44caliber | 5ff3f3b3716a63575a4fd4ef65384341c2dd0a09310a4b6a0df18d8ced34ea81

Analysis

max time kernel
442s
max time network
446s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client1.exe
Size

435KB
MD5

db41a85fb5d127502b98a520e0ec8107
SHA1

1ba0d60550a7eef401ce323c6c01f8547f5a9cd3
SHA256

5ff3f3b3716a63575a4fd4ef65384341c2dd0a09310a4b6a0df18d8ced34ea81
SHA512

df2052fe1cb49b00e70a6eff5d40793a1dce423c989e763a22a92221970cb14b5bf1c9ac3738a6b09c6d6bda201c026a94ca2fe6db89103134297b0f88108c11
SSDEEP

6144:XsVDeAnIUilHQU24Je6VlWT8b9UlP1ObiSX3q7Vb+Ia06fjp+2BHS:cZAQ/4JPVle82ZeiQoZirHS

Score

10^/10

44caliber evasion execution persistence spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1228959092572295179/zol6YJ2bwh5lmLGXkYg2G33z3qYjeTvdzyXLvgfVZAIQ67YWJuOjrxydQkablWLyTqUE

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Audacity Upgrade"	Client1.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Client1.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client1.exe

Executes dropped EXE 2 IoCs

pid	Process
1540	eei5anuy.eak.exe
1152	Microsoft Dynamics

Loads dropped DLL 64 IoCs

pid	Process
4568	Process not Found
4816	Process not Found
2552	Process not Found
4460	Process not Found
2728	WmiApSrv.exe
3620	Process not Found
1504	Process not Found
3932	Process not Found
4520	Process not Found
3008	Process not Found
4500	Process not Found
4252	Process not Found
3328	Process not Found
3156	Process not Found
2572	Process not Found
2336	Process not Found
4100	Process not Found
1532	Process not Found
1388	Process not Found
2196	Process not Found
3100	Process not Found
1624	Process not Found
3372	Process not Found
1208	Process not Found
4280	Process not Found
1572	Process not Found
2344	Process not Found
1292	powershell.exe
1540	eei5anuy.eak.exe
1616	Process not Found
1924	Process not Found
2980	Process not Found
928	Process not Found
2224	Process not Found
3296	Process not Found
1968	Process not Found
3232	Process not Found
4276	Process not Found
2856	Process not Found
4376	Process not Found
1208	Process not Found
2808	Process not Found
4228	Process not Found
2852	Process not Found
3328	Process not Found
2368	Process not Found
4444	Process not Found
3116	Process not Found
1608	Process not Found
2464	Process not Found
2668	Process not Found
1124	Process not Found
3296	Process not Found
720	Process not Found
1624	Process not Found
1324	Process not Found
2216	Process not Found
4784	Process not Found
4920	Process not Found
4272	Process not Found
1992	Process not Found
1672	Process not Found
4000	Process not Found
2424	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	freegeoip.app
53	freegeoip.app

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
1292	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Client1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	eei5anuy.eak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	eei5anuy.eak.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2296	schtasks.exe
3828	schtasks.exe
2340	schtasks.exe
1340	schtasks.exe
1576	schtasks.exe
2800	schtasks.exe
5012	schtasks.exe
1388	schtasks.exe
4196	schtasks.exe
4576	schtasks.exe
3920	schtasks.exe
4100	schtasks.exe
3508	schtasks.exe
5108	schtasks.exe
4416	schtasks.exe
456	schtasks.exe
4620	schtasks.exe
4832	schtasks.exe
4996	schtasks.exe
4852	schtasks.exe
3980	schtasks.exe
4968	schtasks.exe
2712	schtasks.exe
1832	schtasks.exe
4348	schtasks.exe
2224	schtasks.exe
732	schtasks.exe
4348	schtasks.exe
3224	schtasks.exe
3252	schtasks.exe
2280	schtasks.exe
5084	schtasks.exe
3308	schtasks.exe
4600	schtasks.exe
3764	schtasks.exe
3716	schtasks.exe
4548	schtasks.exe
404	schtasks.exe
1656	schtasks.exe
4908	schtasks.exe
4860	schtasks.exe
2668	schtasks.exe
1792	schtasks.exe
4944	schtasks.exe
4276	schtasks.exe
2952	schtasks.exe
1332	schtasks.exe
3928	schtasks.exe
4412	schtasks.exe
4868	schtasks.exe
1616	schtasks.exe
2224	schtasks.exe
2948	schtasks.exe
1908	schtasks.exe
960	schtasks.exe
4388	schtasks.exe
3828	schtasks.exe
960	schtasks.exe
4236	schtasks.exe
1944	schtasks.exe
1616	schtasks.exe
4116	schtasks.exe
3756	schtasks.exe
4576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3276	Client1.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1540	eei5anuy.eak.exe
Token: SeDebugPrivilege	1152	Microsoft Dynamics

