File name:

tnq092.exe

Full analysis: https://app.any.run/tasks/aaef408d-cbbd-4ac6-828c-7a87b5b9f848
Verdict: Malicious activity
Threats:

TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Analysis date: February 27, 2019, 06:03:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
trickbot
trojan
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

476CC8AB088196733C2752CB26DB2350

SHA1:

42994AB8B8CBE1E40D559F98D8032FC875EDF487

SHA256:

868A571010696E5A8CD5D1A0330F84708E402C879E726B4B76E42170D3DE5897

SSDEEP:

12288:tYwlwh1xRt5oRAfPaseDJqMsZemK3iV5HeIBv7p0/c:tYth5t5oRp5JlsZ7KyVdeIBTa/c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Stops/Deletes Windows Defender service

      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 1772)
      • cmd.exe (PID: 2432)
    • Uses SVCHOST.EXE for hidden code execution

      • tor092.exe (PID: 2508)
      • tor092.exe (PID: 2080)
      • svchost.exe (PID: 2396)
    • Known privilege escalation attack

      • DllHost.exe (PID: 2872)
    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 2996)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 3068)
    • Connects to CnC server

      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 3000)
    • TRICKBOT was detected

      • svchost.exe (PID: 3000)
    • Stealing of credential data

      • svchost.exe (PID: 3000)
    • Trickbot detected

      • svchost.exe (PID: 2396)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 1724)
      • powershell.exe (PID: 1716)
      • tnq092.exe (PID: 1708)
      • svchost.exe (PID: 2396)
    • Executes PowerShell scripts

      • cmd.exe (PID: 864)
      • cmd.exe (PID: 1816)
    • Starts CMD.EXE for commands execution

      • tor092.exe (PID: 2508)
      • tnq092.exe (PID: 1708)
    • Reads the machine GUID from the registry

      • explorer.exe (PID: 3048)
      • mmc.exe (PID: 2996)
      • svchost.exe (PID: 3000)
      • svchost.exe (PID: 2396)
    • Executable content was dropped or overwritten

      • tnq092.exe (PID: 1708)
    • Checks for external IP

      • svchost.exe (PID: 2396)
    • Connects to unusual port

      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 3000)
    • Application launched itself

      • svchost.exe (PID: 2396)
    • Loads DLL from Mozilla Firefox

      • svchost.exe (PID: 3000)
    • Removes files from Windows directory

      • svchost.exe (PID: 2396)
    • Creates files in the Windows directory

      • svchost.exe (PID: 2396)
  • INFO

    • Reads settings of System Certificates

      • svchost.exe (PID: 2396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (56.1)
.scr | Windows screen saver (26.6)
.exe | Win32 Executable (generic) (9.1)
.exe | Generic Win/DOS Executable (4)
.exe | DOS Executable Generic (4)

EXIF

EXE

SpecialBuild: Converter
ProductVersion: 1, 0, 0, 1
ProductName: EliteConv Application
PrivateBuild: EliteDecoder
OriginalFileName: EliteConv.EXE
LegalTrademarks: hAx Studios Ltd., Root-hack, fritz
LegalCopyright: Copyright (C) 2004
InternalName: EliteConverter
FileVersion: 1, 0, 0, 1
FileDescription: Elite Converter | hex, dec, bin, oct and ascii
CompanyName: hAx Studios Ltd.
Comments: Elite Character Conversion by: http://hax-studios.net && http://root-hack.org || fritzy
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: 0
ObjectFileType: Executable application
FileOS: Win32
FileFlags: Private build, Special build
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.1
FileVersionNumber: 1.0.0.1
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: 0
OSVersion: 5
EntryPoint: 0x2069f
UninitializedDataSize: 0
InitializedDataSize: 320000
CodeSize: 207872
LinkerVersion: 9
PEType: PE32
TimeStamp: 2019:02:26 18:06:54+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-Feb-2019 17:06:54
Detected languages:
  • English - United States
Comments: Elite Character Conversion by: http://hax-studios.net && http://root-hack.org || fritzy
CompanyName: hAx Studios Ltd.
FileDescription: Elite Converter | hex, dec, bin, oct and ascii
FileVersion: 1, 0, 0, 1
InternalName: EliteConverter
LegalCopyright: Copyright (C) 2004
LegalTrademarks: hAx Studios Ltd., Root-hack, fritz
OriginalFilename: EliteConv.EXE
PrivateBuild: EliteDecoder
ProductName: EliteConv Application
ProductVersion: 1, 0, 0, 1
SpecialBuild: Converter

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 26-Feb-2019 17:06:54
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00032B0E
0x00032C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.56678
.rdata
0x00034000
0x0000C8FC
0x0000CA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.04583
.data
0x00041000
0x0002FD5C
0x0002C200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.94181
.rsrc
0x00071000
0x00015494
0x00015600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.60822

