dcrat | d56bc8947bd949294eeb0b4191b94beb2553e5972c72587ddd215ebaf899354b

System Information Discovery

Processes:

54c6b64cb242fc9e210578980c59c0ee.exeWScript.exeportcomponenthost.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	54c6b64cb242fc9e210578980c59c0ee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	portcomponenthost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 3 IoCs

Processes:

portcomponenthost.exedwm.exedwm.exe

pid process

4160 portcomponenthost.exe
3100 dwm.exe
14812 dwm.exe

Drops file in Program Files directory 8 IoCs

Processes:

portcomponenthost.exe

description	ioc	process
File created	C:\Program Files\Google\fontdrvhost.exe	portcomponenthost.exe
File created	C:\Program Files\Google\5b884080fd4f94	portcomponenthost.exe
File created	C:\Program Files\7-Zip\Lang\RuntimeBroker.exe	portcomponenthost.exe
File created	C:\Program Files\7-Zip\Lang\9e8d7a4ca61bd9	portcomponenthost.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\unsecapp.exe	portcomponenthost.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\29c1c3cc0f7685	portcomponenthost.exe
File created	C:\Program Files (x86)\Microsoft.NET\spoolsv.exe	portcomponenthost.exe
File created	C:\Program Files (x86)\Microsoft.NET\f3b6ecef712a24	portcomponenthost.exe

Drops file in Windows directory 7 IoCs

Processes:

portcomponenthost.exe

description	ioc	process
File created	C:\Windows\Provisioning\Autopilot\29c1c3cc0f7685	portcomponenthost.exe
File created	C:\Windows\Speech\dllhost.exe	portcomponenthost.exe
File created	C:\Windows\Speech\5940a34987c991	portcomponenthost.exe
File created	C:\Windows\fr-FR\dwm.exe	portcomponenthost.exe
File created	C:\Windows\fr-FR\6cb0b6c459d5d3	portcomponenthost.exe
File created	C:\Windows\Provisioning\Autopilot\unsecapp.exe	portcomponenthost.exe
File opened for modification	C:\Windows\Provisioning\Autopilot\unsecapp.exe	portcomponenthost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

15528 3100 WerFault.exe dwm.exe

pid	pid_target	process	target process
15528	3100	WerFault.exe	dwm.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

pid	process
4380	schtasks.exe
3752	schtasks.exe
2948	schtasks.exe
3520	schtasks.exe
1972	schtasks.exe
3460	schtasks.exe
2808	schtasks.exe
4344	schtasks.exe
4104	schtasks.exe
3728	schtasks.exe
3108	schtasks.exe
4896	schtasks.exe
3936	schtasks.exe
376	schtasks.exe
2968	schtasks.exe
5008	schtasks.exe
3540	schtasks.exe
4396	schtasks.exe
1156	schtasks.exe
3156	schtasks.exe
548	schtasks.exe
2736	schtasks.exe
840	schtasks.exe
3748	schtasks.exe
2392	schtasks.exe
1412	schtasks.exe
736	schtasks.exe
4660	schtasks.exe
4224	schtasks.exe
2584	schtasks.exe
1520	schtasks.exe
1700	schtasks.exe
1516	schtasks.exe
408	schtasks.exe
1884	schtasks.exe
4864	schtasks.exe
1084	schtasks.exe
2104	schtasks.exe
4520	schtasks.exe
2548	schtasks.exe
2376	schtasks.exe
2892	schtasks.exe
3692	schtasks.exe
448	schtasks.exe
3308	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe

Modifies registry class 2 IoCs

Processes:

