redline | 05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee

Analysis

max time kernel
54s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee.exe
Size

259KB
MD5

de4ccc518825994daf9f2033134ee0e0
SHA1

972b5359c0c00118736eea07d006138f5e656c45
SHA256

05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee
SHA512

6743d6b44c3f42f072b38eabb1aa47f6755ce19ac46015b145e865adb64e1f401efe6ec213f51667167bf4d6184d5526e77a1484f1a11b830687547f2a80bbb5
SSDEEP

6144:A0gegUj4MOqapvZHK+0pwx0zRxDTJCOCFPp:AM9jOqaJZHKEgxDFYtp

Score

10^/10

redline smokeloader xmrig logsdiller cloud (bot: @logsdillabot)pub1 summ backdoor evasion infostealer miner persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

95.214.26.17:24714

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Botnet

pub1

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3140-52-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5D01.exe

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral1/memory/3880-292-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-293-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-295-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-296-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-297-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-298-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-299-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-300-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-301-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-302-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-303-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-304-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3880-306-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5D01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5D01.exe

Deletes itself 1 IoCs

pid	Process
3328	Process not Found

Executes dropped EXE 4 IoCs

pid	Process
3964	5D01.exe
4200	5EB7.exe
4508	61E5.exe
4148	9FBA.exe

Loads dropped DLL 1 IoCs

pid	Process
1596	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000022cdf-24.dat	themida
behavioral1/files/0x0007000000022cdf-26.dat	themida
behavioral1/memory/3964-47-0x00000000001E0000-0x0000000000AAE000-memory.dmp	themida
behavioral1/memory/3964-113-0x00000000001E0000-0x0000000000AAE000-memory.dmp	themida
behavioral1/files/0x0006000000022ce2-169.dat	themida
behavioral1/files/0x0006000000022ce2-176.dat	themida
behavioral1/files/0x0006000000022ce2-175.dat	themida
behavioral1/memory/4960-183-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp	themida
behavioral1/memory/4960-182-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp	themida
behavioral1/memory/4960-185-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp	themida
behavioral1/memory/4960-186-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp	themida
behavioral1/memory/4960-195-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp	themida
behavioral1/memory/4960-223-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp	themida
behavioral1/files/0x0006000000022ced-226.dat	themida
behavioral1/files/0x0006000000022ced-225.dat	themida
behavioral1/memory/3404-230-0x00007FF71FEB0000-0x00007FF720C64000-memory.dmp	themida
behavioral1/memory/3404-231-0x00007FF71FEB0000-0x00007FF720C64000-memory.dmp	themida
behavioral1/memory/3404-232-0x00007FF71FEB0000-0x00007FF720C64000-memory.dmp	themida
behavioral1/memory/3404-289-0x00007FF71FEB0000-0x00007FF720C64000-memory.dmp	themida

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3880-285-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-286-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-287-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-288-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-290-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-292-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-293-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-295-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-296-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-297-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-298-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-299-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-300-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-301-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-302-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-303-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-304-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3880-306-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5D01.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3964	5D01.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 3140	4508	sc.exe	100