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.79597
346
Latin 1 / Western European
English - United States
RT_MANIFEST
2
2.08441
296
Latin 1 / Western European
English - United States
RT_ICON
3
3.02695
308
Latin 1 / Western European
English - United States
RT_CURSOR
4
2.74274
180
Latin 1 / Western European
English - United States
RT_CURSOR
5
2.34038
308
Latin 1 / Western European
English - United States
RT_CURSOR
6
2.34004
308
Latin 1 / Western European
English - United States
RT_CURSOR
7
2.27047
92
Latin 1 / Western European
English - United States
RT_STRING
8
2.45401
308
Latin 1 / Western European
English - United States
RT_CURSOR
9
2.34864
308
Latin 1 / Western European
English - United States
RT_CURSOR
10
2.34505
308
Latin 1 / Western European
English - United States
RT_CURSOR
12
2.31114
308
Latin 1 / Western European
English - United States
RT_CURSOR
13
3.33609
308
Latin 1 / Western European
English - United States
RT_CURSOR
14
2.81313
308
Latin 1 / Western European
English - United States
RT_CURSOR
15
3.81491
308
Latin 1 / Western European
English - United States
RT_CURSOR
16
2.10016
308
Latin 1 / Western European
English - United States
RT_CURSOR
17
1.97052
308
Latin 1 / Western European
English - United States
RT_CURSOR
18
2.22699
308
Latin 1 / Western European
English - United States
RT_CURSOR
100
3.6642
1076
Latin 1 / Western European
English - United States
RT_DIALOG
102
3.37556
964
Latin 1 / Western European
English - United States
RT_DIALOG
128
2.37086
34
Latin 1 / Western European
English - United States
RT_GROUP_ICON
130
6.97106
3792
Latin 1 / Western European
English - United States
RT_BITMAP
132
7.43303
8226
Latin 1 / Western European
English - United States
RT_BITMAP
3841
2.81705
130
Latin 1 / Western European
English - United States
RT_STRING
3842
0.960953
42
Latin 1 / Western European
English - United States
RT_STRING
3843
3.08634
388
Latin 1 / Western European
English - United States
RT_STRING
3857
3.25779
1254
Latin 1 / Western European
English - United States
RT_STRING
3858
3.11275
612
Latin 1 / Western European
English - United States
RT_STRING
3859
3.16694
730
Latin 1 / Western European
English - United States
RT_STRING
3860
2.71087
138
Latin 1 / Western European
English - United States
RT_STRING
3865
2.63903
172
Latin 1 / Western European
English - United States
RT_STRING
3866
2.87807
222
Latin 1 / Western European
English - United States
RT_STRING
3867
3.24671
1192
Latin 1 / Western European
English - United States
RT_STRING
3868
3.10695
552
Latin 1 / Western European
English - United States
RT_STRING
3869
1.07875
44
Latin 1 / Western European
English - United States
RT_STRING
3887
1.95964
66
Latin 1 / Western European
English - United States
RT_STRING
30721
3.06676
232
Latin 1 / Western European
English - United States
RT_DIALOG
30734
2.41669
52
Latin 1 / Western European
English - United States
RT_DIALOG
30977
2.25451
34
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
30994
2.23666
184
Latin 1 / Western European
English - United States
RT_BITMAP
30996
2.87621
324
Latin 1 / Western European
English - United States
RT_BITMAP
30998
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
30999
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31000
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31001
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31002
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31003
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31004
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31005
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31006
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31007
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31008
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31009
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31010
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR
31011
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_CURSOR

Imports

ADVAPI32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINMM.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
24
Malicious processes
6
Suspicious processes
4

Behavior graph

Click at the process to see the details
start tnq092.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs CMSTPLUA no specs tor092.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs svchost.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs explorer.exe no specs mmc.exe no specs mmc.exe tor092.exe no specs #TRICKBOT svchost.exe svchost.exe no specs svchost.exe no specs #TRICKBOT svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1708"C:\Users\admin\Desktop\tnq092.exe" C:\Users\admin\Desktop\tnq092.exe
explorer.exe
User:
admin
Company:
hAx Studios Ltd.
Integrity Level:
MEDIUM
Description:
Elite Converter | hex, dec, bin, oct and ascii
Exit code:
0
Version:
1, 0, 0, 1
1772/c sc stop WinDefendC:\Windows\SysWOW64\cmd.exetnq092.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2432/c sc delete WinDefendC:\Windows\SysWOW64\cmd.exetnq092.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
864/c powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\SysWOW64\cmd.exetnq092.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2300sc stop WinDefendC:\Windows\SysWOW64\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1420sc delete WinDefendC:\Windows\SysWOW64\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1724powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2872C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\SysWOW64\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2508"C:\Users\admin\AppData\Roaming\appnet\tor092.exe" C:\Users\admin\AppData\Roaming\appnet\tor092.exeDllHost.exe
User:
admin
Company:
hAx Studios Ltd.
Integrity Level:
HIGH
Description:
Elite Converter | hex, dec, bin, oct and ascii
Exit code:
0
Version:
1, 0, 0, 1
2328/c sc stop WinDefendC:\Windows\SysWOW64\cmd.exetor092.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1062
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
9 404
Read events
9 258
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
15
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
1724powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AA6LPA5U1G36T70CUUT.temp
MD5:
SHA256:
1716powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2IIZ010PDPECIP20DDRQ.temp
MD5:
SHA256:
2396svchost.exeC:\Windows\TEMP\CabD49A.tmp
MD5:
SHA256:
2396svchost.exeC:\Windows\TEMP\TarD49B.tmp
MD5:
SHA256:
2396svchost.exeC:\Users\admin\AppData\Roaming\appnet\Data\injectDll64_configs\dpostbinary
MD5:951E985669A827F5713C220D10289691
SHA256:0790E8FFB428E00C01CD499EE4AB16EDAD974147C07EA1709DF23D6AD34EF417
2396svchost.exeC:\Users\admin\AppData\Roaming\appnet\Data\injectDll64_configs\dinjbinary
MD5:147C1049E25A408078C0ECB158B437C5
SHA256:3B033D79998BFB36D3ABEBD90A4EFD34BF9895CA1186BF4C7671D9F62E1F613E
1716powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1497ba.TMPbinary
MD5:68DDCD94095DE6B16893FEE00DD712C3
SHA256:7E40A9EAF34708FD6282E34227600C202529627BE7DF880792CB033B4D0CD835
1708tnq092.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\0f5007522459c86e95ffcc62f32308f1_eeeb5d54-7880-42a7-b542-739bbc26cf4bbinary
MD5:40C6FC72BC1FF6788A80BCAF4A2BA011
SHA256:6FAEB36C84C291C8DA1642372CE339091F9DE06D13BADC93803A6B17DFF317FA
2508tor092.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\0f5007522459c86e95ffcc62f32308f1_eeeb5d54-7880-42a7-b542-739bbc26cf4bbinary
MD5:E75BB15E84288378C1393C21714FB10E
SHA256:21ED7952772D8990F3F36B7AA3F9CBDD0DBC82B2C9B9C5F3F21EC6EF99A3D1AD
2396svchost.exeC:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:BB377DF27A55C05BB3793CD1E125C869
SHA256:3C4EC495F17D21CC236BC7238BC02728BD945C07157FBF875CAC340269AFC207
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
14
DNS requests
2
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2396
svchost.exe
GET
200
147.75.89.25:80
http://icanhazip.com/
US
text
14 b
shared
3000
svchost.exe
POST
190.146.112.216:8082
http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/
CO
malicious
3000
svchost.exe
POST
190.146.112.216:8082
http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/
CO
malicious
3000
svchost.exe
POST
200
190.146.112.216:8082
http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/
CO
text
3 b
malicious
2396
svchost.exe
GET
200
8.248.237.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?02c541413bd76ae3
US
compressed
55.2 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2396
svchost.exe
147.75.89.25:80
icanhazip.com
Packet Host, Inc.
US
suspicious
2396
svchost.exe
36.89.85.103:449
ID
malicious
2396
svchost.exe
195.123.246.99:447
UA
suspicious
2396
svchost.exe
8.248.237.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
unknown
2396
svchost.exe
185.228.234.165:443
suspicious
3000
svchost.exe
190.146.112.216:8082
Telmex Colombia S.A.
CO
malicious

DNS requests

Domain
IP
Reputation
icanhazip.com
  • 147.75.89.25
  • 147.75.40.2
shared
ctldl.windowsupdate.com
  • 8.248.237.254
  • 8.248.241.254
  • 8.247.206.126
  • 8.247.202.126
  • 8.248.245.254
whitelisted

Threats

PID
Process
Class
Message
2396
svchost.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2396
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2396
svchost.exe
A Network Trojan was detected
ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
2396
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
3000
svchost.exe
A Network Trojan was detected
ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trickbot Data Exfiltration
3000
svchost.exe
Potentially Bad Traffic
ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
3000
svchost.exe
A Network Trojan was detected
ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trickbot Data Exfiltration
3000
svchost.exe
Potentially Bad Traffic
ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
3000
svchost.exe
A Network Trojan was detected
ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trickbot Data Exfiltration
5 ETPRO signatures available at the full report
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn