5e807de88a43edb7b341ed17b4e218f35c3204bf5dc969c131792b0a23e9ddc1

Analysis

max time kernel
150s
max time network
161s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe
Size

563KB
MD5

2b846d776f1a6fbe1ec811a245da8143
SHA1

ecc293b1fc5be7e85f69f423817dbbcb090d76c2
SHA256

e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0
SHA512

ea5640d2abf98c22415b443ea1debb71bc218c8f02ae1f86444d57e0ca524b04158c6e91f0ea3b80b4fddc1687d77c954e4f6f7f6bf533774a17e1f642beaa56
SSDEEP

6144:+mLrULcs2P7uZA3j41e6VlWT8b9EheZw/uzQ7Ozl449NYI0VxWRbX12Vvz:3+N8+1PVle8RZB4OY1Wr

Score

10^/10

credential_access persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Videos\\xdwdSpybot - Search & Destroy.exe"	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\xdwdUnreal Engine.exe"	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
544	schtasks.exe
2216	schtasks.exe
268	schtasks.exe
1716	schtasks.exe
1228	schtasks.exe
2512	schtasks.exe
1456	schtasks.exe
2288	schtasks.exe
852	schtasks.exe
2536	schtasks.exe
3040	schtasks.exe
2388	schtasks.exe
1732	schtasks.exe
2540	schtasks.exe
1404	schtasks.exe
2788	schtasks.exe
2012	schtasks.exe
1244	schtasks.exe
2992	schtasks.exe
944	schtasks.exe
1344	schtasks.exe
1084	schtasks.exe
2696	schtasks.exe
944	schtasks.exe
1152	schtasks.exe
2588	schtasks.exe
2764	schtasks.exe
1500	schtasks.exe
1056	schtasks.exe
1756	schtasks.exe
2456	schtasks.exe
2700	schtasks.exe
1944	schtasks.exe
1900	schtasks.exe
1540	schtasks.exe
2588	schtasks.exe
2732	schtasks.exe
2864	schtasks.exe
376	schtasks.exe
2120	schtasks.exe
2224	schtasks.exe
916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	schtasks.exe
2464	CMD.exe
1732	schtasks.exe
1644	CMD.exe
944	schtasks.exe
3004	CMD.exe
1228	schtasks.exe
2364	CMD.exe
916	schtasks.exe
1588	CMD.exe
1056	schtasks.exe
2972	CMD.exe
1756	schtasks.exe
2020	CMD.exe
2732	schtasks.exe
2648	CMD.exe
2588	schtasks.exe
1508	CMD.exe
2512	schtasks.exe
2332	CMD.exe
1404	schtasks.exe
772	CMD.exe
2864	schtasks.exe
1340	CMD.exe
376	schtasks.exe
2232	CMD.exe
1456	schtasks.exe
2408	CMD.exe
2456	schtasks.exe
2212	CMD.exe
2788	schtasks.exe
2724	CMD.exe
2700	schtasks.exe
3012	CMD.exe
2288	schtasks.exe
1968	CMD.exe
544	schtasks.exe
2860	CMD.exe
852	schtasks.exe
924	CMD.exe
1944	schtasks.exe
2712	CMD.exe
1344	schtasks.exe
2976	CMD.exe
2120	schtasks.exe
1612	CMD.exe
2216	schtasks.exe
2832	CMD.exe
1084	schtasks.exe
2668	CMD.exe
2536	schtasks.exe
592	CMD.exe
2012	schtasks.exe
1624	CMD.exe
1244	schtasks.exe
2392	CMD.exe
268	schtasks.exe
2916	CMD.exe
2224	schtasks.exe
2364	CMD.exe
3040	schtasks.exe
980	CMD.exe
1900	schtasks.exe
2684	CMD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2668	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	32
PID 1792 wrote to memory of 2668	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	32
PID 1792 wrote to memory of 2668	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	32
PID 2668 wrote to memory of 2388	2668	CMD.exe	34
PID 2668 wrote to memory of 2388	2668	CMD.exe	34
PID 2668 wrote to memory of 2388	2668	CMD.exe	34
PID 1792 wrote to memory of 2752	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	35
PID 1792 wrote to memory of 2752	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	35
PID 1792 wrote to memory of 2752	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	35
PID 2752 wrote to memory of 2588	2752	CMD.exe	37
PID 2752 wrote to memory of 2588	2752	CMD.exe	37
PID 2752 wrote to memory of 2588	2752	CMD.exe	37
PID 1792 wrote to memory of 1060	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	38
PID 1792 wrote to memory of 1060	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	38
PID 1792 wrote to memory of 1060	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	38
PID 1060 wrote to memory of 2540	1060	CMD.exe	40
PID 1060 wrote to memory of 2540	1060	CMD.exe	40
PID 1060 wrote to memory of 2540	1060	CMD.exe	40
PID 1792 wrote to memory of 2464	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	41
PID 1792 wrote to memory of 2464	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	41
PID 1792 wrote to memory of 2464	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	41
PID 2464 wrote to memory of 1732	2464	CMD.exe	43
PID 2464 wrote to memory of 1732	2464	CMD.exe	43
PID 2464 wrote to memory of 1732	2464	CMD.exe	43
PID 1792 wrote to memory of 1644	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	44
PID 1792 wrote to memory of 1644	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	44
PID 1792 wrote to memory of 1644	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	44
PID 1644 wrote to memory of 944	1644	CMD.exe	46
PID 1644 wrote to memory of 944	1644	CMD.exe	46
PID 1644 wrote to memory of 944	1644	CMD.exe	46
PID 1792 wrote to memory of 3004	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	47
PID 1792 wrote to memory of 3004	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	47
PID 1792 wrote to memory of 3004	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	47
PID 3004 wrote to memory of 1228	3004	CMD.exe	49
PID 3004 wrote to memory of 1228	3004	CMD.exe	49
PID 3004 wrote to memory of 1228	3004	CMD.exe	49
PID 1792 wrote to memory of 2364	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	50
PID 1792 wrote to memory of 2364	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	50
PID 1792 wrote to memory of 2364	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	50
PID 2364 wrote to memory of 916	2364	CMD.exe	52
PID 2364 wrote to memory of 916	2364	CMD.exe	52
PID 2364 wrote to memory of 916	2364	CMD.exe	52
PID 1792 wrote to memory of 1588	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	53
PID 1792 wrote to memory of 1588	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	53
PID 1792 wrote to memory of 1588	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	53
PID 1588 wrote to memory of 1056	1588	CMD.exe	55
PID 1588 wrote to memory of 1056	1588	CMD.exe	55
PID 1588 wrote to memory of 1056	1588	CMD.exe	55
PID 1792 wrote to memory of 2972	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	56
PID 1792 wrote to memory of 2972	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	56
PID 1792 wrote to memory of 2972	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	56
PID 2972 wrote to memory of 1756	2972	CMD.exe	58
PID 2972 wrote to memory of 1756	2972	CMD.exe	58
PID 2972 wrote to memory of 1756	2972	CMD.exe	58
PID 1792 wrote to memory of 2020	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	59
PID 1792 wrote to memory of 2020	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	59
PID 1792 wrote to memory of 2020	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	59
PID 2020 wrote to memory of 2732	2020	CMD.exe	61
PID 2020 wrote to memory of 2732	2020	CMD.exe	61
PID 2020 wrote to memory of 2732	2020	CMD.exe	61
PID 1792 wrote to memory of 2648	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	62
PID 1792 wrote to memory of 2648	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	62
PID 1792 wrote to memory of 2648	1792	e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe	62
PID 2648 wrote to memory of 2588	2648	CMD.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe
"C:\Users\Admin\AppData\Local\Temp\e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Project" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Project" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2388
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2588
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\Admin\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\Admin\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1732
