972	1956	CMD.exe	51
PID 1956 wrote to memory of 1972	1956	CMD.exe	51
PID 1956 wrote to memory of 1972	1956	CMD.exe	51
PID 2380 wrote to memory of 908	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	52
PID 2380 wrote to memory of 908	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	52
PID 2380 wrote to memory of 908	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	52
PID 908 wrote to memory of 1992	908	CMD.exe	54
PID 908 wrote to memory of 1992	908	CMD.exe	54
PID 908 wrote to memory of 1992	908	CMD.exe	54
PID 2380 wrote to memory of 1676	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	55
PID 2380 wrote to memory of 1676	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	55
PID 2380 wrote to memory of 1676	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	55
PID 1676 wrote to memory of 2968	1676	CMD.exe	57
PID 1676 wrote to memory of 2968	1676	CMD.exe	57
PID 1676 wrote to memory of 2968	1676	CMD.exe	57
PID 2380 wrote to memory of 2728	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	58
PID 2380 wrote to memory of 2728	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	58
PID 2380 wrote to memory of 2728	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	58
PID 2728 wrote to memory of 556	2728	CMD.exe	60
PID 2728 wrote to memory of 556	2728	CMD.exe	60
PID 2728 wrote to memory of 556	2728	CMD.exe	60
PID 2380 wrote to memory of 2224	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	61
PID 2380 wrote to memory of 2224	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	61
PID 2380 wrote to memory of 2224	2380	c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe	61
PID 2224 wrote to memory of 2016	2224	CMD.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe
"C:\Users\Admin\AppData\Local\Temp\c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Program Files\xdwdTrello Host.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Program Files\xdwdTrello Host.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2928
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:812
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\Documents\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\Documents\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1516
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2280
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:580
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2188
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1972
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1992
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2968
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:556
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2016
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2832
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2092
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:264
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2396
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:836
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:808
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2496
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1668
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1304
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2972
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2596
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2284
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1168
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1316
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2336
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2308
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:484
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:236
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2836
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:924
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1452
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2856
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1928
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2080
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2124
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  PID:576
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1968
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2260
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2804
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2780
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1452
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1164
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1804
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2056
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2416
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1924
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2180
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2360
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1528
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1116
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Program Files\xdwdTrello Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/236-710-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/264-318-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/436-122-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/484-682-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/556-234-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/580-92-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/688-879-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/808-374-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/836-375-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/908-179-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/924-766-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1080-711-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1168-598-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1212-823-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1304-458-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/1316-627-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1452-794-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1472-571-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1624-599-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1668-430-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1676-207-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1768-935-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1840-402-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/1904-570-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1928-878-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1956-149-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1972-148-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/1992-178-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2016-262-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2044-850-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2052-459-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2076-431-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2080-906-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2084-907-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2092-290-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2096-515-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2120-543-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2188-121-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2204-654-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2224-263-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2232-347-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2276-93-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2280-63-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2284-542-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2308-652-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2332-739-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2336-626-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2380-94-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-2-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2380-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000B10000-0x0000000000BA4000-memory.dmp

Filesize
592KB

Download
memory/2380-34-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-344-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2456-934-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2496-403-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2552-64-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2552-123-0x0000000077BE0000-0x0000000077D89000-memory.dmp

Filesize
1.7MB

Download
memory/2552-62-0x0000000077C31000-0x0000000077C32000-memory.dmp

Filesize
4KB

Download
memory/2552-65-0x0000000077BE0000-0x0000000077D89000-memory.dmp

Filesize
1.7MB

Download
memory/2596-514-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2616-851-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2728-235-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2756-485-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2800-795-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2820-683-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2832-291-0x000007FEF7E90000-0x000007FEF7EB2000-memory.dmp

Filesize
136KB

Download
memory/2836-738-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2856-822-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2904-767-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2936-319-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2968-206-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download
memory/2972-484-0x000007FEF7E60000-0x000007FEF7E82000-memory.dmp

Filesize
136KB

Download