salatstealer | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

453d8a70001855e0de88f95920eecd22.exe
Size

3.7MB
MD5

453d8a70001855e0de88f95920eecd22
SHA1

01aeba5a239a5bec4a1028343d48692a5f75794b
SHA256

099ac5c59d32074a1883ef3f4e17796c1244b20f6ca311446062f493f80c8997
SHA512

e7b601043fdc65eb4667865fc55928ef0eb4e5693eb6cb1e1203a9351a44d18209ce652afb2ed86e0806a28d53bdbcc0f7687897b678600362d3d3460d73fe9a
SSDEEP

98304:WdLdnDeAr4fRH/o+2y90A+KyuqvkmNBNMWEUVH:Wdcq4ZfoltAiHvRmWZ

Score

10^/10

salatstealer discovery persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Detect SalatStealer payload 1 IoCs

resource	yara_rule
behavioral27/memory/2028-31-0x0000000001210000-0x0000000001D8D000-memory.dmp	family_salatstealer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\xdwdUnity.exe"	ElysiumExeFree 1.exe

Salatstealer family
salatstealer
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 3 IoCs

pid	Process
1268	ElysiumExeFree.exe
2028	cooocli.exe
2468	ElysiumExeFree 1.exe

Loads dropped DLL 5 IoCs

pid	Process
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Program Files\\xdwdPutty.exe"	ElysiumExeFree 1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral27/files/0x00080000000146e3-17.dat	upx
behavioral27/memory/2028-20-0x0000000001210000-0x0000000001D8D000-memory.dmp	upx
behavioral27/memory/2028-31-0x0000000001210000-0x0000000001D8D000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\xdwdPutty.exe	ElysiumExeFree 1.exe
File opened for modification	C:\Program Files\xdwdPutty.exe	ElysiumExeFree 1.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	ElysiumExeFree 1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1788	1268	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ElysiumExeFree.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
1044	schtasks.exe
2804	schtasks.exe
1708	schtasks.exe
2184	schtasks.exe
2592	schtasks.exe
2128	schtasks.exe
2444	schtasks.exe
2844	schtasks.exe
2160	schtasks.exe
1684	schtasks.exe
2868	schtasks.exe
2080	schtasks.exe
1488	schtasks.exe
1496	schtasks.exe
1948	schtasks.exe
2284	schtasks.exe
2304	schtasks.exe
1280	schtasks.exe
840	schtasks.exe
1072	schtasks.exe
2596	schtasks.exe
2604	schtasks.exe
2676	schtasks.exe
1480	schtasks.exe
2716	schtasks.exe
2768	schtasks.exe
1956	schtasks.exe
2344	schtasks.exe
2020	schtasks.exe
2788	schtasks.exe
1560	schtasks.exe
664	schtasks.exe
1612	schtasks.exe
1008	schtasks.exe
768	schtasks.exe
2312	schtasks.exe
2508	schtasks.exe
2640	schtasks.exe
2820	schtasks.exe
2880	schtasks.exe
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	CMD.exe
2784	schtasks.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2788	CMD.exe
1496	schtasks.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2324	CMD.exe
2128	schtasks.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
1120	CMD.exe
2468	ElysiumExeFree 1.exe
768	schtasks.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe
2468	ElysiumExeFree 1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	ElysiumExeFree 1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1268	2456	453d8a70001855e0de88f95920eecd22.exe	28
PID 2456 wrote to memory of 1268	2456	453d8a70001855e0de88f95920eecd22.exe	28
PID 2456 wrote to memory of 1268	2456	453d8a70001855e0de88f95920eecd22.exe	28
PID 2456 wrote to memory of 1268	2456	453d8a70001855e0de88f95920eecd22.exe	28
PID 2456 wrote to memory of 2028	2456	453d8a70001855e0de88f95920eecd22.exe	30
PID 2456 wrote to memory of 2028	2456	453d8a70001855e0de88f95920eecd22.exe	30
PID 2456 wrote to memory of 2028	2456	453d8a70001855e0de88f95920eecd22.exe	30
PID 2456 wrote to memory of 2028	2456	453d8a70001855e0de88f95920eecd22.exe	30
PID 2456 wrote to memory of 2468	2456	453d8a70001855e0de88f95920eecd22.exe	31
PID 2456 wrote to memory of 2468	2456	453d8a70001855e0de88f95920eecd22.exe	31
PID 2456 wrote to memory of 2468	2456	453d8a70001855e0de88f95920eecd22.exe	31
PID 1268 wrote to memory of 1788	1268	ElysiumExeFree.exe	32
PID 1268 wrote to memory of 1788	1268	ElysiumExeFree.exe	32
PID 1268 wrote to memory of 1788	1268	ElysiumExeFree.exe	32
PID 1268 wrote to memory of 1788	1268	ElysiumExeFree.exe	32
PID 2468 wrote to memory of 2552	2468	ElysiumExeFree 1.exe	36
PID 2468 wrote to memory of 2552	2468	ElysiumExeFree 1.exe	36
PID 2468 wrote to memory of 2552	2468	ElysiumExeFree 1.exe	36
PID 2552 wrote to memory of 2604	2552	CMD.exe	38
PID 2552 wrote to memory of 2604	2552	CMD.exe	38
PID 2552 wrote to memory of 2604	2552	CMD.exe	38
PID 2468 wrote to memory of 532	2468	ElysiumExeFree 1.exe	39
PID 2468 wrote to memory of 532	2468	ElysiumExeFree 1.exe	39
PID 2468 wrote to memory of 532	2468	ElysiumExeFree 1.exe	39
PID 532 wrote to memory of 2880	532	CMD.exe	41
PID 532 wrote to memory of 2880	532	CMD.exe	41
PID 532 wrote to memory of 2880	532	CMD.exe	41
PID 2468 wrote to memory of 1908	2468	ElysiumExeFree 1.exe	129
PID 2468 wrote to memory of 1908	2468	ElysiumExeFree 1.exe	129
PID 2468 wrote to memory of 1908	2468	ElysiumExeFree 1.exe	129
PID 1908 wrote to memory of 2784	1908	CMD.exe	44
PID 1908 wrote to memory of 2784	1908	CMD.exe	44
PID 1908 wrote to memory of 2784	1908	CMD.exe	44
PID 2468 wrote to memory of 2788	2468	ElysiumExeFree 1.exe	74
PID 2468 wrote to memory of 2788	2468	ElysiumExeFree 1.exe	74
PID 2468 wrote to memory of 2788	2468	ElysiumExeFree 1.exe	74
PID 2788 wrote to memory of 1496	2788	CMD.exe	47
PID 2788 wrote to memory of 1496	2788	CMD.exe	47
PID 2788 wrote to memory of 1496	2788	CMD.exe	47
PID 2468 wrote to memory of 2324	2468	ElysiumExeFree 1.exe	48
PID 2468 wrote to memory of 2324	2468	ElysiumExeFree 1.exe	48
PID 2468 wrote to memory of 2324	2468	ElysiumExeFree 1.exe	48
PID 2324 wrote to memory of 2128	2324	CMD.exe	50
PID 2324 wrote to memory of 2128	2324	CMD.exe	50
PID 2324 wrote to memory of 2128	2324	CMD.exe	50
PID 2468 wrote to memory of 1120	2468	ElysiumExeFree 1.exe	51
PID 2468 wrote to memory of 1120	2468	ElysiumExeFree 1.exe	51
PID 2468 wrote to memory of 1120	2468	ElysiumExeFree 1.exe	51
PID 1120 wrote to memory of 768	1120	CMD.exe	53
PID 1120 wrote to memory of 768	1120	CMD.exe	53
PID 1120 wrote to memory of 768	1120	CMD.exe	53
PID 2468 wrote to memory of 1520	2468	ElysiumExeFree 1.exe	54
PID 2468 wrote to memory of 1520	2468	ElysiumExeFree 1.exe	54
PID 2468 wrote to memory of 1520	2468	ElysiumExeFree 1.exe	54
PID 1520 wrote to memory of 1948	1520	CMD.exe	56
PID 1520 wrote to memory of 1948	1520	CMD.exe	56
PID 1520 wrote to memory of 1948	1520	CMD.exe	56
PID 2468 wrote to memory of 2100	2468	ElysiumExeFree 1.exe	57
PID 2468 wrote to memory of 2100	2468	ElysiumExeFree 1.exe	57
PID 2468 wrote to memory of 2100	2468	ElysiumExeFree 1.exe	57
PID 2100 wrote to memory of 2444	2100	CMD.exe	59
PID 2100 wrote to memory of 2444	2100	CMD.exe	59
PID 2100 wrote to memory of 2444	2100	CMD.exe	59
PID 2468 wrote to memory of 1680	2468	ElysiumExeFree 1.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\453d8a70001855e0de88f95920eecd22.exe
"C:\Users\Admin\AppData\Local\Temp\453d8a70001855e0de88f95920eecd22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree.exe
  "C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 544
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1788
- C:\Users\Admin\AppData\Local\Temp\cooocli.exe
  "C:\Users\Admin\AppData\Local\Temp\cooocli.exe"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree 1.exe
  "C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree 1.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2604
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2880
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Bitdefender Antivirus" /tr "C:\Program Files\xdwdPutty.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "Bitdefender Antivirus" /tr "C:\Program Files\xdwdPutty.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:2784
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:1496
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:2128
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      Suspicious behavior: EnumeratesProcesses
      PID:768
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1948
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2444
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1680
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2284
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:3020
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2844
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2724
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2676
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2792
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2868
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:112
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2788
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:3028
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2312
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1952
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2160
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1848
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1044
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2968
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2432
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2384
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1560
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2856
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2080
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2276
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2804
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2548
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:664
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1676
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1708
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2912
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2304
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2644
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2508
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1780
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1480
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2656
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1684
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1884
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1280
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1568
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:840
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2392
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2184
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2608
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2716
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1672
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2768
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1908
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1488
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2064
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2592
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2288
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1956
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1352
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1612
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2492
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1072
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2532
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2344
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1680
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2640
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2708
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1008
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2672
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2596
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1640
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2820
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1784
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1169666409570083421-13852679191496851819-10928922639935206811462953542108470010"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13081037241077817901100245679-1594219943-692947259-14693573255883389411754060166"
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree 1.exe

