Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 20:15

General

  • Target

    JaffaCakes118_c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73.exe

  • Size

    1.3MB

  • MD5

    379b61eb87d6a4bad33cf07bfdfad5b5

  • SHA1

    cee4ff3948e36c4e51d7b075d177ab2b4ab0e403

  • SHA256

    c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73

  • SHA512

    7af42f2486111fc14ceffe8805746f49826f05fe267171caa161228166be19f194da877c15b056f5ea3588826060c70cd76a42de6824f95b70a6a8766aec1402

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2516
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3060
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:696
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:952
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2784
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1588
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2220
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2516
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:356
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\en-US\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1636
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2160
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\en-US\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1948
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2064
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2200
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2192
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2408
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1548
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1576
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2800
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3012
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2492
            • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
              "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2720
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
                7⤵
                  PID:1800
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2392
                    • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                      "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1248
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"
                        9⤵
                          PID:1328
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:1900
                            • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                              "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1672
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
                                11⤵
                                  PID:1884
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:1868
                                    • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                                      "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1824
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
                                        13⤵
                                          PID:2144
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:2816
                                            • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                                              "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2528
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
                                                15⤵
                                                  PID:2164
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:1520
                                                    • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                                                      "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1720
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
                                                        17⤵
                                                          PID:2200
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:1608
                                                            • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                                                              "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2544
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat"
                                                                19⤵
                                                                  PID:1668
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:1636
                                                                    • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                                                                      "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1916
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
                                                                        21⤵
                                                                          PID:1648
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:2756
                                                                            • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                                                                              "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2828
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
                                                                                23⤵
                                                                                  PID:1876
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:380
                                                                                    • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                                                                                      "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1896
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
                                                                                        25⤵
                                                                                          PID:2912
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:2588
                                                                                            • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe
                                                                                              "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2904
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1880
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\addins\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:656
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2040
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2968
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2636
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2364
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1652
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1200
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1500
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:1280
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:1908
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1836
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:812
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1776
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2628
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2044
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:796
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:980
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:2288
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2880
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1824
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1876
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:1584
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2772
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2876
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2788
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2824
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2696
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2552
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1760
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2168
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:2544
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:376
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Windows\en-US\powershell.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1480
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Help\Windows\en-US\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2336
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Windows\en-US\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2164
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2820
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2860
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:776
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\en-US\lsm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1268
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\en-US\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2096
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\Aero\en-US\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2252
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1504
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1680
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2968
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2580
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1992
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:2364
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2848
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1952
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:904
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1104
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:780
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2268
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:956
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1908
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2208
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2456
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2356
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1736
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1796
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1060
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:860
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3020
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1364
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\powershell.exe'" /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2060
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2504
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2124

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\69ddcba757bf72

                                            Filesize

                                            395B

                                            MD5

                                            50134e4c947e3402fd0bcf98f88a16e6

                                            SHA1

                                            6c78fab2decc11a562935fbc5bcd63bf466899a4

                                            SHA256

                                            99b293a9d9644ec854a5c3e36c76406b94b3aa0cae3036fa35aef62a335fdcd8

                                            SHA512

                                            2bac6230ffc0c58a216dcd4b4b642f03a2ff5acb6177d38fc8421009c9f5e5325c4748438a8235441488ab276cd4cc76793e067d59da480df22be5582c4e0693

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            394fb8a980e573bceb62b89d94f218a9

                                            SHA1

                                            d68b41a07fc455b749b8ddfc37b1e3f1c007ee2c

                                            SHA256

                                            0af6d74eef2d88d081e4ec77c3c5643ab1c2dfd75ddc42ba8211e01f82ef159a

                                            SHA512

                                            51119339898d10a0441842d7d1acad5e66136824299c9e6fcbb187a625638a12139f4226d374b04c74522eaf9b13c007af1187a0621d79d91aca52d139319a67

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            161083f6042951c1a373dcd4e9133ab4

                                            SHA1

                                            5fffe4b7b6eeff78eef1442006787edfc9b38cd3

                                            SHA256

                                            33dda7dc41a21c0cfc024b04869627a675e73a563a847f8aebddf662386881d3

                                            SHA512

                                            07862a2dbaa02e9f8666cf5357a5bf171cc7672c5f2e619b8109ee66b64035ed9b1c38619c78d918f0170a82654b4d6d389972d48b2a57081f7b8eec28bec6f2

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            004f0cad44a6bdf784fbf0d3c26dea19

                                            SHA1

                                            dcd7a5af9cbabe0e064cc594bfe5b5eb6a7f4f96

                                            SHA256

                                            8dd42d739d2d749c61b0c7351d482a37b353edd955647ba4e6f1d7099231cbea

                                            SHA512

                                            736e082e2844e9b2ee0614c4f1e53b19051155bc1a96856a3593857cb117d7e4c80e67e5f5fdac07eb66420aa8d6df93b10c5fc844e8bd86feefc4bc5bf397ad

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            5dade110371e3db51310568c67e3b68e

                                            SHA1

                                            26545cd396028ffb8b8e181b57dad547d47e225e

                                            SHA256

                                            da6c1da82844452877e4f5014e2e9da10c43964054445d0a956bdd9771d60749

                                            SHA512

                                            42f8409f4cbb7c2feb38d887557ba3249804e65879ddd5a7ea7234f4d2bfc5e64e096d69c735a71168d89f9a0526e3bd21198ca0d23abcb8dcea6770d38e25d8

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            a081b786b6195c06d80d3760ae7fb4aa

                                            SHA1

                                            af276b61fe78deba4d452b7d1ca76b125ae56064

                                            SHA256

                                            10ee6c286d7577316cd9ab2d7d47f8f69001c44ccadfab578a3e6e6babdc471e

                                            SHA512

                                            afd98024abc528369f9f927c4e0aea43a742917da3c9118cb92ace8b21b52c70eca3b4e667228166921737d3869365f520eecbe2e3a1334f19ee9dee9589e6bf

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            48e3684406ee0dbaef4902090a5acd07

                                            SHA1

                                            e91046c81f6b7abd9c1148722a2c805976d29509

                                            SHA256

                                            f0c231de377fa48f5a0a08a1d3687c7a0b8865c4456bf6dd0335087340d1d446

                                            SHA512

                                            4befed4ec5e8d9091d4a6fe7484489b5a2f90142cbb242ccd52197e6c0bf4350d138e3e296b343b77741e7bd9cd7b25d53361969e635d4fb5969245cb77d21cd

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            fafe80d9b70e7b746bfc792a2f593dfb

                                            SHA1

                                            6aca96af41c14f163507e09afe096fd41500e9e5

                                            SHA256

                                            6b8d584b11ab1eedd4fcbc90431b545278a3f29c145b85b5d039ff96f5ec6bb8

                                            SHA512

                                            82157c0ee555e597bc4c23a335bc4112040ea8bba0a2427985f5ce9a6bd4adf936047ae8a48981e75e535be4e4a50fa18ac29f42fd50318925f3681533d76dc7

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            9c611fef017eff828d4d0ea90ee6dee5

                                            SHA1

                                            a57aae95e062dc49184d115e801302fcdde9e7fc

                                            SHA256

                                            9203f1f368adbf151d4ea5b08e4a994a4cd9fb0a2bbe946006161d8bcc1d29ee

                                            SHA512

                                            93ed0a998c9841f8c2f88c46cdc62a45a3ede38aa247c2f00c882df7cd1bb72b102158904a0f9e6fb4145edf9993b940044d2709ba1727247794901d9eb776f3

                                          • C:\Users\Admin\AppData\Local\Temp\Cab3FEF.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

                                            Filesize

                                            225B

                                            MD5

                                            cac56f3a663e635dde196eca51a66707

                                            SHA1

                                            640faaf7e01742fd991f90020d6848fca4373b5e

                                            SHA256

                                            794d57efe9dc494fe5a27cf810a0eb647507328400335ea7681c020df860f6ad

                                            SHA512

                                            06264d6e502ed498c7b2e0218718cd36d67a071eaa542c52f3b3a0e0f8ac1450cb5a29361355c8d579feb5cf8c95b78b6127b2da8a376494b937b404da34e03b

                                          • C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat

                                            Filesize

                                            225B

                                            MD5

                                            7e860b459ed16d8ab72f7fc001a24539

                                            SHA1

                                            5c0204d4bca44c81df34a10cd68f6a2c9b65c179

                                            SHA256

                                            1295948ae5b3aae97d9c1051e892665c5c7ff4c569f75d2f794d1de12d07fd6f

                                            SHA512

                                            52f3ba179e683804c31a2d778e3faf35b4aa248573f1cfd2f7b88ad79311fbb832df6cdf9797ef5b1a47726468cdc6c8fd9178fed7df9c98c3b644a66c6a7016

                                          • C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

                                            Filesize

                                            225B

                                            MD5

                                            2084b578dff7b3bb82b76baebd03ee56

                                            SHA1

                                            3a00731c25dea5cb7bf160cd31fc71fdcb1ed09a

                                            SHA256

                                            d035863e95b356a563a91e5e02f3f76fbf8d8fa85f6ce32bf77256e68bfb8fce

                                            SHA512

                                            1a4f4b68608d033b7336c2c7498afacb8fadf7602c654c5a2afaf5dbae141c53a71795394fa2460e4a8c12b9c3c68444d360b90dc4aafd8aedb65af0951d8017

                                          • C:\Users\Admin\AppData\Local\Temp\Tar4002.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

                                            Filesize

                                            225B

                                            MD5

                                            2899349e2670c0dc507c66edeb65ce34

                                            SHA1

                                            dfa07d7d2ed98493521ee6e85e3ee8bc2ed8a99c

                                            SHA256

                                            9c17043d6968ead32aab02e6449e2761961a1ece5a3f3e5ed93737e954c77c2b

                                            SHA512

                                            7b04ab68aca603aa78fc69d0940eb2a8885ffab3d0b28be9565189f7f7551bd8109614f7bc9aeb1ae61bb24c7ad7e22097e3e693aae1c3e2584dbfcf358a6523

                                          • C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat

                                            Filesize

                                            225B

                                            MD5

                                            94e21149702d129a168cb8e41986056d

                                            SHA1

                                            23ee3778b4e6e1b23a388918506355a016416b9d

                                            SHA256

                                            2ac186827a929e4fc3f8c4a56f60d5036a1a2e51bc057b447c49435e5cd5f7fb

                                            SHA512

                                            b0c61edf5c841b4def5d71be7a06132847a826acb3b2cea9e46744694cd4193f867e9b67220c26e534a040cf4ceba81fec6959e724efaa9bcb44dff0ab86892c

                                          • C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

                                            Filesize

                                            225B

                                            MD5

                                            43ccdcafa5e1a90c15f5255698453dbb

                                            SHA1

                                            6ce18ccb4ad90867edf050862b102055151f8190

                                            SHA256

                                            40f5d052d993da344099f13c2830eede1e53c6dee70a92bf027ab77e832b66b3

                                            SHA512

                                            2773be536cb530eb49c55a4e1c863ad2243adb69df0a183bf45612b17411f7f39f59514a92c54a8cf4e1b890d2273198d4b63eb87654237433bbbf6ac3a0f5a7

                                          • C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat

                                            Filesize

                                            225B

                                            MD5

                                            fbf03a46cfe5ab249649cf4b1f2653c3

                                            SHA1

                                            e2fe2d16abd2d9c969b587e91db50e92364a8bf3

                                            SHA256

                                            81d3401cf67ef0545582ed08e1f9d595152fbf77dfc31d80745548538fea09a4

                                            SHA512

                                            92dfa5483f98d6f2016a73d1d28f207c56e6eb84c5f834e95c1815666d68b68cbce0ea4126b9f273881884c34305953b1bc8d8f12ddc89dae2a91e52792c5b56

                                          • C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

                                            Filesize

                                            225B

                                            MD5

                                            2bd120cddeec4d637c05253b51a7f4f4

                                            SHA1

                                            41c7073a999df7059f8365bca4a4c110c2657875

                                            SHA256

                                            b9696efa1aef4b35a6e56a3b2d84266d6427965bdd3b00c97c717ea20198fe0c

                                            SHA512

                                            6dc1529b3b0a6b2584e6242b81eee0e719988612d9fe90fc14b1a20d748e552c20d814d56b2a67ea09ad68309028b39b1e15edccb333ef3821c17239b241c8bf

                                          • C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat

                                            Filesize

                                            225B

                                            MD5

                                            081da8ea43e45a75e2c85e8c2c9100bb

                                            SHA1

                                            dfb76e151d29a1fbc8253a7c6bf57cc28bcb9bc1

                                            SHA256

                                            16112a469ff0f9c6b3cb274f49fa054d8c31c8acc83f9787675c33c9f0880326

                                            SHA512

                                            717d592da31911e5bf35023aaec6559cd73fad07139e614390574b7e8d188e22fdaee05ddae001a938453e712991f77be68c4a3cfae4458310ffbf5a8e161cb0

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            32dd12cc58b583ded64787d6075ae992

                                            SHA1

                                            dacded7e1e1d7c9a0c20c5f082ed1c92e49131c9

                                            SHA256

                                            752086b9b09776bec69f56c6663172f6f95f8edef943616b4803ebb8c40b4296

                                            SHA512

                                            139427c38ce5054ca015bb9738ed38d53e231860b1b8e119be25e864fdb4e5bfa70520e05bd1c07cc03650387cce2f54a6b8048aea41b0851c57ed0c84654c6e

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/1248-270-0x00000000002A0000-0x00000000003B0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1672-330-0x0000000000E90000-0x0000000000FA0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1672-331-0x00000000003D0000-0x00000000003E2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1824-391-0x00000000000D0000-0x00000000001E0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1824-392-0x00000000005E0000-0x00000000005F2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2220-119-0x0000000002960000-0x0000000002968000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/2220-114-0x000000001B510000-0x000000001B7F2000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/2512-42-0x00000000028E0000-0x00000000028E8000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/2512-41-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/2528-453-0x0000000000250000-0x0000000000262000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2528-452-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2544-572-0x00000000010A0000-0x00000000011B0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2640-17-0x0000000000A90000-0x0000000000A9C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2640-16-0x0000000000A70000-0x0000000000A7C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2640-15-0x0000000000A80000-0x0000000000A8C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2640-14-0x0000000000A60000-0x0000000000A72000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2640-13-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2720-181-0x00000000004E0000-0x00000000004F2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2720-151-0x0000000000310000-0x0000000000420000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2904-806-0x0000000000270000-0x0000000000380000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/3060-48-0x0000000000350000-0x0000000000362000-memory.dmp

                                            Filesize

                                            72KB