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 4380	3276	Client1.exe	89
PID 3276 wrote to memory of 4380	3276	Client1.exe	89
PID 4380 wrote to memory of 3224	4380	CMD.exe	91
PID 4380 wrote to memory of 3224	4380	CMD.exe	91
PID 3276 wrote to memory of 4024	3276	Client1.exe	92
PID 3276 wrote to memory of 4024	3276	Client1.exe	92
PID 4024 wrote to memory of 1548	4024	CMD.exe	94
PID 4024 wrote to memory of 1548	4024	CMD.exe	94
PID 3276 wrote to memory of 4892	3276	Client1.exe	95
PID 3276 wrote to memory of 4892	3276	Client1.exe	95
PID 3276 wrote to memory of 3480	3276	Client1.exe	97
PID 3276 wrote to memory of 3480	3276	Client1.exe	97
PID 4892 wrote to memory of 1944	4892	CMD.exe	98
PID 4892 wrote to memory of 1944	4892	CMD.exe	98
PID 3480 wrote to memory of 1388	3480	CMD.exe	100
PID 3480 wrote to memory of 1388	3480	CMD.exe	100
PID 3276 wrote to memory of 3116	3276	Client1.exe	102
PID 3276 wrote to memory of 3116	3276	Client1.exe	102
PID 3116 wrote to memory of 2296	3116	CMD.exe	104
PID 3116 wrote to memory of 2296	3116	CMD.exe	104
PID 3276 wrote to memory of 3308	3276	Client1.exe	107
PID 3276 wrote to memory of 3308	3276	Client1.exe	107
PID 3308 wrote to memory of 404	3308	CMD.exe	109
PID 3308 wrote to memory of 404	3308	CMD.exe	109
PID 3276 wrote to memory of 4364	3276	Client1.exe	110
PID 3276 wrote to memory of 4364	3276	Client1.exe	110
PID 4364 wrote to memory of 1616	4364	CMD.exe	112
PID 4364 wrote to memory of 1616	4364	CMD.exe	112
PID 3276 wrote to memory of 4484	3276	Client1.exe	113
PID 3276 wrote to memory of 4484	3276	Client1.exe	113
PID 4484 wrote to memory of 3252	4484	CMD.exe	115
PID 4484 wrote to memory of 3252	4484	CMD.exe	115
PID 3276 wrote to memory of 4716	3276	Client1.exe	117
PID 3276 wrote to memory of 4716	3276	Client1.exe	117
PID 4716 wrote to memory of 4792	4716	CMD.exe	119
PID 4716 wrote to memory of 4792	4716	CMD.exe	119
PID 3276 wrote to memory of 1388	3276	Client1.exe	120
PID 3276 wrote to memory of 1388	3276	Client1.exe	120
PID 1388 wrote to memory of 4816	1388	CMD.exe	122
PID 1388 wrote to memory of 4816	1388	CMD.exe	122
PID 3276 wrote to memory of 4660	3276	Client1.exe	123
PID 3276 wrote to memory of 4660	3276	Client1.exe	123
PID 4660 wrote to memory of 3052	4660	CMD.exe	125
PID 4660 wrote to memory of 3052	4660	CMD.exe	125
PID 3276 wrote to memory of 2424	3276	Client1.exe	126
PID 3276 wrote to memory of 2424	3276	Client1.exe	126
PID 2424 wrote to memory of 1832	2424	CMD.exe	128
PID 2424 wrote to memory of 1832	2424	CMD.exe	128
PID 3276 wrote to memory of 4936	3276	Client1.exe	129
PID 3276 wrote to memory of 4936	3276	Client1.exe	129
PID 4936 wrote to memory of 3980	4936	CMD.exe	131
PID 4936 wrote to memory of 3980	4936	CMD.exe	131
PID 3276 wrote to memory of 2500	3276	Client1.exe	132
PID 3276 wrote to memory of 2500	3276	Client1.exe	132
PID 2500 wrote to memory of 4364	2500	CMD.exe	134
PID 2500 wrote to memory of 4364	2500	CMD.exe	134
PID 3276 wrote to memory of 4104	3276	Client1.exe	135
PID 3276 wrote to memory of 4104	3276	Client1.exe	135
PID 4104 wrote to memory of 1576	4104	CMD.exe	137
PID 4104 wrote to memory of 1576	4104	CMD.exe	137
PID 3276 wrote to memory of 1720	3276	Client1.exe	138
PID 3276 wrote to memory of 1720	3276	Client1.exe	138
PID 1720 wrote to memory of 4792	1720	CMD.exe	140
PID 1720 wrote to memory of 4792	1720	CMD.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client1.exe
"C:\Users\Admin\AppData\Local\Temp\Client1.exe"
1⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Anydesk" /tr "C:\Users\Admin\Documents\Audacity Upgrade" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Anydesk" /tr "C:\Users\Admin\Documents\Audacity Upgrade"
    3⤵
    - Creates scheduled task(s)
    PID:3224
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1548
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Skype" /tr "C:\Users\Public\Documents\Microsoft Dynamics" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Skype" /tr "C:\Users\Public\Documents\Microsoft Dynamics" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1944
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1388
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2296
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:404
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1616
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3252
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4792
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4816
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:3052
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1832
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3980
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4364
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1576
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4792
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1572
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4944
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1760
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2280
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3116
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4812
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3752
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:208
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2708
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4888
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3584
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:3292
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4104
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2388
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3904
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe"' & exit
  2⤵
  PID:3600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe"'
    3⤵
    - Loads dropped DLL
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1540
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2292
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4276
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4504
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:3252
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2008
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1908
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3696
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1932
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4448
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5108
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3720
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4416
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4612
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:468
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4532
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2892
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1984
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5084
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2680
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4628
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4296
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4404
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4844
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:876
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4624
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3828
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3732
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3928
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2468
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4832
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2132
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4576
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3008
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4600
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2252
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:3956
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4324
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:5048
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1656
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3764
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1548
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1908
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1368
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4968
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1384
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2712
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4656
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:960
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3328
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3716
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2664
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:396
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:5100
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1572
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4528
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4412
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:212
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1656
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:636
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4116
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1964
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2340
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2200
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3756
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1816
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4228
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2736
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:960
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1864
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4084
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4472
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4868
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2572
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2224
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1136
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:3236
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:760
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2928
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4796
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4996
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:636
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1392
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1932
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4548
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:5108
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3920
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1816
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2576
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4560
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2432
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:5092
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3156
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1624
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4816
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1340
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3468
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2928
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4772
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4388
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2292
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2800
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1972
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3828
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3904
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1740
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4360
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5012
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1672
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3920
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4504
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4236
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1500
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2952
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4348
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4908
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4364
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2224
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3084
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1668
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4484
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:456
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3556
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:3368
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2464
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:5060
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1964
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1332
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3940
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:732
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2344
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4100
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1900
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1672
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1660
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1212
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1968
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3308
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3288
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4348
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4364
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2356
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3524
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2680
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3704
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2552
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4800
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4964
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2416
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4876
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2996
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4860
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:992
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2668
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3104
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4292
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1760
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4620
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2536
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:696
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1296
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4140
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1816
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2948
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4884
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1440
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1996
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2228
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1064
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:3420
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4888
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2444
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2828
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4576
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2616
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:4208
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1864
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:2084
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2304
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    PID:1968
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3716
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1616
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:4472
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4348
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:2100
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3508
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:3052
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1792