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3816	sc.exe
2040	sc.exe
2344	sc.exe
5024	sc.exe
2956	sc.exe
564	sc.exe
828	sc.exe
4624	sc.exe
4556	sc.exe
656	sc.exe
32	sc.exe
4256	sc.exe
4508	sc.exe
1968	sc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5EB7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5EB7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5EB7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee.exe
2976	05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee.exe
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found
3328	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3328	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2976	05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee.exe
4200	5EB7.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3328	Process not Found
Token: SeCreatePagefilePrivilege	3328	Process not Found
Token: SeShutdownPrivilege	3328	Process not Found
Token: SeCreatePagefilePrivilege	3328	Process not Found
Token: SeShutdownPrivilege	3328	Process not Found
Token: SeCreatePagefilePrivilege	3328	Process not Found
Token: SeShutdownPrivilege	3328	Process not Found
Token: SeCreatePagefilePrivilege	3328	Process not Found
Token: SeDebugPrivilege	3140	AppLaunch.exe
Token: SeDebugPrivilege	3964	5D01.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 3728	3328	Process not Found	94
PID 3328 wrote to memory of 3728	3328	Process not Found	94
PID 3728 wrote to memory of 1596	3728	regsvr32.exe	95
PID 3728 wrote to memory of 1596	3728	regsvr32.exe	95
PID 3728 wrote to memory of 1596	3728	regsvr32.exe	95
PID 3328 wrote to memory of 3964	3328	Process not Found	96
PID 3328 wrote to memory of 3964	3328	Process not Found	96
PID 3328 wrote to memory of 3964	3328	Process not Found	96
PID 3328 wrote to memory of 4200	3328	Process not Found	97
PID 3328 wrote to memory of 4200	3328	Process not Found	97
PID 3328 wrote to memory of 4200	3328	Process not Found	97
PID 3328 wrote to memory of 4508	3328	Process not Found	99
PID 3328 wrote to memory of 4508	3328	Process not Found	99
PID 3328 wrote to memory of 4508	3328	Process not Found	99
PID 4508 wrote to memory of 3140	4508	sc.exe	100
PID 4508 wrote to memory of 3140	4508	sc.exe	100
PID 4508 wrote to memory of 3140	4508	sc.exe	100
PID 4508 wrote to memory of 3140	4508	sc.exe	100
PID 4508 wrote to memory of 3140	4508	sc.exe	100
PID 4508 wrote to memory of 3140	4508	sc.exe	100
PID 4508 wrote to memory of 3140	4508	sc.exe	100
PID 4508 wrote to memory of 3140	4508	sc.exe	100
PID 3328 wrote to memory of 4148	3328	Process not Found	101
PID 3328 wrote to memory of 4148	3328	Process not Found	101
PID 3328 wrote to memory of 4148	3328	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee.exe
"C:\Users\Admin\AppData\Local\Temp\05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2976

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\585C.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\585C.dll
  2⤵
  - Loads dropped DLL
  PID:1596

C:\Users\Admin\AppData\Local\Temp\5D01.exe
C:\Users\Admin\AppData\Local\Temp\5D01.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Users\Admin\AppData\Local\Temp\5EB7.exe
C:\Users\Admin\AppData\Local\Temp\5EB7.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4200

C:\Users\Admin\AppData\Local\Temp\61E5.exe
C:\Users\Admin\AppData\Local\Temp\61E5.exe
1⤵
- Executes dropped EXE
PID:4508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\mi.exe
    "C:\Users\Admin\AppData\Local\Temp\mi.exe"
    3⤵
    PID:4960
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:4400
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3904
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2692
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2956
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4624
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2040
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2344
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:4556
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:4944
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:564
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:4596
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:4272
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:656
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4256
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:1332

C:\Users\Admin\AppData\Local\Temp\9FBA.exe
C:\Users\Admin\AppData\Local\Temp\9FBA.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Local\Temp\ACCA.exe
C:\Users\Admin\AppData\Local\Temp\ACCA.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
  2⤵
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:2596

C:\Users\Admin\AppData\Local\Temp\AF9A.exe
C:\Users\Admin\AppData\Local\Temp\AF9A.exe
1⤵
PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:3456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:4868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:3900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4316

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4016

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:3404
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4616
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2704
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Suspicious use of SetThreadContext
  - Launches sc.exe
  - Suspicious use of WriteProcessMemory
  PID:4508
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:3880
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4640
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:464
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:2248
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:1840
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:716
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:32
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:828
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5024
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1968

C:\Users\Admin\AppData\Roaming\jsjardd
C:\Users\Admin\AppData\Roaming\jsjardd
1⤵
PID:2164

C:\Users\Admin\AppData\Roaming\sfjardd
C:\Users\Admin\AppData\Roaming\sfjardd
1⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\5A52.exe
C:\Users\Admin\AppData\Local\Temp\5A52.exe
1⤵
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  PID:2776