54c6b64cb242fc9e210578980c59c0ee.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	54c6b64cb242fc9e210578980c59c0ee.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	dwm.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

portcomponenthost.exedwm.exedwm.exe

pid	process
4160	portcomponenthost.exe
4160	portcomponenthost.exe
4160	portcomponenthost.exe
4160	portcomponenthost.exe
4160	portcomponenthost.exe
4160	portcomponenthost.exe
4160	portcomponenthost.exe
4160	portcomponenthost.exe
4160	portcomponenthost.exe
4160	portcomponenthost.exe
4160	portcomponenthost.exe
3100	dwm.exe
3100	dwm.exe
3100	dwm.exe
3100	dwm.exe
3100	dwm.exe
3100	dwm.exe
3100	dwm.exe
3100	dwm.exe
3100	dwm.exe
14812	dwm.exe
14812	dwm.exe
14812	dwm.exe
14812	dwm.exe
14812	dwm.exe
14812	dwm.exe
14812	dwm.exe
14812	dwm.exe
14812	dwm.exe
14812	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwm.exe

pid process

3100 dwm.exe

pid	process
3100	dwm.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

portcomponenthost.exedwm.exedwm.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	4160	portcomponenthost.exe
Token: SeDebugPrivilege	3100	dwm.exe
Token: SeCreateGlobalPrivilege	14316	dwm.exe
Token: SeChangeNotifyPrivilege	14316	dwm.exe
Token: 33	14316	dwm.exe
Token: SeIncBasePriorityPrivilege	14316	dwm.exe
Token: SeDebugPrivilege	14812	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

54c6b64cb242fc9e210578980c59c0ee.exeWScript.execmd.exeportcomponenthost.exedwm.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2644 wrote to memory of 2160	2644	54c6b64cb242fc9e210578980c59c0ee.exe	WScript.exe
PID 2644 wrote to memory of 2160	2644	54c6b64cb242fc9e210578980c59c0ee.exe	WScript.exe
PID 2644 wrote to memory of 2160	2644	54c6b64cb242fc9e210578980c59c0ee.exe	WScript.exe
PID 2160 wrote to memory of 5052	2160	WScript.exe	cmd.exe
PID 2160 wrote to memory of 5052	2160	WScript.exe	cmd.exe
PID 2160 wrote to memory of 5052	2160	WScript.exe	cmd.exe
PID 5052 wrote to memory of 4160	5052	cmd.exe	portcomponenthost.exe
PID 5052 wrote to memory of 4160	5052	cmd.exe	portcomponenthost.exe
PID 4160 wrote to memory of 3100	4160	portcomponenthost.exe	dwm.exe
PID 4160 wrote to memory of 3100	4160	portcomponenthost.exe	dwm.exe
PID 3100 wrote to memory of 2192	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 2192	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 3216	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 3216	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 4008	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 4008	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 2220	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 2220	3100	dwm.exe	cmd.exe
PID 2192 wrote to memory of 2736	2192	cmd.exe	notepad.exe
PID 2192 wrote to memory of 2736	2192	cmd.exe	notepad.exe
PID 3100 wrote to memory of 2968	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 2968	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 3396	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 3396	3100	dwm.exe	cmd.exe
PID 4008 wrote to memory of 5008	4008	cmd.exe	notepad.exe
PID 4008 wrote to memory of 5008	4008	cmd.exe	notepad.exe
PID 3100 wrote to memory of 836	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 836	3100	dwm.exe	cmd.exe
PID 3216 wrote to memory of 4396	3216	cmd.exe	notepad.exe
PID 3216 wrote to memory of 4396	3216	cmd.exe	notepad.exe
PID 3100 wrote to memory of 4808	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 4808	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 4980	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 4980	3100	dwm.exe	cmd.exe
PID 2220 wrote to memory of 460	2220	cmd.exe	notepad.exe
PID 2220 wrote to memory of 460	2220	cmd.exe	notepad.exe
PID 3100 wrote to memory of 4680	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 4680	3100	dwm.exe	cmd.exe
PID 2968 wrote to memory of 3664	2968	cmd.exe	notepad.exe
PID 2968 wrote to memory of 3664	2968	cmd.exe	notepad.exe
PID 3100 wrote to memory of 4764	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 4764	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 1208	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 1208	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 1412	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 1412	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 3024	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 3024	3100	dwm.exe	cmd.exe
PID 836 wrote to memory of 3648	836	cmd.exe	notepad.exe
PID 836 wrote to memory of 3648	836	cmd.exe	notepad.exe
PID 3396 wrote to memory of 3284	3396	cmd.exe	notepad.exe
PID 3396 wrote to memory of 3284	3396	cmd.exe	notepad.exe
PID 3100 wrote to memory of 4132	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 4132	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 3372	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 3372	3100	dwm.exe	cmd.exe
PID 4980 wrote to memory of 3244	4980	cmd.exe	notepad.exe
PID 4980 wrote to memory of 3244	4980	cmd.exe	notepad.exe
PID 4680 wrote to memory of 2028	4680	cmd.exe	notepad.exe
PID 4680 wrote to memory of 2028	4680	cmd.exe	notepad.exe
PID 3100 wrote to memory of 3756	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 3756	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 1496	3100	dwm.exe	cmd.exe
PID 3100 wrote to memory of 1496	3100	dwm.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\54c6b64cb242fc9e210578980c59c0ee.exe
"C:\Users\Admin\AppData\Local\Temp\54c6b64cb242fc9e210578980c59c0ee.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MsSurrogatesavesDllCommon\KNXxoYbYBPxFU.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\MsSurrogatesavesDllCommon\8EVty8tFPt0VqMZlz5bMQ6Tt5F96.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\MsSurrogatesavesDllCommon\portcomponenthost.exe
"C:\MsSurrogatesavesDllCommon\portcomponenthost.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\fr-FR\dwm.exe
"C:\Windows\fr-FR\dwm.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:4808

