Technical Information
- <SYSTEM32>\tasks\winlogonw
- <SYSTEM32>\tasks\csrssc
- <SYSTEM32>\tasks\spoolsv
- <SYSTEM32>\tasks\services
- <SYSTEM32>\tasks\spoolsvs
- <SYSTEM32>\tasks\idle
- <SYSTEM32>\tasks\csrss
- <SYSTEM32>\tasks\idlei
- <SYSTEM32>\tasks\servicess
- <SYSTEM32>\tasks\systems
- <SYSTEM32>\tasks\system
- <SYSTEM32>\tasks\mdm
- <SYSTEM32>\tasks\mdmm
- <SYSTEM32>\tasks\lsass
- <SYSTEM32>\tasks\conhostc
- <SYSTEM32>\tasks\conhost
- <SYSTEM32>\tasks\taskhost
- <SYSTEM32>\tasks\lsassl
- <SYSTEM32>\tasks\taskhostt
- <SYSTEM32>\tasks\wininitw
- <SYSTEM32>\tasks\wininit
- <SYSTEM32>\tasks\winlogon
- <SYSTEM32>\tasks\iexplorei
- <SYSTEM32>\tasks\iexplore
- C:\brokersvc\dl5u0qnlfvxaxokvg3if72u07wfuy.bat
- C:\far2\fexcept\services.exe
- C:\far2\fexcept\c5b4cb5e9653cc
- <Current directory>\csrss.exe
- <Current directory>\886983d96e3d3e
- C:\brokersvc\services.exe
- C:\brokersvc\c5b4cb5e9653cc
- C:\totalcmd\language\spoolsv.exe
- %ProgramFiles%\tmlisten\idle.exe
- %ProgramFiles%\tmlisten\6ccacd8608530f
- C:\totalcmd\language\f3b6ecef712a24
- C:\totalcmd\language\csrss.exe
- C:\totalcmd\language\886983d96e3d3e
- C:\brokersvc\iexplore.exe
- C:\brokersvc\9db6e019d4f04e
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\f3b6ecef712a24
- %TEMP%\0go0vten0v
- %WINDIR%\serviceprofiles\localservice\saved games\spoolsv.exe
- %WINDIR%\serviceprofiles\localservice\saved games\f3b6ecef712a24
- %WINDIR%\schcache\27d1bcfc3c54e0
- %WINDIR%\schcache\system.exe
- C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\6203df4a6bafc7
- C:\brokersvc\wkcqxjeuaku1qnhngb6ouribqh8lr.vbe
- %WINDIR%\syswow64\ja-jp\winlogon.exe
- %WINDIR%\syswow64\ja-jp\cc11b995f2a76d
- <Current directory>\wininit.exe
- <Current directory>\56085415360792
- C:\far2\addons\setup\taskhost.exe
- C:\far2\addons\setup\b75386f1303e64
- %CommonProgramFiles(x86)%\adobe\acrobat\lsass.exe
- C:\brokersvc\msagentcomponent.exe
- %CommonProgramFiles(x86)%\adobe\acrobat\6203df4a6bafc7
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\088424020bedd6
- %HOMEPATH%\favorites\links for united states\mdm.exe
- %HOMEPATH%\favorites\links for united states\559fba5f8e4410
- %ProgramFiles(x86)%\windows defender\winlogon.exe
- %ProgramFiles(x86)%\windows defender\cc11b995f2a76d
- <Current directory>\lsass.exe
- <Current directory>\6203df4a6bafc7
- C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\lsass.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\conhost.exe
- %TEMP%\dvbcradl0f.bat
- nul
- %TEMP%\0go0vten0v
- 'localhost':123
- ClassName: 'EDIT' WindowName: ''
- '%WINDIR%\syswow64\wscript.exe' "C:\BrokerSvc\wKCQxJEUAku1QNhnGB6ouRIBQH8Lr.vbe"
- 'C:\brokersvc\msagentcomponent.exe'
- 'C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\conhost.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\BrokerSvc\dL5U0qNLFvXaxokvg3iF72u07WFuY.bat" "' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\dvbCRaDL0f.bat"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\BrokerSvc\dL5U0qNLFvXaxokvg3iF72u07WFuY.bat" "
- '<SYSTEM32>\schtasks.exe' /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'%ProgramFiles%\tmlisten\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Far2\FExcept\services.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "services" /sc ONLOGON /tr "'C:\Far2\FExcept\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Far2\FExcept\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'<Current directory>\csrss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'<Current directory>\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'<Current directory>\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\BrokerSvc\services.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "services" /sc ONLOGON /tr "'C:\BrokerSvc\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\BrokerSvc\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\totalcmd\LANGUAGE\spoolsv.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'%ProgramFiles%\tmlisten\Idle.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Idle" /sc ONLOGON /tr "'%ProgramFiles%\tmlisten\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'%WINDIR%\ServiceProfiles\LocalService\Saved Games\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'%WINDIR%\ServiceProfiles\LocalService\Saved Games\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\totalcmd\LANGUAGE\csrss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\totalcmd\LANGUAGE\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 6 /tr "'C:\BrokerSvc\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'C:\BrokerSvc\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 12 /tr "'C:\BrokerSvc\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\totalcmd\LANGUAGE\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'%WINDIR%\ServiceProfiles\LocalService\Saved Games\spoolsv.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'%WINDIR%\SchCache\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "System" /sc ONLOGON /tr "'%WINDIR%\SchCache\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'%WINDIR%\SchCache\System.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogon" /sc ONLOGON /tr "'%WINDIR%\SysWOW64\ja-JP\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'%WINDIR%\SysWOW64\ja-JP\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'<Current directory>\wininit.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc ONLOGON /tr "'<Current directory>\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'<Current directory>\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Far2\Addons\SetUp\taskhost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhost" /sc ONLOGON /tr "'C:\Far2\Addons\SetUp\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Far2\Addons\SetUp\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'%CommonProgramFiles(x86)%\Adobe\Acrobat\lsass.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsass" /sc ONLOGON /tr "'%CommonProgramFiles(x86)%\Adobe\Acrobat\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'%CommonProgramFiles(x86)%\Adobe\Acrobat\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\conhost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'%WINDIR%\SysWOW64\ja-JP\winlogon.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\conhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "mdmm" /sc MINUTE /mo 11 /tr "'%HOMEPATH%\Favorites\Links for United States\mdm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "mdm" /sc ONLOGON /tr "'%HOMEPATH%\Favorites\Links for United States\mdm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "mdmm" /sc MINUTE /mo 8 /tr "'%HOMEPATH%\Favorites\Links for United States\mdm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'%ProgramFiles(x86)%\Windows Defender\winlogon.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogon" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Windows Defender\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'%ProgramFiles(x86)%\Windows Defender\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'<Current directory>\lsass.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsass" /sc ONLOGON /tr "'<Current directory>\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'<Current directory>\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\lsass.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\conhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\dvbCRaDL0f.bat"
- '<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2