Filesize
464KB

MD5
e4b6094cd35d97423d00e3c683acafca

SHA1
8b8cb21a52ac2cbdee9692c170422dbf8f5bd170

SHA256
f4c28ca0c118da99941869afcaa5459820991cba54ffb9ff16bdf1a24c930eb5

SHA512
9a3150d6d48a67fc95963f72119fe54b7ddf6a2aacfc7dca668f28abb10ee99a8d6d15775140a372041e42d370c62c71c546ff92de7d93057d84c6dea0640ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree.exe

Filesize
335KB

MD5
f5786a239cc582cd4b8fb73308431398

SHA1
5e04df1cc0b1faac15184d29103c30b857334ecf

SHA256
494d94e2e8290c2222be743b777afc5e50cbd80b93966fa768ab54bdc75bf9b8

SHA512
9c440692d852457b49a19bc0add646a47c2bf5616b2daeff6eee285605a8cb5d46b08b5d219b5442f3bf7330a87312c8e4d4543db45af1a0cc9b1ad9a7456f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooocli.exe

Filesize
3.1MB

MD5
f27ed810a051a5b4793789303e045e54

SHA1
798a26f92fb041b85d56c9c86ba39eac1586f5bb

SHA256
a0fdd5875161ea259febd8ea6a366e0caf5b39d65000ad7305915fe972b0e973

SHA512
586eb39314ffb846bd8d4f6fbcd33b0e87a79ed57d615153923400507c94c9489a0e0f67d4f71c53aa4ccfd979c13d5c71a88742eb9ecab2b9711a185c3909d9

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/112-341-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/664-564-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/768-144-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/840-760-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/1044-424-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/1120-145-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/1268-19-0x0000000001140000-0x000000000119E000-memory.dmp

Filesize
376KB

Download
memory/1268-18-0x000000007462E000-0x000000007462F000-memory.dmp

Filesize
4KB

Download
memory/1280-732-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/1480-676-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/1488-880-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/1496-91-0x000007FEF6540000-0x000007FEF6562000-memory.dmp

Filesize
136KB

Download
memory/1520-173-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/1560-480-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/1568-761-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/1672-845-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/1676-592-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/1680-229-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/1684-703-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/1708-591-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/1780-677-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/1848-425-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/1884-733-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/1908-881-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/1908-82-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/1948-172-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/1952-396-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/1956-928-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/2028-20-0x0000000001210000-0x0000000001D8D000-memory.dmp

Filesize
11.5MB

Download
memory/2028-31-0x0000000001210000-0x0000000001D8D000-memory.dmp

Filesize
11.5MB

Download
memory/2064-906-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2080-508-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2100-201-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2128-116-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2160-395-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2184-788-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2276-537-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/2284-228-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2304-620-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2312-368-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2324-117-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2384-481-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2392-789-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2432-452-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2444-200-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2456-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp

Filesize
4KB

Download
memory/2456-15-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2456-1-0x000000013F530000-0x000000013F8DE000-memory.dmp

Filesize
3.7MB

Download
memory/2456-25-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2468-24-0x0000000001060000-0x00000000010DA000-memory.dmp

Filesize
488KB

Download
memory/2508-648-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/2548-565-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2592-901-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2608-817-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/2644-649-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/2656-704-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/2676-284-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2716-816-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/2724-285-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2768-844-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2784-81-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2788-92-0x000007FEF6540000-0x000007FEF6562000-memory.dmp

Filesize
136KB

Download
memory/2788-340-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2792-313-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2804-536-0x000007FEF7880000-0x000007FEF78A2000-memory.dmp

Filesize
136KB

Download
memory/2844-256-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2856-509-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/2868-312-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2912-621-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/2968-453-0x000007FEF6570000-0x000007FEF6592000-memory.dmp

Filesize
136KB

Download
memory/3020-257-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download
memory/3028-369-0x000007FEF6B60000-0x000007FEF6B82000-memory.dmp

Filesize
136KB

Download