5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe
Size

28.7MB
MD5

e1fab30f7a0dfbdc2a055e46529c46c0
SHA1

d582f641b44910227d748ae07e4ffc2a096a65ea
SHA256

8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda
SHA512

0bf8882961deb2876aa86ffe409c3f0e459bd5a8b4020273e39c51c1b790a29db9a8af87305c79eb71241019de5b5643c7afb8c12325e24d4d35a494cb7a657e
SSDEEP

6144:78AVcrit0NZuJl1e6VlWT8b9vb+zE1P78doDbG5/4/1V1hQ:78A+GhPVle8Ezbdoup4tV1hQ

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Program Files\\xdwdMATLAB.exe"	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\skkjkjjoiooi = "C:\\Users\\Admin\\Videos\\xdwdLightroom.exe"	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\xdwdMATLAB.exe	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe
File opened for modification	C:\Program Files\xdwdMATLAB.exe	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 41 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
692	schtasks.exe
3036	schtasks.exe
2224	schtasks.exe
2400	schtasks.exe
292	schtasks.exe
2100	schtasks.exe
2304	schtasks.exe
868	schtasks.exe
568	schtasks.exe
2016	schtasks.exe
2712	schtasks.exe
916	schtasks.exe
1956	schtasks.exe
2740	schtasks.exe
2112	schtasks.exe
2332	schtasks.exe
3000	schtasks.exe
2888	schtasks.exe
2064	schtasks.exe
2816	schtasks.exe
2572	schtasks.exe
2260	schtasks.exe
1828	schtasks.exe
2044	schtasks.exe
2424	schtasks.exe
1940	schtasks.exe
2216	schtasks.exe
3016	schtasks.exe
2868	schtasks.exe
1060	schtasks.exe
3056	schtasks.exe
2856	schtasks.exe
2916	schtasks.exe
772	schtasks.exe
2872	schtasks.exe
2712	schtasks.exe
2888	schtasks.exe
2416	schtasks.exe
2740	schtasks.exe
2112	schtasks.exe
3008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	CMD.exe
292	schtasks.exe
1944	CMD.exe
2044	schtasks.exe
2056	CMD.exe
2064	schtasks.exe
356	CMD.exe
2100	schtasks.exe
2284	CMD.exe
2304	schtasks.exe
1868	CMD.exe
2424	schtasks.exe
2120	CMD.exe
2816	schtasks.exe
2824	CMD.exe
2740	schtasks.exe
1768	CMD.exe
2888	schtasks.exe
2612	CMD.exe
1940	schtasks.exe
2452	CMD.exe
2112	schtasks.exe
2300	CMD.exe
2332	schtasks.exe
620	CMD.exe
868	schtasks.exe
2240	CMD.exe
1060	schtasks.exe
1736	CMD.exe
2216	schtasks.exe
2976	CMD.exe
3008	schtasks.exe
1172	CMD.exe
2416	schtasks.exe
2812	CMD.exe
568	schtasks.exe
2004	CMD.exe
2016	schtasks.exe
556	CMD.exe
692	schtasks.exe
1572	CMD.exe
2572	schtasks.exe
2352	CMD.exe
3036	schtasks.exe
2792	CMD.exe
3000	schtasks.exe
1868	CMD.exe
2856	schtasks.exe
2884	CMD.exe
2740	schtasks.exe
2416	CMD.exe
2888	schtasks.exe
2768	CMD.exe
2916	schtasks.exe
2016	CMD.exe
2112	schtasks.exe
408	CMD.exe
3016	schtasks.exe
1284	CMD.exe
2260	schtasks.exe
2720	CMD.exe
2224	schtasks.exe
3000	CMD.exe
3056	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2148	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	32
PID 1732 wrote to memory of 2148	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	32
PID 1732 wrote to memory of 2148	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	32
PID 2148 wrote to memory of 2872	2148	CMD.exe	34
PID 2148 wrote to memory of 2872	2148	CMD.exe	34
PID 2148 wrote to memory of 2872	2148	CMD.exe	34
PID 1732 wrote to memory of 2972	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	35
PID 1732 wrote to memory of 2972	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	35
PID 1732 wrote to memory of 2972	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	35
PID 2972 wrote to memory of 2712	2972	CMD.exe	37
PID 2972 wrote to memory of 2712	2972	CMD.exe	37
PID 2972 wrote to memory of 2712	2972	CMD.exe	37
PID 1732 wrote to memory of 2140	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	38
PID 1732 wrote to memory of 2140	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	38
PID 1732 wrote to memory of 2140	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	38
PID 2140 wrote to memory of 1956	2140	CMD.exe	40
PID 2140 wrote to memory of 1956	2140	CMD.exe	40
PID 2140 wrote to memory of 1956	2140	CMD.exe	40
PID 1732 wrote to memory of 3028	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	69
PID 1732 wrote to memory of 3028	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	69
PID 1732 wrote to memory of 3028	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	69
PID 3028 wrote to memory of 292	3028	CMD.exe	43
PID 3028 wrote to memory of 292	3028	CMD.exe	43
PID 3028 wrote to memory of 292	3028	CMD.exe	43
PID 1732 wrote to memory of 1944	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	44
PID 1732 wrote to memory of 1944	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	44
PID 1732 wrote to memory of 1944	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	44
PID 1944 wrote to memory of 2044	1944	CMD.exe	46
PID 1944 wrote to memory of 2044	1944	CMD.exe	46
PID 1944 wrote to memory of 2044	1944	CMD.exe	46
PID 1732 wrote to memory of 2056	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	47
PID 1732 wrote to memory of 2056	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	47
PID 1732 wrote to memory of 2056	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	47
PID 2056 wrote to memory of 2064	2056	CMD.exe	49
PID 2056 wrote to memory of 2064	2056	CMD.exe	49
PID 2056 wrote to memory of 2064	2056	CMD.exe	49
PID 1732 wrote to memory of 356	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	50
PID 1732 wrote to memory of 356	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	50
PID 1732 wrote to memory of 356	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	50
PID 356 wrote to memory of 2100	356	CMD.exe	52
PID 356 wrote to memory of 2100	356	CMD.exe	52
PID 356 wrote to memory of 2100	356	CMD.exe	52
PID 1732 wrote to memory of 2284	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	53
PID 1732 wrote to memory of 2284	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	53
PID 1732 wrote to memory of 2284	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	53
PID 2284 wrote to memory of 2304	2284	CMD.exe	55
PID 2284 wrote to memory of 2304	2284	CMD.exe	55
PID 2284 wrote to memory of 2304	2284	CMD.exe	55
PID 1732 wrote to memory of 1868	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	56
PID 1732 wrote to memory of 1868	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	56
PID 1732 wrote to memory of 1868	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	56
PID 1868 wrote to memory of 2424	1868	CMD.exe	58
PID 1868 wrote to memory of 2424	1868	CMD.exe	58
PID 1868 wrote to memory of 2424	1868	CMD.exe	58
PID 1732 wrote to memory of 2120	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	59
PID 1732 wrote to memory of 2120	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	59
PID 1732 wrote to memory of 2120	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	59
PID 2120 wrote to memory of 2816	2120	CMD.exe	61
PID 2120 wrote to memory of 2816	2120	CMD.exe	61
PID 2120 wrote to memory of 2816	2120	CMD.exe	61
PID 1732 wrote to memory of 2824	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	62
PID 1732 wrote to memory of 2824	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	62
PID 1732 wrote to memory of 2824	1732	8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe	62
PID 2824 wrote to memory of 2740	2824	CMD.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe
"C:\Users\Admin\AppData\Local\Temp\8017678d87051c2e45053b891cb418b179422465541ebeeb8bbbd6cf24dc1dda.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Visual Studio Code" /tr "C:\Program Files\xdwdMATLAB.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Visual Studio Code" /tr "C:\Program Files\xdwdMATLAB.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2872
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2712
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Hyper-V" /tr "C:\Users\Admin\Videos\xdwdLightroom.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Hyper-V" /tr "C:\Users\Admin\Videos\xdwdLightroom.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1956
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:292
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2064
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:356
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2100
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2304
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2424
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2740
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2888
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1940
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2112
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2332
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:620
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:868
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1060
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2216
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3008
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2416
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:568
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2016
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:692
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2572
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3036
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3000
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2856
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2740
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2888
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2112
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:408
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3016
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2260
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3056
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  PID:2632
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2868
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  PID:2492
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2712
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  PID:2344
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:772
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  PID:1276
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1828
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  PID:2076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2400
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST & exit
  2⤵
  PID:768
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Visio Host" /tr "C:\Program Files\xdwdMATLAB.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "598789124-348928217-1808467318-211395876520649001351446823171231413741969081835"
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/292-59-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/356-159-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/408-959-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/556-676-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/568-611-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/620-452-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/692-675-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/868-451-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/1060-483-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/1172-575-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/1284-996-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/1572-703-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/1732-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1732-18-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-106-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-2-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x0000000000330000-0x000000000039A000-memory.dmp

