7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe
Size

218.5MB
MD5

d86b4e05d449d68ae457d3bf780eb2ab
SHA1

eb7e026cb99fa53ed05e7814497910b67140cda0
SHA256

3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4
SHA512

b3d9f94429cfeabd616a4624589a1da05d5e3b33244b92d49bdc0345a50cbea524b37d2305c93e4c381cf8f03214b3844f4cc2a56d7f7ea68fb3a1f21fcb1318
SSDEEP

6144:tvcXK+rhXT2Ef5YTe6VlWT8b9qHVKIGJG3qVbgVSLh:VsFyEf5KPVle8oY1GT

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Documents\\xdwdMicrosoft Security Essentials.exe"	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Public\\Pictures\\xdwdRainmeter.exe"	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
104	pastebin.com
50	pastebin.com
141	pastebin.com
151	pastebin.com
179	pastebin.com
33	pastebin.com
67	pastebin.com
74	pastebin.com
91	pastebin.com
109	pastebin.com
47	pastebin.com
113	pastebin.com
152	pastebin.com
169	pastebin.com
5	pastebin.com
87	pastebin.com
89	pastebin.com
129	pastebin.com
131	pastebin.com
144	pastebin.com
149	pastebin.com
30	pastebin.com
38	pastebin.com
132	pastebin.com
143	pastebin.com
164	pastebin.com
46	pastebin.com
78	pastebin.com
120	pastebin.com
20	pastebin.com
23	pastebin.com
53	pastebin.com
70	pastebin.com
84	pastebin.com
105	pastebin.com
128	pastebin.com
163	pastebin.com
27	pastebin.com
111	pastebin.com
127	pastebin.com
161	pastebin.com
10	pastebin.com
59	pastebin.com
75	pastebin.com
162	pastebin.com
167	pastebin.com
170	pastebin.com
19	pastebin.com
65	pastebin.com
39	pastebin.com
6	pastebin.com
18	pastebin.com
150	pastebin.com
154	pastebin.com
178	pastebin.com
42	pastebin.com
117	pastebin.com
123	pastebin.com
8	pastebin.com
22	pastebin.com
28	pastebin.com
88	pastebin.com
135	pastebin.com
160	pastebin.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
596	schtasks.exe
1960	schtasks.exe
1004	schtasks.exe
2120	schtasks.exe
856	schtasks.exe
1028	schtasks.exe
2408	schtasks.exe
276	schtasks.exe
1388	schtasks.exe
2520	schtasks.exe
2824	schtasks.exe
2612	schtasks.exe
2664	schtasks.exe
2896	schtasks.exe
1012	schtasks.exe
2292	schtasks.exe
856	schtasks.exe
380	schtasks.exe
2476	schtasks.exe
916	schtasks.exe
1896	schtasks.exe
1616	schtasks.exe
828	schtasks.exe
2620	schtasks.exe
2156	schtasks.exe
2152	schtasks.exe
1264	schtasks.exe
2940	schtasks.exe
1748	schtasks.exe
2384	schtasks.exe
2900	schtasks.exe
2504	schtasks.exe
1784	schtasks.exe
2948	schtasks.exe
2892	schtasks.exe
2564	schtasks.exe
2452	schtasks.exe
2536	schtasks.exe
1428	schtasks.exe
1912	schtasks.exe
1000	schtasks.exe
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	CMD.exe
1428	schtasks.exe
1900	CMD.exe
276	schtasks.exe
2948	CMD.exe
1912	schtasks.exe
1440	CMD.exe
2384	schtasks.exe
1272	CMD.exe
2156	schtasks.exe
2984	CMD.exe
380	schtasks.exe
1968	CMD.exe
2476	schtasks.exe
3056	CMD.exe
1388	schtasks.exe
2888	CMD.exe
2900	schtasks.exe
1616	CMD.exe
856	schtasks.exe
2640	CMD.exe
1748	schtasks.exe
2304	CMD.exe
2408	schtasks.exe
944	CMD.exe
916	schtasks.exe
2012	CMD.exe
2504	schtasks.exe
792	CMD.exe
2520	schtasks.exe
2152	CMD.exe
1784	schtasks.exe
2356	CMD.exe
2824	schtasks.exe
1188	CMD.exe
2612	schtasks.exe
2880	CMD.exe
596	schtasks.exe
704	CMD.exe
2948	schtasks.exe
1536	CMD.exe
1000	schtasks.exe
1448	CMD.exe
1896	schtasks.exe
2472	CMD.exe
1012	schtasks.exe
1232	CMD.exe
2292	schtasks.exe
2060	CMD.exe
2152	schtasks.exe
2500	CMD.exe
2892	schtasks.exe
644	CMD.exe
1616	schtasks.exe
2816	CMD.exe
2532	schtasks.exe
2104	CMD.exe
1960	schtasks.exe
1000	CMD.exe
1004	schtasks.exe
2684	CMD.exe
828	schtasks.exe
1012	CMD.exe
2452	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1600	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	32
PID 2680 wrote to memory of 1600	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	32
PID 2680 wrote to memory of 1600	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	32
PID 1600 wrote to memory of 2564	1600	CMD.exe	34
PID 1600 wrote to memory of 2564	1600	CMD.exe	34
PID 1600 wrote to memory of 2564	1600	CMD.exe	34
PID 2680 wrote to memory of 1908	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	35
PID 2680 wrote to memory of 1908	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	35
PID 2680 wrote to memory of 1908	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	35
PID 1908 wrote to memory of 2896	1908	CMD.exe	37
PID 1908 wrote to memory of 2896	1908	CMD.exe	37
PID 1908 wrote to memory of 2896	1908	CMD.exe	37
PID 2680 wrote to memory of 2240	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	38
PID 2680 wrote to memory of 2240	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	38
PID 2680 wrote to memory of 2240	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	38
PID 2240 wrote to memory of 1428	2240	CMD.exe	40
PID 2240 wrote to memory of 1428	2240	CMD.exe	40
PID 2240 wrote to memory of 1428	2240	CMD.exe	40
PID 2680 wrote to memory of 1900	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	41
PID 2680 wrote to memory of 1900	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	41
PID 2680 wrote to memory of 1900	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	41
PID 1900 wrote to memory of 276	1900	CMD.exe	43
PID 1900 wrote to memory of 276	1900	CMD.exe	43
PID 1900 wrote to memory of 276	1900	CMD.exe	43
PID 2680 wrote to memory of 2948	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	44
PID 2680 wrote to memory of 2948	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	44
PID 2680 wrote to memory of 2948	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	44
PID 2948 wrote to memory of 1912	2948	CMD.exe	46
PID 2948 wrote to memory of 1912	2948	CMD.exe	46
PID 2948 wrote to memory of 1912	2948	CMD.exe	46
PID 2680 wrote to memory of 1440	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	47
PID 2680 wrote to memory of 1440	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	47
PID 2680 wrote to memory of 1440	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	47
PID 1440 wrote to memory of 2384	1440	CMD.exe	49
PID 1440 wrote to memory of 2384	1440	CMD.exe	49
PID 1440 wrote to memory of 2384	1440	CMD.exe	49
PID 2680 wrote to memory of 1272	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	50
PID 2680 wrote to memory of 1272	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	50
PID 2680 wrote to memory of 1272	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	50
PID 1272 wrote to memory of 2156	1272	CMD.exe	52
PID 1272 wrote to memory of 2156	1272	CMD.exe	52
PID 1272 wrote to memory of 2156	1272	CMD.exe	52
PID 2680 wrote to memory of 2984	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	53
PID 2680 wrote to memory of 2984	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	53
PID 2680 wrote to memory of 2984	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	53
PID 2984 wrote to memory of 380	2984	CMD.exe	55
PID 2984 wrote to memory of 380	2984	CMD.exe	55
PID 2984 wrote to memory of 380	2984	CMD.exe	55
PID 2680 wrote to memory of 1968	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	56
PID 2680 wrote to memory of 1968	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	56
PID 2680 wrote to memory of 1968	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	56
PID 1968 wrote to memory of 2476	1968	CMD.exe	58
PID 1968 wrote to memory of 2476	1968	CMD.exe	58
PID 1968 wrote to memory of 2476	1968	CMD.exe	58
PID 2680 wrote to memory of 3056	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	59
PID 2680 wrote to memory of 3056	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	59
PID 2680 wrote to memory of 3056	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	59
PID 3056 wrote to memory of 1388	3056	CMD.exe	61
PID 3056 wrote to memory of 1388	3056	CMD.exe	61
PID 3056 wrote to memory of 1388	3056	CMD.exe	61
PID 2680 wrote to memory of 2888	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	62
PID 2680 wrote to memory of 2888	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	62
PID 2680 wrote to memory of 2888	2680	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	62