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:488

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:776

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3384

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3700

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4080

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2752

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\Chrome\updater.exe

Filesize
8.1MB

MD5
1d53fa0d6ca06764174716cc8b8d7a10

SHA1
73f669c966adb8a353d0551d797f91415a3db98f

SHA256
d981a98ffaba8f5c0d3edd55713a12285e696cdceb4153935563ed1739fc9c88

SHA512
31c4edbf23122bf39d8f62ecbbc861a4ec95c91cf69b2dad800a7c0829e358710db524168056651ac46c8b6091b7e76501361a5388ffec03a2dab81581b4a81e

Download Submit
C:\ProgramData\Google\Chrome\updater.exe

Filesize
8.1MB

MD5
1d53fa0d6ca06764174716cc8b8d7a10

SHA1
73f669c966adb8a353d0551d797f91415a3db98f

SHA256
d981a98ffaba8f5c0d3edd55713a12285e696cdceb4153935563ed1739fc9c88

SHA512
31c4edbf23122bf39d8f62ecbbc861a4ec95c91cf69b2dad800a7c0829e358710db524168056651ac46c8b6091b7e76501361a5388ffec03a2dab81581b4a81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.2MB

MD5
890bfdf3c7eecbb505c0fdc415f466b3

SHA1
90889e27be89519f23d85915956d989b75793c8d

SHA256
e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72

SHA512
e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.2MB

MD5
890bfdf3c7eecbb505c0fdc415f466b3

SHA1
90889e27be89519f23d85915956d989b75793c8d

SHA256
e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72

SHA512
e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.2MB

MD5
890bfdf3c7eecbb505c0fdc415f466b3

SHA1
90889e27be89519f23d85915956d989b75793c8d

SHA256
e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72

SHA512
e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\585C.dll

Filesize
1.6MB

MD5
6805483db7959c39be29b74d9d69a8b8

SHA1
727c095dd6b87c9f8486f37cdca8c7884a2462ce

SHA256
dcc81448c6c616163d420628232cff928583f7326cbb2304e02ff236ed16f324

SHA512
be15e73da0b7fcd73dbd0a07a9a744f779f2e66b5961efc5b98d6c0182188769440e54d0a6fa31d99a947978379d784630b3cd51d8077a51c9ae0e29ea59660f

Download Submit
C:\Users\Admin\AppData\Local\Temp\585C.dll

Filesize
1.6MB

MD5
6805483db7959c39be29b74d9d69a8b8

SHA1
727c095dd6b87c9f8486f37cdca8c7884a2462ce

SHA256
dcc81448c6c616163d420628232cff928583f7326cbb2304e02ff236ed16f324

SHA512
be15e73da0b7fcd73dbd0a07a9a744f779f2e66b5961efc5b98d6c0182188769440e54d0a6fa31d99a947978379d784630b3cd51d8077a51c9ae0e29ea59660f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A52.exe

Filesize
1.9MB

MD5
9d9904e7eb6759fbc3b88de3ee4ff0d2

SHA1
5ad7e12df264bbcb8219b3601e5f23221dae55f9

SHA256
11bc95ae86743d11f613ac499036c60695fd64d30a94702e03338b04b710722b

SHA512
8a6ee7f646fb30b097993cbc0a95d22ee9c943c1cc539eb53ec81cb13e79b4feef8997c90d0e0a9f0d6ab33269b1a3dc2175324162031573da4b1f26a08dabd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A52.exe

Filesize
1.9MB

MD5
9d9904e7eb6759fbc3b88de3ee4ff0d2

SHA1
5ad7e12df264bbcb8219b3601e5f23221dae55f9

SHA256
11bc95ae86743d11f613ac499036c60695fd64d30a94702e03338b04b710722b

SHA512
8a6ee7f646fb30b097993cbc0a95d22ee9c943c1cc539eb53ec81cb13e79b4feef8997c90d0e0a9f0d6ab33269b1a3dc2175324162031573da4b1f26a08dabd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D01.exe