Filesize
424KB

Download
memory/1736-511-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/1768-319-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/1868-223-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/1868-805-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/1940-350-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/1944-93-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2004-642-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2016-932-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/2016-640-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2044-92-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2056-126-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2064-125-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2100-158-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2112-931-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/2112-382-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2120-255-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2216-510-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2224-1024-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2240-484-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2260-990-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/2284-191-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2300-420-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2304-190-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2332-414-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2352-735-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/2416-574-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2416-869-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/2424-222-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2452-383-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2572-702-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2612-351-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2720-1026-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2740-830-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2740-286-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2768-895-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2792-767-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2812-612-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/2816-254-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2824-287-0x000007FEF1F70000-0x000007FEF1F92000-memory.dmp

Filesize
136KB

Download
memory/2856-803-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/2884-831-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2888-318-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/2888-867-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/2916-894-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/2976-549-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/3000-766-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/3000-1055-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/3008-547-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/3016-958-0x000007FEF7BF0000-0x000007FEF7C12000-memory.dmp

Filesize
136KB

Download
memory/3028-139-0x00000000777B0000-0x0000000077959000-memory.dmp

Filesize
1.7MB

Download
memory/3028-58-0x0000000077801000-0x0000000077802000-memory.dmp

Filesize
4KB

Download
memory/3028-66-0x00000000777B0000-0x0000000077959000-memory.dmp

Filesize
1.7MB

Download
memory/3028-60-0x000007FEF1FA0000-0x000007FEF1FC2000-memory.dmp

Filesize
136KB

Download
memory/3036-734-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download
memory/3056-1054-0x000007FEF6D40000-0x000007FEF6D62000-memory.dmp

Filesize
136KB

Download