Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:07

General

  • Target

    JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe

  • Size

    1.3MB

  • MD5

    44463f70262232632b8df6fe85bedaa6

  • SHA1

    8d768325f168d80e73c473fa0379b2515913bbc4

  • SHA256

    714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d

  • SHA512

    b72eb57add3789d0932886e050ffb9b032d7ed5931b799d118ccc30d87108e10d06cb8a16c753a41521bee0d5b1c078cdbb5607c68bf87d0ccd823c900d664f8

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1084
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:404
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1692
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2712
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1812
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2392
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2376
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2304
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Assistance\Client\1.0\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1284
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1628
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1084
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\Idle.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:672
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2856
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2960
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2232
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:548
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2728
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2900
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2464
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1868
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2440
            • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
              "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1664
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
                7⤵
                  PID:1384
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2228
                    • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
                      "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1808
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
                        9⤵
                          PID:1788
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2744
                            • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
                              "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1044
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
                                11⤵
                                  PID:1148
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:2948
                                    • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
                                      "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1636
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
                                        13⤵
                                          PID:2780
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:3036
                                            • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
                                              "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2456
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
                                                15⤵
                                                  PID:3008
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:1608
                                                    • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
                                                      "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1928
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
                                                        17⤵
                                                          PID:2392
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:1364
                                                            • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
                                                              "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1432
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
                                                                19⤵
                                                                  PID:304
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2292
                                                                    • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
                                                                      "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1360
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"
                                                                        21⤵
                                                                          PID:1336
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:2832
                                                                            • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
                                                                              "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2712
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
                                                                                23⤵
                                                                                  PID:2620
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:2156
                                                                                    • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe
                                                                                      "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:2660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1444
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:864
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1676
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2052
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2360
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2068
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:784
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1752
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:2136
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2688
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:560
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2808
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2764
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2124
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1940
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1804
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2940
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2372
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1160
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3000
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:1328
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1152
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:344
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:1544
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2852
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2796
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2868
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\en-US\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:1092
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:280
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\en-US\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2792
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:1576
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:1736
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1044
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1656
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2388
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3028
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2268
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1712
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1948
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\powershell.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1200
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\powershell.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:2260
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\powershell.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:784
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        PID:2640
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2068
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2708
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\schtasks.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2408
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\schtasks.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:556
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\schtasks.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2564
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
                                        1⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:892
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2288
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                          PID:1156
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\schtasks.exe'" /f
                                          1⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2236
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\Default\Favorites\schtasks.exe'" /rl HIGHEST /f
                                          1⤵
                                            PID:1324
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\schtasks.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1708
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1620
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1372
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2064
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1672
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1384
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1612
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
                                            1⤵
                                              PID:2740
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:780

MITRE ATT&CK Enterprise v15

                                            Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  (the same CryptnetUrlCache metadata file, rewritten eight times during the run; each entry below is one version of it, not a separate file, and none is a DCRat indicator)
  Filesize: 342B
  MD5: 8923978079ca2fdcde06b7ef79079f8e
  SHA1: 9ce35e3accec667162a182785c792e42da05e59c
  SHA256: 7d40ca513814bd530e857952a97a97213218de080b30cedf9c23997381fef89c
  SHA512: e71d3adc7f1a8fdd461fcb3334073bf3e5c92b1f5623dd94b6b0c7565abfdf90c191d28a9d7aa1aaef5f60e0582b986c698005874cadb428366aa52d3970e26e

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6306165e543a62165fba5e3ac5a71e8b
  SHA1: 5068d678f8f4d7a8abea79cc552b2bb185dafa5a
  SHA256: 598d6c4e5bb6a4628cec40806f610e125fbba78ef64459c39a00cfd4ab5eebc6
  SHA512: ead0ec2078fe3e87398ccaeaa08645b08174e76655850d7fae928b394ea4802e6b910f3db3770cd9fe0a396c089cf1393b690de929d932e541b1c7a84103bb80

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2fb6a275ba617769c26df51ea513dc4f
  SHA1: 175dc83b82ff58cd28be36927129d1e9ccad827c
  SHA256: cbc5ad920a1aaf4f09326af32839df963315ca4fb514a3928cd9a56d57b5f8ed
  SHA512: 137eaa011abbff9c098e423133d6b397dd4f2d7f2598668a57fd6c9c82babf774bb82678c5ffaf640ac8bb53e2a6749572f3533290770b26678b9f538ecd6882

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0c9113a9433c0123cfe4d5ebe0730014
  SHA1: 2c3bc0fb69db0819e662d50f74e7bdb47d400a38
  SHA256: bc9b2613d37ff1742b86d3cf64bf40c4807a597e39da3bb17be84c1febc25759
  SHA512: 8b0d70b74f38e83d071ea45cbf3c129d3421bd49ca49ebd3b268f1ce1ede9640f49ef575ae934cae65e55be43ddf62bd450ad7ad7717494c34a3b42cd6d46f2b

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fb7c9b796d9ed3ad43369e7c66e1adbd
  SHA1: ed0960c2912c9e08497d00dcd86fcfa921881a6d
  SHA256: e8e4d0bcef4a9f7ff14e1c68b3469028fba733fa32a8a1b2793cfea1e32a7858
  SHA512: 529ef11fde775b1e9b0d9545623927918c862711cd5622e553ff47f8d0795ad1c7125c974252f76d9db067285ab6c134641cf317463ab764b09dc48b1318738a

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 991f6b8b5f770a9e32288cf907b6c70a
  SHA1: 0fa72721577d08bc990b812a165e274052735e53
  SHA256: cf795060fedee17a84cd2a76f5a76a9ef9851bff421667e85b84140796c02354
  SHA512: 898867b367bc8f9d7ffef98907ea095348ca03ecd47a9f5f8a1321a204ced2677f2864a07069c9ce1441a2c31875f195b45b978f3b6e12d5bba6dc6741a1c6aa

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b918ad6d2f30846f0bd32f69a4ef9643
  SHA1: 786ef7fb11b85d430aa00ceb6d0a09a0aced6929
  SHA256: cf6b1ba3e1743c3ed0543895538254aa3e27ede0e0d91dfdbb9978f85c582235
  SHA512: 25128e5a2533065c0e84933964663fa99bc1db80071ed8a9e9efc09648f8397bdb35e770d524339ca814e4a77736b0185b33d3e3ada7f23de39ab1a2ae440c22

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7d1da2a199c16b07645abfaaa0eadaea
  SHA1: 7225df8db01ab317c3312ffa5ce9ccbcb210119e
  SHA256: 5bb39bd0a0be86f736eb3ba89cd244620468c9b6ed99eb1f93a21912f8f66558
  SHA512: cd89ef007a654cb3bbd5073395085dc3a3758fb0be4ff614418c6d780f515cc41083e00aab15c20bec8eb6b7bac6ffba36e52e653c9010c168606d22259ae8e2

• C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat
  Filesize: 226B
  MD5: 889b5adff70b39dae91aecdede7eeb12
  SHA1: ede5dc283dade7e5aecb641324bdee69c9911882
  SHA256: a4281bc9acbd5f2a128eaa72868e102ff44292f0ec51c84681762a53a83900a2
  SHA512: 1b3f41e8f0ba5bc3d53d042d3f7e9cfec881345475cc83bcd56c3ac89774c512047a70b5b0833133dbf4ba9afbfd8c54eff81bb997066dcc15e78da22488455d

• C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat
  Filesize: 226B
  MD5: 9bb9b3d69a9674a9fb6a219b8a5a8806
  SHA1: 38c906a723a673e99f7cbe276a5bda5972aeb83f
  SHA256: f8b39b7e9952aaea3a6381c1e7c715febc2c2fe53e4dbaae7422a236aa6a182e
  SHA512: d9d19e8c64963aa589cdf48a0205192816b3bc6daf3ebf5404c5141bd4d6b0ffb519ed1693a1ca797c5595b64424ce0fe48f10b5602d64b4cf375853dd00a753

• C:\Users\Admin\AppData\Local\Temp\CabEFFC.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat
  Filesize: 226B
  MD5: ddeeca7fbec6b47b46a4c283e5dee373
  SHA1: c88908ae64353b192817e6f9d27c056d9c8f35c0
  SHA256: 2fe62a06597f14dec529264ad951702e159f84d55fd61b3216e8c6e07a09fcdc
  SHA512: 597e3a96a6924a5112bb2d2ec3307b1a50378fd62ee9033905153da6e6ad389958cdd854a9de747750c3355090c3dd3fe7066e9b4b7fef66f345aa270992b075

• C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat
  Filesize: 226B
  MD5: 59435549eb60be39624e1a09508d9388
  SHA1: 2d86ba8deea68df146f86836e9c1981e5853eca2
  SHA256: 693c16794c2a4a33f647d19de359d04327c227cbf78ee74a1a6e22ac98b316b2
  SHA512: 454b8af2e02785421d150087f9d91545297e99ae3939526af0a41b1930cc3812c6c8a946a2fcb1b2cbe523a3d75b8c3c3f036128ea92967bba69ae428acd424c

• C:\Users\Admin\AppData\Local\Temp\TarF01E.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat
  Filesize: 226B
  MD5: 4939a74e08decaab58f4e116db3ffc68
  SHA1: 9c816318df02b2a9615e90c5c7ecde56568ca06f
  SHA256: dd1687a0c8b2295fa7e005ee511da379dc12ff63de9880ed72a54a53a2bb247e
  SHA512: 6a6d7cbc15442391b0454035888d4f84a0dde6f8e60a6c1789fa79834eddbc6c5a021665f0ab9f229621064d382b27c0ecaae5e6811eb35e7e4dc692d4d1ea34

• C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat
  Filesize: 226B
  MD5: 7fcc1fad2432f57e4bf1ced7f0b29ea1
  SHA1: fab1c5a54beb4aaba8544f8803509efbf786168e
  SHA256: 964698e6396773714043e19a825a93500d2dc88a4752ef3953fc6113776b0c38
  SHA512: c22c3e6543dc74d96ea8770a10ba68b57a3fd81cd387822d180818f8ba983f205082e70ecbaceb0ac75a4ac7a67b28cbbda81948e8a26833cc935655f529bb46

• C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat
  Filesize: 226B
  MD5: 3515df03746acd24dddb9cc2e94f679e
  SHA1: 1fabc40318857583f7abc6d7f835181deb801433
  SHA256: 2be4e256361bd79d6fd6bca8cd64fc19e07f98be45c5392c72eab445b162ba5e
  SHA512: f7fc4a2d9f5f75ed4c569c072d3c1507a2913e48c0390ad9878aa2651a67fa62daa5a6e15cfdfee6f908786dc84b9f945dc28ae5826598e2aa3fb02ae3e29094

• C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat
  Filesize: 226B
  MD5: 1003f4dc17015e038df19de32974f85b
  SHA1: 2aca46dc99405ddb8b9a21dfe5e8ecf846afd929
  SHA256: 37f0318cb2cf51447ef65832ec90db17fc7d51325b6feb792d74876e02758c1e
  SHA512: fe94b03b90a9a2cb7a33579a2ff7e871720f32e4d35857bba1e91d3734a0a1739ff2feefcfe366cfa90d205b63e82d8675afd293717c017e53de3f61160dbd82

• C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat
  Filesize: 226B
  MD5: 83f0829f817013ed22a32d5ca2b9d2ee
  SHA1: 6d603f63867041defdf9ea1eb9c4a1bb32c653ea
  SHA256: 312f8a89f2a22c283bd4e0dc5074b435658e60362c7da2b9f48b559af495b7ce
  SHA512: 188982560179d078b995c8263df6cb9c4ce70430ac70900c2b2bdd72b750f181fd1fc35a49f9528a8cde409065cbff8e1c3c84784fd7b8e6f4cb45fbe5de430c

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 39ff4e3cd3b1cd2c0e02b9b4c16d6afe
  SHA1: 6b84a391444da3ce5637e0771f534bc550c146e9
  SHA256: 087b329f887365d8821e2d19518d021232ac73c5e1b186e907fbdb7a91e97b56
  SHA512: a8089fb65dce906749ed7474c98c81b1184782fe6b26edbb25b96cd853bc7a0f5d88f3ad8a1a7e87dba63a050ac99d83d6740af7533cfdb1f15f1d1f18c54d51

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 14887623ea4723bad5c833c1d18d9b8b
  SHA1: f64c22a324257b5eff7759b6430e2f269d13d210
  SHA256: c1ff2386a79de4ea186911cbff8d251ddd813c8ed6ad53d7303e7b331e8aae05
  SHA512: f400f6ba8d2fa387f5a58c78aa5f18e045f14870aa2121bd4656554c87a1ecd03b148e76d9d61d869f09c3682013286b23a6c0e50dcaeaa626ab25447f71d976

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/1044-343-0x0000000001030000-0x0000000001140000-memory.dmp (1.1MB)
• memory/1084-42-0x000000001B730000-0x000000001BA12000-memory.dmp (2.9MB)
• memory/1084-43-0x00000000022D0000-0x00000000022D8000-memory.dmp (32KB)
• memory/1360-640-0x0000000000040000-0x0000000000150000-memory.dmp (1.1MB)
• memory/1360-641-0x00000000004D0000-0x00000000004E2000-memory.dmp (72KB)
• memory/1636-403-0x0000000001300000-0x0000000001410000-memory.dmp (1.1MB)
• memory/1664-152-0x0000000000B20000-0x0000000000C30000-memory.dmp (1.1MB)
• memory/1808-283-0x0000000000230000-0x0000000000340000-memory.dmp (1.1MB)
• memory/2712-133-0x00000000027D0000-0x00000000027D8000-memory.dmp (32KB)
• memory/2712-131-0x000000001B5D0000-0x000000001B8B2000-memory.dmp (2.9MB)
• memory/2712-701-0x0000000000DC0000-0x0000000000ED0000-memory.dmp (1.1MB)
• memory/2884-14-0x0000000000250000-0x0000000000262000-memory.dmp (72KB)
• memory/2884-13-0x0000000000E80000-0x0000000000F90000-memory.dmp (1.1MB)
• memory/2884-15-0x0000000000260000-0x000000000026C000-memory.dmp (48KB)
• memory/2884-16-0x0000000000270000-0x000000000027C000-memory.dmp (48KB)
• memory/2884-17-0x0000000000580000-0x000000000058C000-memory.dmp (48KB)
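The dropped-file list above is the hunt material this report actually gives a responder: the staging directory C:\providercommon with its .bat, .vbe and DllCommonsvc.exe, and nine 226-byte batch files with ten-character random names in the user's Temp folder. The Python below is an added example, not part of the sandbox report or of any vendor's tooling, that turns those entries into a host sweep. The SHA-256 values are copied from the list above; the CryptnetUrlCache, jump-list and Cab*/Tar* entries are left out on purpose because Windows itself writes those on any host. The directory tree that `run_demo` builds, its file contents and the name Qx7Lm2Pz9K.bat are constructed so the example runs offline; the ten-character name pattern is a heuristic derived from the names on this page, not a DCRat signature.

```python
import hashlib
import os
import re
import shutil
import tempfile

# SHA-256 -> where the report saw the file. Taken from the dropped-file list.
REPORT_SHA256 = {
    "8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322": r"C:\providercommon\1zu9dW.bat",
    "2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1": r"C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe",
    "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63": r"\providercommon\DllCommonsvc.exe",
    "a4281bc9acbd5f2a128eaa72868e102ff44292f0ec51c84681762a53a83900a2": r"%TEMP%\0uTXzTWsAa.bat",
    "f8b39b7e9952aaea3a6381c1e7c715febc2c2fe53e4dbaae7422a236aa6a182e": r"%TEMP%\9gNv7qRJ8U.bat",
    "2fe62a06597f14dec529264ad951702e159f84d55fd61b3216e8c6e07a09fcdc": r"%TEMP%\FjqlTNZm6T.bat",
    "693c16794c2a4a33f647d19de359d04327c227cbf78ee74a1a6e22ac98b316b2": r"%TEMP%\RnBkS9jGYw.bat",
    "dd1687a0c8b2295fa7e005ee511da379dc12ff63de9880ed72a54a53a2bb247e": r"%TEMP%\a1lJXnITmE.bat",
    "964698e6396773714043e19a825a93500d2dc88a4752ef3953fc6113776b0c38": r"%TEMP%\dk6czFnjgV.bat",
    "2be4e256361bd79d6fd6bca8cd64fc19e07f98be45c5392c72eab445b162ba5e": r"%TEMP%\lE88gYdR15.bat",
    "37f0318cb2cf51447ef65832ec90db17fc7d51325b6feb792d74876e02758c1e": r"%TEMP%\uVUt9EuWwA.bat",
    "312f8a89f2a22c283bd4e0dc5074b435658e60362c7da2b9f48b559af495b7ce": r"%TEMP%\yaFjl1awzE.bat",
}

# Weaker, name-based heuristic: every Temp batch file in the report is exactly
# ten alphanumerics plus ".bat". Hashes change with every build; naming habits
# tend not to. Expect benign hits and triage them by content.
RANDOM_BAT = re.compile(r"^[A-Za-z0-9]{10}\.bat$")


def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of one file, read in 1 MiB chunks."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests:
                d.update(chunk)
    return tuple(d.hexdigest() for d in digests)


def sweep(root, sha256_iocs=REPORT_SHA256):
    """Walk root; return hits as dicts with path, sha256 and the reason."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                _, _, sha256 = file_hashes(path)
            except OSError:
                continue  # locked or unreadable; worth logging on a real host
            if sha256 in sha256_iocs:
                hits.append({"path": path, "sha256": sha256,
                             "reason": "hash matches " + sha256_iocs[sha256]})
            elif RANDOM_BAT.match(name):
                hits.append({"path": path, "sha256": sha256,
                             "reason": "ten-character random .bat name (dropper naming pattern)"})
    return hits


def run_demo():
    """Build a constructed directory tree, sweep it, clean up, return the hits."""
    root = tempfile.mkdtemp(prefix="dcrat_ioc_demo_")
    try:
        os.makedirs(os.path.join(root, "providercommon"))
        bait = os.path.join(root, "providercommon", "DllCommonsvc.exe")
        with open(bait, "wb") as fh:
            fh.write(b"constructed stand-in; not the real payload bytes")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("benign file, must not be reported\n")
        with open(os.path.join(root, "Qx7Lm2Pz9K.bat"), "w") as fh:
            fh.write("@echo off\r\n")
        # The stand-in cannot hash to the report's value, so its real digest is
        # added as an extra IOC to exercise the hash path end to end.
        iocs = dict(REPORT_SHA256)
        iocs[file_hashes(bait)[2]] = "constructed stand-in for DllCommonsvc.exe"
        return sweep(root, iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["sha256"][:16], hit["path"], "->", hit["reason"])
```

On a real host point `sweep` at C:\providercommon, each user's AppData\Local\Temp and C:\Users\Default\PrintHood (the task target from the process tree) rather than at the whole drive; hashing every file on a disk is slow and the report tells you where this loader writes. A hash match on any of the providercommon entries is high confidence; a name-pattern hit on its own is a lead to open, not an alert to page on.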