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:4764

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:1208

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:1412

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:3024

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:4132

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:3372

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:3756

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:1496

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:4880

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:1424

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:1764

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:4208

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:2948

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:1252

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5152

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5216

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5288

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5348

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5428

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5524

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5600

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5660

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5728

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5828

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5872

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5984

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6096

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:4552

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:3316

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5620

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:4348

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6184

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6224

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6336

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6364

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:6948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6480

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6548

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6672

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6780

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6940

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7028

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7128

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7084

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6352

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:5124

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:6356

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7172

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7192

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7372

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7264

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7472

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7560

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7636

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7724

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7780

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7840

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7928

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8036

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8164

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7660

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8224

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8280

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8332

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:8976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8408

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8448

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8532

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8620

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8696

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8776

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:7108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8836

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:8936

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9000

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9052

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9112

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9172

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:3552

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:7156

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9284

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9072

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9384

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9460

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9536

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9652

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9708

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9592

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9804

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9868

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9948

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10076

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10120

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10152

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10196

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9684

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10300

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10472

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10400

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10532

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10560

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10676

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:10148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10784

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:9028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10904

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:10960

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11008

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11108

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11184

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11240

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:9488

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11268

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:1188

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11360

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11424

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11524

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11596

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11720

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11644

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11788

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:11824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11848

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11920

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12040

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12100

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12176

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12272

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:3984

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12388

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12444

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:12612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12500

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12572

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12604

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12636

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12716

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12800

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12924

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13036

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13188

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13304

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:11300

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:12536

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:13960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13628

C:\Windows\system32\notepad.exe
notepad.exe
7⤵
PID:14280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" "
6⤵
PID:13784

C:\Windows\fr-FR\dwm.exe
"C:\Windows\fr-FR\dwm.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:14812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3100 -s 3492
6⤵
- Program crash
PID:15528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\Autopilot\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Autopilot\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MsSurrogatesavesDllCommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MsSurrogatesavesDllCommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MsSurrogatesavesDllCommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Music\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MsSurrogatesavesDllCommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MsSurrogatesavesDllCommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MsSurrogatesavesDllCommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\MsSurrogatesavesDllCommon\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\MsSurrogatesavesDllCommon\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\MsSurrogatesavesDllCommon\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 3100 -ip 3100
1⤵
PID:15488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery