Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 21:00

General

  • Target

    JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe

  • Size

    1.3MB

  • MD5

    10c386e880209d4025bdf3b29ce4a48d

  • SHA1

    02d8babcffff08f5cf6da5b771045384bdc8036d

  • SHA256

    6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3

  • SHA512

    03c63901e6f13f6e446a017de6d0faa9d4cfd77146c48f2d1c22affd50ab6a2765199cf9e02e532c24dfc827e6816d6ba91442c7e88f5b909273a911c822a3da

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Landscapes\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3024
          • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
            "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1964
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1624
                • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                  "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1804
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
                    8⤵
                      PID:3016
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:892
                        • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                          "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2948
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DGa94wSM8j.bat"
                            10⤵
                              PID:264
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2708
                                • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                                  "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1876
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
                                    12⤵
                                      PID:1532
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2580
                                        • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                                          "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2056
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
                                            14⤵
                                              PID:1232
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:664
                                                • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                                                  "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:892
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
                                                    16⤵
                                                      PID:1032
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2952
                                                        • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                                                          "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2584
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
                                                            18⤵
                                                              PID:2564
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2620
                                                                • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                                                                  "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1588
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
                                                                    20⤵
                                                                      PID:676
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:1544
                                                                        • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                                                                          "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2628
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
                                                                            22⤵
                                                                              PID:2812
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2272
                                                                                • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                                                                                  "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1944
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
                                                                                    24⤵
                                                                                      PID:1872
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2176
                                                                                        • C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe
                                                                                          "C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Landscapes\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Wallpaper\Landscapes\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
                                          PID:2248
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2344
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2260
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Music\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:440
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1436
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1504
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2532
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2960
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1720
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:788
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:928
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1472
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1360
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1696
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:832
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:608
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1232
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:568
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1964

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          0dd8e9da9c203f5e0b1ed64291e7add3

                                          SHA1

                                          71719a738cd0d121af58621844aa5e99ee9e912f

                                          SHA256

                                          00c907dcc047ea39b69e13f355f1d29ee026e38022db68281d95a22ca1b3f5aa

                                          SHA512

                                          7e84fcc102b65030b0059b638338436e0251c7a49d1cdded29b131e60dc1d735525b37a9ad961a375389e857fbe7c8302b09dcccfeb2057cbde2bcdde765e8d8

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          543c9fcdbe31a572f03f3cb5b18089b5

                                          SHA1

                                          3c3aff846d9baf9bbb425a6d848db0976bef1439

                                          SHA256

                                          e42361903a71362dc75fdd4cf3b8e1b941e0d490d26713f866eca7b70643f125

                                          SHA512

                                          1e2de4840904667eaaecce76d245a9beb45c3198f1071dcf1156988ee6a34b1d64d146f328e1b02653175251f834c407c7b78dd3b745335983aa62272cf81d3c

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          ae0a9ad85478fde125f561ee837a416e

                                          SHA1

                                          e68c9e58d315dc04e24cdf58e117f3b1d237b36b

                                          SHA256

                                          ff81167ba9f8ac073abb2f787012c3e0dc1f2324a84a2a59055c6c4e778964a8

                                          SHA512

                                          e0b5896b0978f4edadf3413d48bd833302926014a5adfe453012f22d0b43c718ecfb741011bfc972391e42ed8d1cb6484456fe3fc43e04275d37d745b0af4556

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          21ffab3eb33bc422a3435eb5085aa0a3

                                          SHA1

                                          e208f630947ebd830c340f34a703025f93f2f6d6

                                          SHA256

                                          6e516c52910bb112369a91c7fac57f1be8e1dd3638df877eedd084dd6779637a

                                          SHA512

                                          228f2552d585b1ac4107b30bec41d6cb9d558b8fb4033025563792637df12fcf12a05afed3aaeec022e2014caaf9da35c79f87f5bd941385c090b335a7af1433

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          bb816a056199acf8b5b63850bc058213

                                          SHA1

                                          a62eefea7b3a323058738e585b6ccd3a3f722547

                                          SHA256

                                          2124cc96cbf2e9479d3fc390c5e23c0bcfcca8a3e98ad842f2fb6eb4ca6ce71b

                                          SHA512

                                          0ef0bdd533d18f7df236b7072d25f7fc81f62af4af5daa4ee31831fd01691cc6a0ba38b54b14e84d6039ec257c0644ad4f574b6f0ccaaa80cf392b9fef2a16c1

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          c85fada6d6bd425221bcb1c409449349

                                          SHA1

                                          e7e5b7c3788ce53db9e4085e16cf55b3a9aa0984

                                          SHA256

                                          61f39809cc7de20267076f5e1feb80af7d71983f6a410f448b079000ec0b8157

                                          SHA512

                                          b2477c05cf88b4618c3fa2fd129663949a424b632f1d5ac04759ee1fb37f9329c744db1aee48e484d706c1751996599000026a3cf6574a7814cf6b600d214e35

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          2c3213a36555b7e1a4388ebf9b3da64e

                                          SHA1

                                          6aaec55e1dadf79e3036717b87bf1613805cbee4

                                          SHA256

                                          5df5a532919601877614886527f8024ee8d3be45424a9ab4880ccc495167aad4

                                          SHA512

                                          fd8f9153cde609244bfab03e2b70eacfe1cdadfd9f5ab2f9087e90d07e7104612eea1d5af3140bb4198cfdd0d62457efb3f5729f200efc8b2993d05a05e9117d

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          5b3f063a601c0a55539d3e2de1d6fd72

                                          SHA1

                                          4f83072dac1c1740e6fa596d465f0b4e05700383

                                          SHA256

                                          daa54b97fd64be49accd4d549467205a0b4aadaaf16b9c162a48145a7deeaec1

                                          SHA512

                                          e7f59954336085dcedf47deef9908d25cd95235f8204129866a71f2ae4eb0afd9dcc30e5513147424d30874105e333b19e7b4064bd7fa1a03b832ed7acce8983

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          5c1b2d50452d2393f561b46b2f2980c1

                                          SHA1

                                          899200c29411cf29081cb891c20cb1aed254220e

                                          SHA256

                                          44fec87156ff29c7d3c7407b3fe709623fd53411428d40c89297d1beb3011fa7

                                          SHA512

                                          6beb6b6dee16ba620dfba9f3f94a0075da0ca860ad9be4ba8cf97ac0a78843b04a73c1ca1b2a65ae43343c89517fdcb725dba31974b7b116cb5948732c136b5d

                                        • C:\Users\Admin\AppData\Local\Temp\Cab2B08.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\DGa94wSM8j.bat

                                          Filesize

                                          221B

                                          MD5

                                          f35df4cfcba2bd8e5853626ac7074b7e

                                          SHA1

                                          ab7f4aaf4c9fba2465506f06707acadb62179e9d

                                          SHA256

                                          89715443ae066088b17a37e7233db87f29c534a0717d68c563a8f17a7eec5023

                                          SHA512

                                          7af1faf1826354a6cb1762793649f4dbc7025609b40d83d45a0b4287b3d93e742932970b50145a3cd95ebd21e572cedd7904c2ddf4436c6436633be3326d9d7f

                                        • C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

                                          Filesize

                                          221B

                                          MD5

                                          a7e2e27a820b2fca9c659dbd2719b106

                                          SHA1

                                          cf0941d8eebba899b05dafce28b49fa4830af37e

                                          SHA256

                                          faf63ca251fde7b168a0db1e8c8dff41a6d9c2ba77b7e04391c8e1f3d9e765b1

                                          SHA512

                                          8ccb9e2805f39220fd70d032a0e1c67895707d8b0c5f96c852091f1e220317432523def4330aca2cf3350d5bba6f985360db3df014cc9700a2cc677624f731bd

                                        • C:\Users\Admin\AppData\Local\Temp\Tar2B1B.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat

                                          Filesize

                                          221B

                                          MD5

                                          4790ab7ab6113e867946c6699330ef40

                                          SHA1

                                          41ab7cecdc2d6aa4fe9af8e45fb1c0101509b308

                                          SHA256

                                          ffb448b64f6c4932fc6e8e502f48a9101b7b2df4ce42e24b90d3152fc2aa20b1

                                          SHA512

                                          61208bf290d9b8136e616deafbf6f31f4122122213e8c4e7f18c6e62dc13ddf8a4db7983f8e31eb1c9acb3bf01b82dc0ee6c2e9689012d081fdbd9c8b110508d

                                        • C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

                                          Filesize

                                          221B

                                          MD5

                                          d21a59a814a4c389a4b08dda168c9025

                                          SHA1

                                          b67ca899be28f095d35c10247e7c0d9b5587734a

                                          SHA256

                                          805281b3df128a18bcf1e1aa2877d50ccb43b8ed2e9893b1a6504051d245ab53

                                          SHA512

                                          47fafd3e90ed4f6948028d423be9aa97c0198f844bb3220668d2b505ab8f9b2953ecf0a4eb4f236d978b418a67468ea0c9e50a21bd6d70e57b8bc6e436d65e74

                                        • C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

                                          Filesize

                                          221B

                                          MD5

                                          ec46788b1b45a49b70ef6a854d253055

                                          SHA1

                                          335f97f6951bfe28c22bd1f265f7ec159020e308

                                          SHA256

                                          fe9283ba6afb913b5290ef37a46636fdcbfc2781cbe85378f825b0603cbca3db

                                          SHA512

                                          4ad0d591a73be035e7b478ea9f826edfdbce2b0908857996bcc47ea5ee3a97c50f672a049f0a26a50d663de0d847f50e30d05bec9ae436426756ad49b02a1088

                                        • C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

                                          Filesize

                                          221B

                                          MD5

                                          6c8a4d15d88bce31169c15ac8a753b43

                                          SHA1

                                          18d663066cc0a433fc1a5450fbe9a1beccc45008

                                          SHA256

                                          d7fb4b1193c9feeef040292b4ff1d62e681f31d19d4062b7a77494fff7098cea

                                          SHA512

                                          a5afa905da7c4c4519b92d955c6ff2a50975ef439d31f7f106fdf41f46f158cad567d764298d1a20391a486d9f5be000efac5b3ceec4fbf1d9d20847c1ef500e

                                        • C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

                                          Filesize

                                          221B

                                          MD5

                                          b4f857418d909e0bc710676b42b7479d

                                          SHA1

                                          a03e251c0dd6ae0809a7cf88a2cb14f722e27641

                                          SHA256

                                          f91fec3f09eec00c1b97a1c8d044ede780e8b5584fbe03146595126dc8d013c4

                                          SHA512

                                          f7f0ffbb12cc9d9b50f55ac817a340b83b99da5863cf556484dc1727d6bc8ea9c73c96f397e2a316971093fff65e8f9f7153ce521bd52f1e140d532f15e23b52

                                        • C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat

                                          Filesize

                                          221B

                                          MD5

                                          b9957006d843ca91d7d9d11ebc7c7bff

                                          SHA1

                                          9fe8890c37ef6735101207ee54410d458bc3761b

                                          SHA256

                                          89877c316927ad8086a57516a80af8a5322f5d5ca9ad9f4ec88f8f65045e8a1c

                                          SHA512

                                          65cbbf60e89b564829d9823e6163eb0011796f4966787c2fc6627a7c9f5ddf1e80e32b157f9b7243ed9c41911d93d7ed5d0403fedab5f29f84b35a279b5e8bfa

