8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
122s
max time network
152s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe
Size

18.0MB
MD5

b87558f9dafbbb8ec1101ea9cdfcd5bd
SHA1

78fdb6b2808a8797f00f5bf41f619f2620cc7600
SHA256

cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1
SHA512

c357bcc8f29869ab00abc7ebfde5325dc1df50a7c29381b73b1009eeb7ef7decd37b16b0c65dd33c92a2d919014bbd93f9e135dabf78080e9c584d662921f00c
SSDEEP

6144:tvcXK+rhXT2Ef5YTe6VlWT8b9qHVKIGJG3qVbgVSLh:VsFyEf5KPVle8oY1GT

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Documents\\xdwdMicrosoft Security Essentials.exe"	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Public\\Pictures\\xdwdRainmeter.exe"	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
48	pastebin.com
87	pastebin.com
106	pastebin.com
158	pastebin.com
172	pastebin.com
30	pastebin.com
112	pastebin.com
32	pastebin.com
42	pastebin.com
72	pastebin.com
145	pastebin.com
153	pastebin.com
4	pastebin.com
8	pastebin.com
23	pastebin.com
24	pastebin.com
61	pastebin.com
115	pastebin.com
138	pastebin.com
143	pastebin.com
12	pastebin.com
37	pastebin.com
58	pastebin.com
148	pastebin.com
171	pastebin.com
174	pastebin.com
18	pastebin.com
103	pastebin.com
159	pastebin.com
43	pastebin.com
69	pastebin.com
73	pastebin.com
82	pastebin.com
85	pastebin.com
86	pastebin.com
114	pastebin.com
20	pastebin.com
40	pastebin.com
62	pastebin.com
64	pastebin.com
67	pastebin.com
166	pastebin.com
10	pastebin.com
28	pastebin.com
90	pastebin.com
92	pastebin.com
133	pastebin.com
151	pastebin.com
163	pastebin.com
107	pastebin.com
108	pastebin.com
9	pastebin.com
45	pastebin.com
120	pastebin.com
131	pastebin.com
135	pastebin.com
156	pastebin.com
140	pastebin.com
147	pastebin.com
36	pastebin.com
74	pastebin.com
83	pastebin.com
105	pastebin.com
121	pastebin.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
2360	schtasks.exe
1536	schtasks.exe
1500	schtasks.exe
2476	schtasks.exe
1516	schtasks.exe
2064	schtasks.exe
1688	schtasks.exe
2608	schtasks.exe
2228	schtasks.exe
1112	schtasks.exe
1700	schtasks.exe
2984	schtasks.exe
2632	schtasks.exe
2892	schtasks.exe
2612	schtasks.exe
1484	schtasks.exe
2688	schtasks.exe
2064	schtasks.exe
1832	schtasks.exe
956	schtasks.exe
1040	schtasks.exe
3068	schtasks.exe
1848	schtasks.exe
2672	schtasks.exe
1716	schtasks.exe
1604	schtasks.exe
2724	schtasks.exe
3020	schtasks.exe
2888	schtasks.exe
352	schtasks.exe
2044	schtasks.exe
1740	schtasks.exe
2520	schtasks.exe
2672	schtasks.exe
2824	schtasks.exe
1584	schtasks.exe
2284	schtasks.exe
1832	schtasks.exe
1668	schtasks.exe
2636	schtasks.exe
2568	schtasks.exe
2988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	schtasks.exe
2916	CMD.exe
2824	schtasks.exe
1568	CMD.exe
352	schtasks.exe
2228	CMD.exe
2044	schtasks.exe
1096	CMD.exe
956	schtasks.exe
632	CMD.exe
1584	schtasks.exe
556	CMD.exe
2360	schtasks.exe
2428	CMD.exe
2984	schtasks.exe
2612	CMD.exe
2632	schtasks.exe
1856	CMD.exe
1716	schtasks.exe
340	CMD.exe
1740	schtasks.exe
1044	CMD.exe
1040	schtasks.exe
1140	CMD.exe
1604	schtasks.exe
2284	CMD.exe
1536	schtasks.exe
1076	CMD.exe
1500	schtasks.exe
1520	CMD.exe
2520	schtasks.exe
2740	CMD.exe
2892	schtasks.exe
1668	CMD.exe
2612	schtasks.exe
1712	CMD.exe
3068	schtasks.exe
2192	CMD.exe
1688	schtasks.exe
2224	CMD.exe
2568	schtasks.exe
1140	CMD.exe
2724	schtasks.exe
1464	CMD.exe
2476	schtasks.exe
812	CMD.exe
1484	schtasks.exe
1632	CMD.exe
2688	schtasks.exe
1888	CMD.exe
2608	schtasks.exe
2580	CMD.exe
2284	schtasks.exe
840	CMD.exe
1832	schtasks.exe
1268	CMD.exe
2064	schtasks.exe
948	CMD.exe
2228	schtasks.exe
1308	CMD.exe
1848	schtasks.exe
896	CMD.exe
3020	schtasks.exe
2004	CMD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2712	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	31
PID 1644 wrote to memory of 2712	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	31
PID 1644 wrote to memory of 2712	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	31
PID 2712 wrote to memory of 2792	2712	CMD.exe	33
PID 2712 wrote to memory of 2792	2712	CMD.exe	33
PID 2712 wrote to memory of 2792	2712	CMD.exe	33
PID 1644 wrote to memory of 1900	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	34
PID 1644 wrote to memory of 1900	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	34
PID 1644 wrote to memory of 1900	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	34
PID 1900 wrote to memory of 2672	1900	CMD.exe	36
PID 1900 wrote to memory of 2672	1900	CMD.exe	36
PID 1900 wrote to memory of 2672	1900	CMD.exe	36
PID 1644 wrote to memory of 2580	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	37
PID 1644 wrote to memory of 2580	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	37
PID 1644 wrote to memory of 2580	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	37
PID 2580 wrote to memory of 2636	2580	CMD.exe	39
PID 2580 wrote to memory of 2636	2580	CMD.exe	39
PID 2580 wrote to memory of 2636	2580	CMD.exe	39
PID 1644 wrote to memory of 2916	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	41
PID 1644 wrote to memory of 2916	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	41
PID 1644 wrote to memory of 2916	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	41
PID 2916 wrote to memory of 2824	2916	CMD.exe	43
PID 2916 wrote to memory of 2824	2916	CMD.exe	43
PID 2916 wrote to memory of 2824	2916	CMD.exe	43
PID 1644 wrote to memory of 1568	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	44
PID 1644 wrote to memory of 1568	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	44
PID 1644 wrote to memory of 1568	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	44
PID 1568 wrote to memory of 352	1568	CMD.exe	46
PID 1568 wrote to memory of 352	1568	CMD.exe	46
PID 1568 wrote to memory of 352	1568	CMD.exe	46
PID 1644 wrote to memory of 2228	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	47
PID 1644 wrote to memory of 2228	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	47
PID 1644 wrote to memory of 2228	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	47
PID 2228 wrote to memory of 2044	2228	CMD.exe	49
PID 2228 wrote to memory of 2044	2228	CMD.exe	49
PID 2228 wrote to memory of 2044	2228	CMD.exe	49
PID 1644 wrote to memory of 1096	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	50
PID 1644 wrote to memory of 1096	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	50
PID 1644 wrote to memory of 1096	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	50
PID 1096 wrote to memory of 956	1096	CMD.exe	52
PID 1096 wrote to memory of 956	1096	CMD.exe	52
PID 1096 wrote to memory of 956	1096	CMD.exe	52
PID 1644 wrote to memory of 632	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	53
PID 1644 wrote to memory of 632	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	53
PID 1644 wrote to memory of 632	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	53
PID 632 wrote to memory of 1584	632	CMD.exe	55
PID 632 wrote to memory of 1584	632	CMD.exe	55
PID 632 wrote to memory of 1584	632	CMD.exe	55
PID 1644 wrote to memory of 556	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	56
PID 1644 wrote to memory of 556	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	56
PID 1644 wrote to memory of 556	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	56
PID 556 wrote to memory of 2360	556	CMD.exe	58
PID 556 wrote to memory of 2360	556	CMD.exe	58
PID 556 wrote to memory of 2360	556	CMD.exe	58
PID 1644 wrote to memory of 2428	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	59
PID 1644 wrote to memory of 2428	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	59
PID 1644 wrote to memory of 2428	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	59
PID 2428 wrote to memory of 2984	2428	CMD.exe	61
PID 2428 wrote to memory of 2984	2428	CMD.exe	61
PID 2428 wrote to memory of 2984	2428	CMD.exe	61
PID 1644 wrote to memory of 2612	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	62
PID 1644 wrote to memory of 2612	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	62
PID 1644 wrote to memory of 2612	1644	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	62
PID 2612 wrote to memory of 2632	2612	CMD.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe
"C:\Users\Admin\AppData\Local\Temp\cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2672
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2636
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:352
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:956
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1584
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2360
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2632
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1856
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1716
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:340
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1040
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1604
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1536
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1500
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2520
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2892
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1688
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2568
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2476
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:812
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1484
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2688
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1888
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2608
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2580
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2284
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:840
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1832
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2064
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:948
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2228
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1308
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1848
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:896
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3020
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1516
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:844
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2888
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2924
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2672
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2276
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1668
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2956
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1832
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:992
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2064
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2568
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1112
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1876
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1700
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:988
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/340-354-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/352-95-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/556-229-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/632-200-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/812-775-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/840-898-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/896-1026-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/948-968-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/956-161-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/1040-390-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1044-392-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1076-487-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/1096-162-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/1140-419-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/1140-711-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1268-930-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/1308-996-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/1464-738-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/1484-774-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1500-486-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/1516-1057-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/1520-514-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1536-454-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1568-96-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/1584-198-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1604-418-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/1632-807-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/1644-109-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/1644-42-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-2-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/1644-1-0x00000000011F0000-0x000000000124A000-memory.dmp

Filesize
360KB

Download
memory/1668-583-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1688-646-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1712-610-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/1716-326-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1740-353-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/1832-897-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1848-994-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/1856-327-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/1888-834-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2044-128-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2064-929-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/2192-648-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2224-674-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/2228-966-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2228-129-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2284-865-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/2284-455-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2360-227-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2428-263-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2476-737-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/2520-513-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2568-673-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/2580-866-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/2608-833-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2612-290-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2612-580-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2632-289-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2636-41-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2688-806-0x000007FEF6DC0000-0x000007FEF6DE2000-memory.dmp

Filesize
136KB

Download
memory/2724-710-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/2740-546-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/2824-62-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2892-545-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download
memory/2916-64-0x0000000077060000-0x0000000077209000-memory.dmp

Filesize
1.7MB

Download
memory/2916-63-0x000007FEF6820000-0x000007FEF6842000-memory.dmp

Filesize
136KB

Download
memory/2916-61-0x00000000770B1000-0x00000000770B2000-memory.dmp

Filesize
4KB

Download
memory/2916-142-0x0000000077060000-0x0000000077209000-memory.dmp

Filesize
1.7MB

Download
memory/2984-262-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/3020-1025-0x000007FEF6F10000-0x000007FEF6F32000-memory.dmp

Filesize
136KB

Download
memory/3068-609-0x000007FEF6870000-0x000007FEF6892000-memory.dmp

Filesize
136KB

Download