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:944
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1228
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:916
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1056
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1756
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2732
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2588
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2512
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1404
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:376
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1456
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2788
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2700
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2288
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:544
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:852
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:924
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1944
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1344
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2120
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2216
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2832
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1084
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2536
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:592
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2012
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1244
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2392
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:268
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3040
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:980
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1900
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2764
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  PID:1492
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2696
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  PID:2708
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2992
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  PID:2012
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1500
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  PID:752
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:944
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  PID:2632
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1152
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  PID:756
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1716
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST & exit
  2⤵
  PID:2112
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\Admin\Videos\xdwdSpybot - Search & Destroy.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/268-930-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/376-417-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/544-617-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/592-866-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/772-392-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/852-646-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/916-161-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/924-680-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/944-97-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/980-1031-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/1056-193-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/1084-802-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/1228-129-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/1244-900-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/1340-420-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/1344-710-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/1404-353-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/1456-449-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/1508-322-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/1588-194-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/1612-775-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/1624-903-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/1644-101-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/1732-65-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/1756-226-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/1792-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/1792-78-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1792-42-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1792-2-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/1792-1-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/1900-1030-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/1944-679-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/1968-618-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2012-865-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2020-258-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/2120-738-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2212-515-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2216-774-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2224-966-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2232-455-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2288-577-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2332-355-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2364-167-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2364-994-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2392-931-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2408-484-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2456-481-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2464-67-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/2464-71-0x0000000077490000-0x0000000077639000-memory.dmp

Filesize
1.7MB

Download
memory/2464-61-0x00000000774E1000-0x00000000774E2000-memory.dmp

Filesize
4KB

Download
memory/2464-63-0x0000000077490000-0x0000000077639000-memory.dmp

Filesize
1.7MB

Download
memory/2512-321-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/2536-838-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2540-41-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2588-294-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2648-295-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2668-839-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2700-545-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2712-711-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2724-546-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2732-257-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/2764-1057-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2788-513-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2832-803-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2860-647-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2864-391-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/2916-968-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/2972-229-0x000007FEFA8F0000-0x000007FEFA912000-memory.dmp

Filesize
136KB

Download
memory/2976-739-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/3004-130-0x000007FEF66B0000-0x000007FEF66D2000-memory.dmp

Filesize
136KB

Download
memory/3012-578-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download
memory/3040-993-0x000007FEF6A20000-0x000007FEF6A42000-memory.dmp

Filesize
136KB

Download