                                        • C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

                                          Filesize

                                          221B

                                          MD5

                                          130534ce10f618635dad5229eb4c7263

                                          SHA1

                                          381128e06e94ecc5bea62abe943c7387b66363bc

                                          SHA256

                                          e3367f4c688a07a066a14e3147b77d197f17f37dbd3b80283e262a21e2f4a977

                                          SHA512

                                          3729f4cc25ce8c42988ca7b9caa91edfedfff871c2504fcfa2d9e89082112c522ae6f374263474b1605b5ff0c498885d64f24e5fda1c6ea52e7c8533a3230a25

                                        • C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat

                                          Filesize

                                          221B

                                          MD5

                                          391110228ff0a1d31a2333274d0b888b

                                          SHA1

                                          8ec5651093a23bd24e5ac91776007604c9298669

                                          SHA256

                                          3b1594a9225d9b77e4a07d7f1f77a0bdc38dcad365c1923fdc0a270fa392e050

                                          SHA512

                                          352ecc6d76b64a99335193bcc38caff6dc6cb13a1aaf59868ec35702192d05e5786b7ee361984ad95dcfea256f8c38687141490a6289fb7d0d1ff4fda172ee60

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          19290715636f56e17353d7c5638e9311

                                          SHA1

                                          e6a9afdf0ed50051bf80837967f453f4d7f166c2
    SHA256: 7690e684ba422a2cf3c3a4f85d7f2b10679ef222f6abcbddd58193cb40fc468a
    SHA512: 2ca9e7a5edc0e03273cf601888d6d9e04da344355a8889bc0f09a3d8ce8e813c32e0701f0e663e0e03406930e4001d55460e4bc3e3bf9b64455eee09fcfc40be

  • C:\providercommon\1zu9dW.bat
    Filesize: 36B
    MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
    SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
    SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
    SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

  • C:\providercommon\DllCommonsvc.exe
    Filesize: 1.0MB
    MD5: bd31e94b4143c4ce49c17d3af46bcad0
    SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
    SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
    SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
    Filesize: 197B
    MD5: 8088241160261560a02c84025d107592
    SHA1: 083121f7027557570994c9fc211df61730455bb5
    SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
    SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

  • memory/1588-543-0x0000000000E30000-0x0000000000F40000-memory.dmp
    Filesize: 1.1MB

  • memory/1588-544-0x0000000000150000-0x0000000000162000-memory.dmp
    Filesize: 72KB

  • memory/1804-184-0x00000000011C0000-0x00000000012D0000-memory.dmp
    Filesize: 1.1MB

  • memory/1920-56-0x0000000002860000-0x0000000002868000-memory.dmp
    Filesize: 32KB

  • memory/1920-55-0x000000001B630000-0x000000001B912000-memory.dmp
    Filesize: 2.9MB

  • memory/2564-77-0x0000000000A60000-0x0000000000B70000-memory.dmp
    Filesize: 1.1MB

  • memory/2584-483-0x0000000000240000-0x0000000000252000-memory.dmp
    Filesize: 72KB

  • memory/2584-482-0x0000000000250000-0x0000000000360000-memory.dmp
    Filesize: 1.1MB

  • memory/2628-604-0x00000000012A0000-0x00000000013B0000-memory.dmp
    Filesize: 1.1MB

  • memory/2720-16-0x0000000000160000-0x000000000016C000-memory.dmp
    Filesize: 48KB

  • memory/2720-15-0x0000000000150000-0x000000000015C000-memory.dmp
    Filesize: 48KB

  • memory/2720-13-0x0000000000B30000-0x0000000000C40000-memory.dmp
    Filesize: 1.1MB

  • memory/2720-14-0x0000000000140000-0x0000000000152000-memory.dmp
    Filesize: 72KB

  • memory/2720-17-0x0000000000170000-0x000000000017C000-memory.dmp
    Filesize: 48KB

  • memory/2948-244-0x0000000001340000-0x0000000001450000-memory.dmp
    Filesize: 1.1MB

  • memory/2948-245-0x00000000005B0000-0x00000000005C2000-memory.dmp
    Filesize: 72KB