Filesize
3.4MB

MD5
8d4d05a643dbab697faa314703888b3f

SHA1
7e83439787a7f86015dae18900c29176a4d16064

SHA256
a719b6410b2e125322b304e54d98ff5273d5e097aafce82f8acadca572d1c522

SHA512
fbae5ef4278394d81cb0b31c82665fa95a4e6f5d51c125418ee81af0edcb3eca4210ec7c00820d5a1f4c54c05586257443a3511f61b486fd490e723f671d5515

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D01.exe

Filesize
3.4MB

MD5
8d4d05a643dbab697faa314703888b3f

SHA1
7e83439787a7f86015dae18900c29176a4d16064

SHA256
a719b6410b2e125322b304e54d98ff5273d5e097aafce82f8acadca572d1c522

SHA512
fbae5ef4278394d81cb0b31c82665fa95a4e6f5d51c125418ee81af0edcb3eca4210ec7c00820d5a1f4c54c05586257443a3511f61b486fd490e723f671d5515

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EB7.exe

Filesize
257KB

MD5
325278bf03baf7920c1735ec09e502a5

SHA1
f04f4c8383a4f9aaf587974a68682e0b99834c64

SHA256
a081845915e3b8d17cb05016977634939ab726f8965ef6764e07dd7a0fbc0f03

SHA512
4f4f5974ae3919bb7fa53b8785673f93b8147619520546900f6b5f5ff812103ac8af84ce1905d8be489a43c74b6be28c04ef110e5ed2d3ee45712ae3e8c3534c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EB7.exe

Filesize
257KB

MD5
325278bf03baf7920c1735ec09e502a5

SHA1
f04f4c8383a4f9aaf587974a68682e0b99834c64

SHA256
a081845915e3b8d17cb05016977634939ab726f8965ef6764e07dd7a0fbc0f03

SHA512
4f4f5974ae3919bb7fa53b8785673f93b8147619520546900f6b5f5ff812103ac8af84ce1905d8be489a43c74b6be28c04ef110e5ed2d3ee45712ae3e8c3534c

Download Submit
C:\Users\Admin\AppData\Local\Temp\61E5.exe

Filesize
403KB

MD5
18cf6fb3dbce88b6884d5884d98d1abf

SHA1
191e57948f77f477e63561316b6072b38d2bd388

SHA256
ad5e541ca9a78ca6800d6bda0b1153233ceca652d4a23ce6495d60abcc0285c0

SHA512
3d72866aeeb8c834d842faf6b5e66b7b787f328c704b14aadbaa4534a290e80c391fda026fe1c998d9d867fe8747fccf23518c262da56a31ef8166389d423683

Download Submit
C:\Users\Admin\AppData\Local\Temp\61E5.exe

Filesize
403KB

MD5
18cf6fb3dbce88b6884d5884d98d1abf

SHA1
191e57948f77f477e63561316b6072b38d2bd388

SHA256
ad5e541ca9a78ca6800d6bda0b1153233ceca652d4a23ce6495d60abcc0285c0

SHA512
3d72866aeeb8c834d842faf6b5e66b7b787f328c704b14aadbaa4534a290e80c391fda026fe1c998d9d867fe8747fccf23518c262da56a31ef8166389d423683

Download Submit
C:\Users\Admin\AppData\Local\Temp\7505447e

Filesize
5.3MB

MD5
bae4e382a0302185018af2b289bdc53d

SHA1
ffcb43f4efa3962bd826a6f21b2b890c745977d0

SHA256
f7f830bdbbc7a8fadf9a7ea4cb26c8371f9ccee26f826e87b06e8c2d047a840c

SHA512
1b5e948653c83dff8083a5b13033815ccc44a124b859766cf5402ec4ac6521a45b0f8e80bc56ae8239b1fe861f5bacf851f083bb05a1d845daf4ddd2666554ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FBA.exe

Filesize
259KB

MD5
bc9002a6f67eb73dea9acafa352caa2b

SHA1
3562b32fd64b0b18c6f7726cc2a97788bf7ebde2

SHA256
d23a11e66eaf6e9c4578639352816aed64119aa05e9188282fa38188ba2eb452

SHA512
d5b9bacfec0acc30d5fb425671dc20a71611dbae9e0e54c2eeed19be1e2cb6f083e8019bdfd37c2c9ddc4673ea7dc3eba42a46ab9ea111df2b25fee23c26f407

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FBA.exe

Filesize
259KB

MD5
bc9002a6f67eb73dea9acafa352caa2b

SHA1
3562b32fd64b0b18c6f7726cc2a97788bf7ebde2

SHA256
d23a11e66eaf6e9c4578639352816aed64119aa05e9188282fa38188ba2eb452

SHA512
d5b9bacfec0acc30d5fb425671dc20a71611dbae9e0e54c2eeed19be1e2cb6f083e8019bdfd37c2c9ddc4673ea7dc3eba42a46ab9ea111df2b25fee23c26f407

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACCA.exe

Filesize
6.4MB

MD5
faa78f58b4f091f8c56ea622d8576703

SHA1
2bd05e7cf298f79bc7408f400e2f2fd37fc8bdf1

SHA256
464c7ab944886103d617e334c94320344761a543de5395c6b541ae386b448ea0

SHA512
3037aef0866b9957fd9f56691baa0e6557a9f46cd3695016dc3c829fc270393360b05e39fba19dc10cac06c2f51998716b3c15c57c3f0afe8c11b2a3709d467b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACCA.exe

Filesize
6.4MB

MD5
faa78f58b4f091f8c56ea622d8576703

SHA1
2bd05e7cf298f79bc7408f400e2f2fd37fc8bdf1

SHA256
464c7ab944886103d617e334c94320344761a543de5395c6b541ae386b448ea0

SHA512
3037aef0866b9957fd9f56691baa0e6557a9f46cd3695016dc3c829fc270393360b05e39fba19dc10cac06c2f51998716b3c15c57c3f0afe8c11b2a3709d467b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF9A.exe

Filesize
994KB

MD5
ec11419f39a7376980ff9ee7909c9693

SHA1
047ceed2b766c9967554dad1452b8d2a09b3bbf1

SHA256
b4fc379cbf4b7a0505e37567b1aac25e34fc7996248f485c977b8222a82e3d24

SHA512
be286ed314b4577310bffe102f88ce38f4cf4ac49cb0c43f8a407c122603ef114a557988c15a2234fdb8c9bf9c6f72dda512da9dfd117edd94ca5d1a6c3e998e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF9A.exe

Filesize
994KB

MD5
ec11419f39a7376980ff9ee7909c9693

SHA1
047ceed2b766c9967554dad1452b8d2a09b3bbf1

SHA256
b4fc379cbf4b7a0505e37567b1aac25e34fc7996248f485c977b8222a82e3d24

SHA512
be286ed314b4577310bffe102f88ce38f4cf4ac49cb0c43f8a407c122603ef114a557988c15a2234fdb8c9bf9c6f72dda512da9dfd117edd94ca5d1a6c3e998e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
2.3MB

MD5
d56df2995b539368495f3300e48d8e18

SHA1
8d2d02923afb5fb5e09ce1592104db17a3128246

SHA256
b87fd3c98383089618d2f66cbbecd2b0ed91db6923135235eb52a671f8dd7cb6

SHA512
2b25f9b2ff56abafcd8aa0a5fbae4ea78e9e95cec3d4cb832a7a3c5ec13af7d9ecf3ef26ec5c7144805868801aacb8de4113490c3bd665fda4e23ec05b9d8008

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
2.3MB

MD5
d56df2995b539368495f3300e48d8e18

SHA1
8d2d02923afb5fb5e09ce1592104db17a3128246

SHA256
b87fd3c98383089618d2f66cbbecd2b0ed91db6923135235eb52a671f8dd7cb6

SHA512
2b25f9b2ff56abafcd8aa0a5fbae4ea78e9e95cec3d4cb832a7a3c5ec13af7d9ecf3ef26ec5c7144805868801aacb8de4113490c3bd665fda4e23ec05b9d8008