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
PID:2728

C:\Users\Public\Documents\Microsoft Dynamics
"C:\Users\Public\Documents\Microsoft Dynamics"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
  2⤵
  PID:1748
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
e24ed58b840c122a46b42a2a9e24cdd9

SHA1
c8d8ee2ada5c2740d1bbef5ee2584a32e6d90604

SHA256
088e9133693b40e7df05fce763145dde33cdae7e3b29f2175b7b32e57e181575

SHA512
2ce6dfabdf1a1c89ff4f684f8de50089ee9c1a51b50c67cfafa6afbbe8dc61e6711a2b4fd7d7f61b5cb37f2930f7e0c5f9a72f5ab69c18c04211b9e58074e7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
588KB

MD5
908fa2dfb385771ecf5f8b2b3e7bff16

SHA1
1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58

SHA256
60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d

SHA512
573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yliv4sh.e2f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe

Filesize
274KB

MD5
96406557b6f20e403df1cab4e7f52f07

SHA1
43066fafa661d419d1012e0e32911d8d8b63fdca

SHA256
f1576641115afd65a6b1a2bee4f7c7118be3306337794bd0fe9d0ae82358a32d

SHA512
e74cd7f307183674b93886f67ce22705256d3a0ca8f96ee6def61e6b44117906f6c1fd20977e00641efad1216b11527ae5155f3c77b2d38006da16ad5719259a

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1292-622-0x000002B320DE0000-0x000002B320E02000-memory.dmp

Filesize
136KB

Download
memory/1540-637-0x000001E2F9000000-0x000001E2F904A000-memory.dmp

Filesize
296KB

Download
memory/3276-120-0x000000001CB30000-0x000000001CBA6000-memory.dmp

Filesize
472KB

Download
memory/3276-178-0x000000001B6F0000-0x000000001B6FA000-memory.dmp

Filesize
40KB

Download
memory/3276-264-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-617-0x000000001D140000-0x000000001D14C000-memory.dmp

Filesize
48KB

Download
memory/3276-150-0x00007FFB83F33000-0x00007FFB83F35000-memory.dmp

Filesize
8KB

Download
memory/3276-122-0x000000001CA60000-0x000000001CA7E000-memory.dmp

Filesize
120KB

Download
memory/3276-121-0x00000000026C0000-0x00000000026CC000-memory.dmp

Filesize
48KB

Download
memory/3276-0-0x0000000000410000-0x0000000000482000-memory.dmp

Filesize
456KB

Download
memory/3276-44-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-1187-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3276-2715-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-1-0x00007FFB83F33000-0x00007FFB83F35000-memory.dmp

Filesize
8KB

Download