PID 2888 wrote to memory of 2900	2888	CMD.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe
"C:\Users\Admin\AppData\Local\Temp\3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2564
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2896
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1428
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:276
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1912
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2384
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2156
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:380
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2476
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1388
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2900
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:856
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1748
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2408
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:916
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2504
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:792
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2520
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1784
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:596
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:704
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2948
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1000
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1896
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1012
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2292
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2152
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2892
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:644
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1616
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2816
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2532
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1960
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1004
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:828
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2016
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2120
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2840
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2664
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2908
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1264
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1624
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:856
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1748
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2536
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2096
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2940
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2516
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2620
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:376
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/276-73-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/380-201-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/596-619-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/644-876-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/704-647-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/792-487-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/828-998-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/856-330-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/916-422-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/944-423-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/1000-967-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1000-683-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1004-966-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1012-742-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1012-1031-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1188-588-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1232-775-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1272-167-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/1388-262-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/1428-44-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/1428-46-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/1428-45-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/1440-135-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/1448-711-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1536-684-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1616-870-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1616-332-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/1748-358-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/1784-523-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1896-710-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1900-67-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/1900-75-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/1900-74-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/1912-102-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/1960-939-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/1968-231-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2012-455-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2060-812-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2104-940-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2152-808-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2152-524-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2156-166-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2240-48-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2240-43-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2240-47-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2240-42-0x00000000775E1000-0x00000000775E2000-memory.dmp

Filesize
4KB

Download
memory/2292-774-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2304-391-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/2356-551-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2384-134-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/2408-390-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/2452-1030-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2472-748-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2476-230-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2500-839-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2504-454-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2520-486-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2532-902-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2612-587-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2640-359-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2680-80-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-1-0x0000000000EE0000-0x0000000000F3A000-memory.dmp

Filesize
360KB

Download
memory/2680-2-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2680-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2680-20-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-1001-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2816-903-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2824-550-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2880-620-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2888-295-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2892-838-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2900-294-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2948-103-0x000007FEFA9F0000-0x000007FEFAA12000-memory.dmp

Filesize
136KB

Download
memory/2948-646-0x000007FEF8030000-0x000007FEF8052000-memory.dmp

Filesize
136KB

Download
memory/2984-204-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download
memory/3056-268-0x000007FEF7FD0000-0x000007FEF7FF2000-memory.dmp

Filesize
136KB

Download