Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2024 10:56
Behavioral task: behavioral1
Sample: SolaraBootstrapper.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: SolaraBootstrapper.exe
Resource: win10v2004-20240709-en
General
-
Target
SolaraBootstrapper.exe
-
Size
1.5MB
-
MD5
fc883c9c23018f529b6df57a37752ee2
-
SHA1
5f144d9aa5c24c309baf6b2a6b9975795bfc5795
-
SHA256
84f0cb45e1f9d6f73ff0033ecc509cf19648a546966e381f227d89bd2ab5882a
-
SHA512
5c29d4ef5194455d662d04be687c5fd7923071991ec792e623bf58e299cd4a64a60d3193699eb16cd3f4395a87f579f19f3925d948cd8bcaf37a28439d1e5ca4
-
SSDEEP
24576:U2G/nvxW3Ww0tAcd/ADwvjwqeGOu98QhwrY//TgvCsOtZl8PeZUY:UbA30AG/ADp5G38U7xsOtZl8GH
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Processes:
resource | yara_rule
\bridgeChainPortRuntimesvc\blockWebmonitor.exe | dcrat
behavioral1/memory/2804-13-0x0000000000E60000-0x0000000000F92000-memory.dmp | dcrat
behavioral1/memory/2264-52-0x0000000000230000-0x0000000000362000-memory.dmp | dcrat
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
blockWebmonitor.exe, blockWebmonitor.exe, csrss.exe
pid | process
2804 | blockWebmonitor.exe
1864 | blockWebmonitor.exe
2264 | csrss.exe
-
Loads dropped DLL 2 IoCs
Processes:
cmd.exe
pid | process
2704 | cmd.exe
2704 | cmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 7 IoCs
Processes:
blockWebmonitor.exe, blockWebmonitor.exe
description | ioc | process
File opened for modification | C:\Program Files\Internet Explorer\fr-FR\dllhost.exe | blockWebmonitor.exe
File created | C:\Program Files\Internet Explorer\fr-FR\5940a34987c991 | blockWebmonitor.exe
File created | C:\Program Files\Windows Portable Devices\smss.exe | blockWebmonitor.exe
File created | C:\Program Files\Windows Portable Devices\69ddcba757bf72 | blockWebmonitor.exe
File created | C:\Program Files (x86)\Windows Sidebar\winlogon.exe | blockWebmonitor.exe
File created | C:\Program Files (x86)\Windows Sidebar\cc11b995f2a76d | blockWebmonitor.exe
File created | C:\Program Files\Internet Explorer\fr-FR\dllhost.exe | blockWebmonitor.exe
-
Drops file in Windows directory 2 IoCs
Processes:
blockWebmonitor.exe
description | ioc | process
File created | C:\Windows\it-IT\886983d96e3d3e | blockWebmonitor.exe
File created | C:\Windows\it-IT\csrss.exe | blockWebmonitor.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
csrss.exe
pid | process
2264 | csrss.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
blockWebmonitor.exe, blockWebmonitor.exe, csrss.exe
description | pid | process
Token: SeDebugPrivilege | 2804 | blockWebmonitor.exe
Token: SeDebugPrivilege | 1864 | blockWebmonitor.exe
Token: SeDebugPrivilege | 2264 | csrss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
PID:2112 (depth 1)
Image: C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
- Suspicious use of WriteProcessMemory
-
PID:1896 (depth 2)
Image: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\bridgeChainPortRuntimesvc\KYWZumt8BUk9utkyDTH3KdoPURzn.vbe"
- Suspicious use of WriteProcessMemory
-
PID:2704 (depth 3)
Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\bridgeChainPortRuntimesvc\NzJd90omClmvnpBTnUNvAmh.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
PID:2804 (depth 4)
Image: C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe
Command line: "C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
PID:1864 (depth 5)
Image: C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe
Command line: "C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
PID:2264 (depth 6)
Image: C:\Windows\it-IT\csrss.exe
Command line: "C:\Windows\it-IT\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
PID:2600 (depth 7)
Image: C:\Windows\system32\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "
- Suspicious use of WriteProcessMemory
-
PID:1356 (depth 8)
Image: C:\Windows\system32\notepad.exe
Command line: notepad.exe
-
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:4132
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:4368
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:4836
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:4692
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:4604
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:4044
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:4784
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:3144
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:4476
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:4280
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5128
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:4424
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5164
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:2676
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5204
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:4980
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5240
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:4764
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5284
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5144
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5316
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5180
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5352
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5220
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5388
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5260
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5424
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5296
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5460
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5332
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5496
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5368
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5532
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5404
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5572
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5440
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5608
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5476
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5644
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5512
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5680
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5548
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5716
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5588
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5752
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5624
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5788
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5660
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5824
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5696
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5860
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5732
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5904
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5768
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5936
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5804
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5972
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5840
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:6008
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5876
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:6044
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5916
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:6080
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5952
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:6116
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5988
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5192
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:6024
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:4332
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:6060
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5176
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:6096
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:4892
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:6132
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5568
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:4964
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5544
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:4388
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5928
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5344
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:6036
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5364
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5452
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5708
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:5328
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5692
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:6164
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:5836
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:6200
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:6072
-
C:\Windows\system32\notepad.exenotepad.exe8⤵PID:6236
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:6092
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:2656
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:6180
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:6216
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "7⤵PID:6252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\bridgeChainPortRuntimesvc\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\bridgeChainPortRuntimesvc\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\bridgeChainPortRuntimesvc\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
Network
MITRE ATT&CK Enterprise v15
Downloads