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
2.3MB

MD5
d56df2995b539368495f3300e48d8e18

SHA1
8d2d02923afb5fb5e09ce1592104db17a3128246

SHA256
b87fd3c98383089618d2f66cbbecd2b0ed91db6923135235eb52a671f8dd7cb6

SHA512
2b25f9b2ff56abafcd8aa0a5fbae4ea78e9e95cec3d4cb832a7a3c5ec13af7d9ecf3ef26ec5c7144805868801aacb8de4113490c3bd665fda4e23ec05b9d8008

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvppxuw2.anc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
8.1MB

MD5
1d53fa0d6ca06764174716cc8b8d7a10

SHA1
73f669c966adb8a353d0551d797f91415a3db98f

SHA256
d981a98ffaba8f5c0d3edd55713a12285e696cdceb4153935563ed1739fc9c88

SHA512
31c4edbf23122bf39d8f62ecbbc861a4ec95c91cf69b2dad800a7c0829e358710db524168056651ac46c8b6091b7e76501361a5388ffec03a2dab81581b4a81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
8.1MB

MD5
1d53fa0d6ca06764174716cc8b8d7a10

SHA1
73f669c966adb8a353d0551d797f91415a3db98f

SHA256
d981a98ffaba8f5c0d3edd55713a12285e696cdceb4153935563ed1739fc9c88

SHA512
31c4edbf23122bf39d8f62ecbbc861a4ec95c91cf69b2dad800a7c0829e358710db524168056651ac46c8b6091b7e76501361a5388ffec03a2dab81581b4a81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
8.1MB

MD5
1d53fa0d6ca06764174716cc8b8d7a10

SHA1
73f669c966adb8a353d0551d797f91415a3db98f

SHA256
d981a98ffaba8f5c0d3edd55713a12285e696cdceb4153935563ed1739fc9c88

SHA512
31c4edbf23122bf39d8f62ecbbc861a4ec95c91cf69b2dad800a7c0829e358710db524168056651ac46c8b6091b7e76501361a5388ffec03a2dab81581b4a81e

Download Submit
C:\Users\Admin\AppData\Roaming\bcjardd

Filesize
259KB

MD5
bc9002a6f67eb73dea9acafa352caa2b

SHA1
3562b32fd64b0b18c6f7726cc2a97788bf7ebde2

SHA256
d23a11e66eaf6e9c4578639352816aed64119aa05e9188282fa38188ba2eb452

SHA512
d5b9bacfec0acc30d5fb425671dc20a71611dbae9e0e54c2eeed19be1e2cb6f083e8019bdfd37c2c9ddc4673ea7dc3eba42a46ab9ea111df2b25fee23c26f407

Download Submit
C:\Users\Admin\AppData\Roaming\jsjardd

Filesize
259KB

MD5
de4ccc518825994daf9f2033134ee0e0

SHA1
972b5359c0c00118736eea07d006138f5e656c45

SHA256
05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee

SHA512
6743d6b44c3f42f072b38eabb1aa47f6755ce19ac46015b145e865adb64e1f401efe6ec213f51667167bf4d6184d5526e77a1484f1a11b830687547f2a80bbb5

Download Submit
C:\Users\Admin\AppData\Roaming\jsjardd

Filesize
259KB

MD5
de4ccc518825994daf9f2033134ee0e0

SHA1
972b5359c0c00118736eea07d006138f5e656c45

SHA256
05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee

SHA512
6743d6b44c3f42f072b38eabb1aa47f6755ce19ac46015b145e865adb64e1f401efe6ec213f51667167bf4d6184d5526e77a1484f1a11b830687547f2a80bbb5

Download Submit
C:\Users\Admin\AppData\Roaming\sfjardd

Filesize
257KB

MD5
325278bf03baf7920c1735ec09e502a5

SHA1
f04f4c8383a4f9aaf587974a68682e0b99834c64

SHA256
a081845915e3b8d17cb05016977634939ab726f8965ef6764e07dd7a0fbc0f03

SHA512
4f4f5974ae3919bb7fa53b8785673f93b8147619520546900f6b5f5ff812103ac8af84ce1905d8be489a43c74b6be28c04ef110e5ed2d3ee45712ae3e8c3534c

Download Submit
C:\Users\Admin\AppData\Roaming\sfjardd

Filesize
257KB

MD5
325278bf03baf7920c1735ec09e502a5

SHA1
f04f4c8383a4f9aaf587974a68682e0b99834c64

SHA256
a081845915e3b8d17cb05016977634939ab726f8965ef6764e07dd7a0fbc0f03

SHA512
4f4f5974ae3919bb7fa53b8785673f93b8147619520546900f6b5f5ff812103ac8af84ce1905d8be489a43c74b6be28c04ef110e5ed2d3ee45712ae3e8c3534c

Download Submit
C:\Users\Admin\AppData\Roaming\sfjardd

Filesize
257KB

MD5
325278bf03baf7920c1735ec09e502a5

SHA1
f04f4c8383a4f9aaf587974a68682e0b99834c64

SHA256
a081845915e3b8d17cb05016977634939ab726f8965ef6764e07dd7a0fbc0f03

SHA512
4f4f5974ae3919bb7fa53b8785673f93b8147619520546900f6b5f5ff812103ac8af84ce1905d8be489a43c74b6be28c04ef110e5ed2d3ee45712ae3e8c3534c

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/488-311-0x00000000006D0000-0x00000000006DB000-memory.dmp

Filesize
44KB

Download
memory/1596-51-0x00000000025B0000-0x00000000026D6000-memory.dmp

Filesize
1.1MB

Download
memory/1596-64-0x0000000000BE0000-0x0000000000CE9000-memory.dmp

Filesize
1.0MB

Download
memory/1596-62-0x0000000000BE0000-0x0000000000CE9000-memory.dmp

Filesize
1.0MB

Download
memory/1596-57-0x0000000000BE0000-0x0000000000CE9000-memory.dmp

Filesize
1.0MB

Download
memory/1596-63-0x0000000000BE0000-0x0000000000CE9000-memory.dmp

Filesize
1.0MB

Download
memory/1596-19-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/1596-20-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/1756-111-0x0000000004D20000-0x0000000004DBC000-memory.dmp

Filesize
624KB

Download
memory/1756-105-0x0000000000F00000-0x0000000000FFE000-memory.dmp

Filesize
1016KB

Download
memory/1756-107-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/1756-116-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2596-194-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2596-166-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2976-1-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

Filesize
1024KB

Download
memory/2976-2-0x0000000000960000-0x000000000096B000-memory.dmp

Filesize
44KB

Download
memory/2976-9-0x0000000000960000-0x000000000096B000-memory.dmp

Filesize
44KB

Download
memory/2976-6-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2976-4-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/2976-3-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/3140-121-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/3140-83-0x0000000009830000-0x00000000099F2000-memory.dmp

Filesize
1.8MB

Download
memory/3140-58-0x0000000007940000-0x0000000007950000-memory.dmp

Filesize
64KB

Download
memory/3140-84-0x000000000A4B0000-0x000000000A9DC000-memory.dmp

Filesize
5.2MB

Download
memory/3140-95-0x0000000006760000-0x00000000067B0000-memory.dmp

Filesize
320KB

Download
memory/3140-55-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/3140-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3140-167-0x0000000007940000-0x0000000007950000-memory.dmp

Filesize
64KB

Download
memory/3140-181-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/3328-72-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/3328-5-0x0000000002960000-0x0000000002976000-memory.dmp

Filesize
88KB

Download
memory/3328-188-0x00000000029A0000-0x00000000029B6000-memory.dmp

Filesize
88KB

Download
memory/3404-232-0x00007FF71FEB0000-0x00007FF720C64000-memory.dmp

Filesize
13.7MB

Download
memory/3404-231-0x00007FF71FEB0000-0x00007FF720C64000-memory.dmp

Filesize
13.7MB

Download
memory/3404-230-0x00007FF71FEB0000-0x00007FF720C64000-memory.dmp

Filesize
13.7MB

Download
memory/3404-289-0x00007FF71FEB0000-0x00007FF720C64000-memory.dmp

Filesize
13.7MB

Download
memory/3880-292-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-302-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-293-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-306-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-294-0x0000000000FE0000-0x0000000001000000-memory.dmp

