Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 00:28

General

  • Target

    JaffaCakes118_c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3.exe

  • Size

    1.3MB

  • MD5

    b06e5273a5b927e2bb0ec418593825f0

  • SHA1

    6783c78181fa0d3cce62eabcad7625bc4ba99960

  • SHA256

    c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3

  • SHA512

    da0d71abb833e373671ac49223e06d22aa269f4e6b47c74ef1eac359e27fa687cbb87d35e4edacd295ad7b46c36f2636fcd34ac878959ae96c2d11b04792470b

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:276
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\TermService\0409\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1636
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1484
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2580
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1580
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1556
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2212
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:400
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3052
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2904
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1896
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\WmiPrvSE.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1860
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:916
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3068
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2512
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:588
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2100
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:668
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2268
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1216
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2152
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:616
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TtorTJJJT1.bat"
              6⤵
                PID:1228
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2488
                  • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                    "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1832
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
                      8⤵
                        PID:960
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1412
                          • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                            "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1316
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
                              10⤵
                                PID:2116
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2628
                                  • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                                    "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1964
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
                                      12⤵
                                        PID:2056
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:2924
                                          • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                                            "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2052
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat"
                                              14⤵
                                                PID:2144
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:1596
                                                  • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                                                    "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2528
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
                                                      16⤵
                                                        PID:696
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1580
                                                          • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                                                            "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2628
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
                                                              18⤵
                                                                PID:580
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2932
                                                                  • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                                                                    "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1536
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
                                                                      20⤵
                                                                        PID:1664
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:484
                                                                          • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                                                                            "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2436
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
                                                                              22⤵
                                                                                PID:1628
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:1016
                                                                                  • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                                                                                    "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2496
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
                                                                                      24⤵
                                                                                        PID:1868
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:1800
                                                                                          • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe
                                                                                            "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:3052
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2700
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0409\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2836
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2764
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2652
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2584
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:580
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:3008
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1212
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1968
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:2640
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1832
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1692
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2508
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2028
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2396
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:704
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2928
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2500
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2268
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3056
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1752
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2248
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1316
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1524
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1652
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1416
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:352
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:276
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1544
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2812
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2300
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3060
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2696
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2196
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2676
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:2660
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1560
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1736
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2820
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:3000
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:892
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2568
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1968
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:2744
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2496
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:828
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1568
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1304
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1740
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2940
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:356
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2564
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2544
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2932
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2824
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2296
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2112
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\schtasks.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1932
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\schtasks.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1912
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\schtasks.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            PID:912
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2396
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1444
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2360
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\csrss.exe'" /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:904
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\Engines\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1760
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /f
                                            1⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2976
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
                                            1⤵
                                              PID:3048
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:852

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\088424020bedd6

                                              Filesize

                                              797B

                                              MD5

                                              297937623fea081eabd4dc4cef747315

                                              SHA1

                                              1aef54e791d5b40fd6330b2639c7574aa84bd6c9

                                              SHA256

                                              495a4ddd497d35134f7f900803a3c62b6f372da99c227c73c4b839d83257fe99

                                              SHA512

                                              3acb4a79dfc9c26fa9069d7e8ecc9b55a3f19e1634a58f299894063a13645ae917bdf4deaeba468524f9c5ad6147a1ae1a0956c3bc0e02cca3f3fef5baec295d

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              4afd1f4067ac8e6585c86c95894311fd

                                              SHA1

                                              1e6efeccd2c995897aa1b85c2876f61ec4d0791c

                                              SHA256

                                              a9215619013ab0ebda4f53afd7aa83133b1a7b09d35f09c997c63429668ad761

                                              SHA512

                                              909e70e3c28a1388cb5efc9dbfc57ddd909f928de3cee46213a803a0f9a8c409f43d616bcb8af9e4e1b9b98e2337c07456c04f105239192bf7eac66ad7f98efb

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              7ea6c6a1c5766d49806c122053095c47

                                              SHA1

                                              ed2e952a562d1e719af459cbd9e2957a023098b5

                                              SHA256

                                              115a752a14878f24eb1b35c44c4a6223e9907cfd77aca1ff30cadcb4d0cbe89a

                                              SHA512

                                              19cacde35ce4f0e61c406114a6dc55d3794d5d640947551ad210acee0543bb398663704b13ff02f900334c88547c68520acf61930b470f5e586eb4194d9f011d

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              c30d68f6da60497375441d371c264bd3

                                              SHA1

                                              419e12d54d2a6a86c7b82e3e9b118b551f99bfad

                                              SHA256

                                              8734c2b93c1cbadecae62640b46a6cae11f97dcb55a1ebaa41dcc3045c5e7f81

                                              SHA512

                                              c80e874a5d169d5a9f442abf10e8ee34526c0a44a474b2f6007c698664c9d1c3cfde076b3e43539a52d2b5ea4796eef538e98c3f1287985748de5c0f331b7866

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              1f1707146b6bc7363273dda6096319eb

                                              SHA1

                                              166aaaefd93046db6c878396e69b34bbf2dd2665

                                              SHA256

                                              63a37aff48308b98513095c50be7260b8e3e8b1830ca0c225aaeeb00cf93d68e

                                              SHA512

                                              9a913f2d41f2349bfad880fa6c51d4119585b1861a97480e21b85a44a236501e0b15afe9556c0950ad3280581651782305b56e1bdb52996613a3ce235b75e652

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              ec287c644b52d87f6c71aebd5a411cde

                                              SHA1

                                              fdbd889acdd14ea4d836764e70010c983c289101

                                              SHA256

                                              fdde7951f38b90cf77f452ac5fa74d98f462b1f6ee607837d2bb62b59de1f808

                                              SHA512

                                              b8e0ad1cf0266bb7d27534f032c6edbaaef0c029eedf2043fc42ddc2778cddd10e16376db35bbb164f94c9803b76e7ba0ca2a14088d490acd50d0a121c622a05

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              2aad25428de0865b013b9fbf75d17898

                                              SHA1

                                              9a39c94932bb970408f6c5a077178d9ad9f06af7

                                              SHA256

                                              245842c91cb0d68a968e1b1c51f2603c3bc241b9112ea846514bc8903c477688

                                              SHA512

                                              ec64b88148a1af620ceb07de2b9fa57cb3997debe4c649385c7d83a262c492cbff9c13b4f61b88998d11f8b925df38fbe520f4180280acaddb9ab25f32f1a581

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              e29197c3eb7497fcb7262731632cb0c2

                                              SHA1

                                              a9146e8f5dcb8cb4b8f75df27d46972bbc631921

                                              SHA256

                                              83f152069edd899c6900b6466fc002ff07a540d7c8eb34e71a134ff9b5812006

                                              SHA512

                                              734c4434235ce96fa3e528270e24e5e49068d3113d739491165fb6c1a5241a9fd92bbbe37d201f8d5dbe2e099f7b9a534579daf14828eff97be0e7ed2b94bf6d

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              c13bbb7a92f9bbc7b676c1b4d016c963

                                              SHA1

                                              530ae46d59c3678e99353ba75b4b1f38bba136ce

                                              SHA256

                                              e4ba96ab0c0c44d60c184a0a3031a1b8aeb694272dcd1cd6e4f8c66eefefd4ce

                                              SHA512

                                              7d7008c881afc9b08d07e477536e36687f775d6fdea8504dff596dfc825f15b523fd78354dd84fbcc4c17ba51ad5d11e75cf64f007aa513a2c34444ba48ce5cb

                                            • C:\Users\Admin\AppData\Local\Temp\Cab30F2.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

                                              Filesize

                                              228B

                                              MD5

                                              692746246498a6b24b24863ec621b5d4

                                              SHA1

                                              22da34a80191ac84a951251f8130cb0fd000793b

                                              SHA256

                                              836e26a14c644753db2797699246ed6b7750a885a7a4943b819d2ad4cd7c90d2

                                              SHA512

                                              c3a95a3faa4109d41f3e77b3ada06c5988aaa15e1a7da05523d51e14eb8bdd94150611cd3693962f204de4eefaaed77a9067e9ccda6941a781af1b37d1c521aa

                                            • C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

                                              Filesize

                                              228B

                                              MD5

                                              90216e36ebef85f39006c30d1c38881c

                                              SHA1

                                              2f330789f588be4d6a59b72ecd9c2efa7f959dd7

                                              SHA256

                                              90d7a65602b5c4a87204fcfad4187bdb38a79c426d79f396cd19173c62c9d3e8

                                              SHA512

                                              4edb9df1964e259e25207dd123adce1c3cc9baebf2f31006d2649cc7f12c7d81c4b4cd4a93ebd8f575155093db5d98695ab98ad25001db99d2a813ff6178b8cb

                                            • C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

                                              Filesize

                                              228B

                                              MD5

                                              854031f1c5e676d7f1e19b26d3d88a88

                                              SHA1

                                              7435c8aab0d49df71043e42e7e28fdf48bf6d102

                                              SHA256

                                              e424abba72886415ab3089aadf038a2679164abf48bd9452b8389ae4e2737539

                                              SHA512

                                              27913d9c477f8aea727f2adaaf995580954da034377c5bf2fa7e98a07315d23cd2f7c5b77b0e74534476d55a06d89cdb93bcb80699ce55212bf0cc7f4132eca1

                                            • C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat

                                              Filesize

                                              228B

                                              MD5

                                              c4a700b0075ba3dd2050bbe3c80305be

                                              SHA1

                                              f5e75834a0efca863bdc30e7cecb965bd463bf1a

                                              SHA256

                                              3799e613fc0db0f4782a15a8c084c156d48923ccdfef52f377cde03e88c40c01

                                              SHA512

                                              7a9d74e91b01ca7fe3f84d432ba5cc978ba391b8b9a6ad0d673c961d13a07584f99cc942a484df80d8dbe35f8a932724c2df950344c90d8808d0e89958cf0867

                                            • C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat

                                              Filesize

                                              228B

                                              MD5

                                              5dd9ac85159decacedafe337e52f93b5

                                              SHA1

                                              f477f2acdfe9d60ffab37d5ea7b4f8410eab768c

                                              SHA256

                                              8fb9f3e575e04470be2a2e0b7db1b8497b3f149a0949d255cb1fbbc5d63e6d65

                                              SHA512

                                              e62f258d4ebe31daf7006a6b98a00b04d705e3afa1b7354fae3fcfc9348731645591f0394b655d8d3c3b734b7f93d73114102a61c1e68aecff07658673cb565b

                                            • C:\Users\Admin\AppData\Local\Temp\Tar3114.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\TtorTJJJT1.bat

                                              Filesize

                                              228B

                                              MD5

                                              c6ea9035e23a56d5540a74f5390cef71

                                              SHA1

                                              26d6688ece79b5f242830d6afc63eb7bf35f2bf9

                                              SHA256

                                              fd6cb32d4c41d8e11b7b73bebc5a51ecdb528d4fe682e3e0881f1f1bdd81e889

                                              SHA512

                                              572763a13c8c918c412e17928a5510ecaa080b79a5146d9179f006dc05b9bb60da5789ce6bfb56ca68e5ed1c1c8720f4f4ecb72f6f7acc252acf3ec242197dd5

                                            • C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat

                                              Filesize

                                              228B

                                              MD5

                                              941346b9f2ae5a3f9eec76cde06da940

                                              SHA1

                                              7e0d1a2e0daf32f3f980c7f990b74b3e806ff854

                                              SHA256

                                              582b7186ac967aefab10f199310dcfafa2360412c08568365645c3716da64812

                                              SHA512

                                              4a5cf5a67f67f1de8397ab5403d27219fb095949216f8ed24d2e18d5326d6e8b270bb226ee811a584703bbab4fd841e7e2e5aecfcd2039dc105c8aad2b696668

                                            • C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

                                              Filesize

                                              228B

                                              MD5

                                              d7b33d32a4e376a3ef244d6737290a59

                                              SHA1

                                              e84f3b88c638e6223a0b029890bd2ee5648a2345

                                              SHA256

                                              f8e06c38b9bf03daa8468e0e0000fd6350563df88951663a25a99c70cfba6b86

                                              SHA512

                                              caa6a6c791e17bc9e608285d00835544d056a2126968e9612ceb17c8936af20d0b026232e98bc47605b15f397d675451a5f1cb6761d08b8381f1b0427812d6b9

                                            • C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

                                              Filesize

                                              228B

                                              MD5

                                              d41f815a43d3dcccbe3758e57dfbd748

                                              SHA1

                                              a0030fcf6b1aa046b310da35fad44e9e52346ab9

                                              SHA256

                                              606e1f32ce184c29419bbfdf787094915c61a0f9a82337cdcef3e5d5ab8f1f46

                                              SHA512

                                              b9b3062a17959d21fa0d3cc7740f43be9cdff4b37dd5ae7049b93271f184281438d9061657b9ed0693c34d9c7c68959543d9de77e9dfbbbddd9d72b01a286843

                                            • C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat

                                              Filesize

                                              228B

                                              MD5

                                              3dcf11df5525ec34038d7bb3aeeaa2d0

                                              SHA1

                                              0444cd55e8cc87ae8891d15b9edc7535b7450b60

                                              SHA256

                                              05a2b3f87f8b54e414f022d585942a9b294546e0e7e7547ae3d3cecdee001d54

                                              SHA512

                                              7ec43ee17522619694c0c96b9a7c4c840001743c116e155bba478fe07ad1267f55e326ff17bb3318bae45a25e471b565efc8707b60d050cfebfae96880b055f7

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                              MD5

                                              b584a580b4abdc5513ff32e65f80fba6

                                              SHA1

                                              0b1c102e4b3022f4b8c5ab39be627a0e6a80399f

                                              SHA256

                                              73ad0a14fb8efcc53089473f68747dcf8badf9160ec7e857fcd60fd5cd219a83

                                              SHA512

                                              f46d70ed6d275e65cffe7c7682054c0c99d3f8d4e46d45e3927742bd9c5ffbaf84ac44eb95d597a6ae4d7d9460bddebd93ccabe54787e8baac0fe90a96046f6a

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • memory/1356-54-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1484-112-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1484-111-0x000000001B810000-0x000000001BAF2000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/1536-566-0x0000000000240000-0x0000000000252000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1648-44-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/1832-210-0x00000000013E0000-0x00000000014F0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1832-211-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2096-14-0x0000000000440000-0x0000000000452000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2096-15-0x0000000000450000-0x000000000045C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2096-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2096-17-0x0000000000480000-0x000000000048C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2096-16-0x0000000000470000-0x000000000047C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2628-506-0x0000000000140000-0x0000000000152000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2880-60-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                              Filesize

                                              72KB