Filesize
128KB

Download
memory/3880-288-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-295-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-304-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-303-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-290-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-301-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-296-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-297-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-287-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-298-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-286-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-300-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-285-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3880-299-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3964-80-0x00000000001E0000-0x0000000000AAE000-memory.dmp

Filesize
8.8MB

Download
memory/3964-31-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-60-0x0000000007BF0000-0x0000000007C2C000-memory.dmp

Filesize
240KB

Download
memory/3964-53-0x0000000008A10000-0x0000000009028000-memory.dmp

Filesize
6.1MB

Download
memory/3964-93-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-92-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-56-0x0000000007B80000-0x0000000007B92000-memory.dmp

Filesize
72KB

Download
memory/3964-61-0x0000000007C30000-0x0000000007C7C000-memory.dmp

Filesize
304KB

Download
memory/3964-71-0x00000000084F0000-0x0000000008556000-memory.dmp

Filesize
408KB

Download
memory/3964-113-0x00000000001E0000-0x0000000000AAE000-memory.dmp

Filesize
8.8MB

Download
memory/3964-33-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-32-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-34-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-91-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-25-0x00000000001E0000-0x0000000000AAE000-memory.dmp

Filesize
8.8MB

Download
memory/3964-102-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-50-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/3964-54-0x0000000007CC0000-0x0000000007DCA000-memory.dmp

Filesize
1.0MB

Download
memory/3964-49-0x0000000007930000-0x00000000079C2000-memory.dmp

Filesize
584KB

Download
memory/3964-48-0x0000000007E40000-0x00000000083E4000-memory.dmp

Filesize
5.6MB

Download
memory/3964-115-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-47-0x00000000001E0000-0x0000000000AAE000-memory.dmp

Filesize
8.8MB

Download
memory/3964-42-0x00000000775B4000-0x00000000775B6000-memory.dmp

Filesize
8KB

Download
memory/3964-112-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-82-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-104-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-41-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-40-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-38-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-35-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/3964-81-0x0000000076360000-0x0000000076450000-memory.dmp

Filesize
960KB

Download
memory/4016-117-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/4016-118-0x0000000000BF0000-0x0000000000BF7000-memory.dmp

Filesize
28KB

Download
memory/4016-119-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/4148-191-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/4148-180-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/4148-174-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/4148-178-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/4148-179-0x0000000000950000-0x000000000095B000-memory.dmp

Filesize
44KB

Download
memory/4200-67-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/4200-73-0x0000000000400000-0x00000000007C9000-memory.dmp

Filesize
3.8MB

Download
memory/4200-69-0x0000000000400000-0x00000000007C9000-memory.dmp

Filesize
3.8MB

Download
memory/4200-68-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/4316-165-0x0000000001200000-0x000000000126B000-memory.dmp

Filesize
428KB

Download
memory/4316-108-0x0000000001270000-0x00000000012E5000-memory.dmp

Filesize
468KB

Download
memory/4316-114-0x0000000001200000-0x000000000126B000-memory.dmp

Filesize
428KB

Download
memory/4316-109-0x0000000001200000-0x000000000126B000-memory.dmp

Filesize
428KB

Download
memory/4640-278-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4640-277-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4640-274-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4640-275-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4640-281-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4640-276-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4808-97-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/4808-159-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/4808-90-0x0000000000EA0000-0x0000000001514000-memory.dmp

Filesize
6.5MB

Download
memory/4960-183-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp

Filesize
13.7MB

Download
memory/4960-186-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp

Filesize
13.7MB

Download
memory/4960-195-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp

Filesize
13.7MB

Download
memory/4960-223-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp

Filesize
13.7MB

Download
memory/4960-185-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp

Filesize
13.7MB

Download
memory/4960-182-0x00007FF63ED80000-0x00007FF63FB34000-memory.dmp

Filesize
13.7MB

Download