44caliber | 5ff3f3b3716a63575a4fd4ef65384341c2dd0a09310a4b6a0df18d8ced34ea81

General

Target

Client1.exe
Size

435KB
MD5

db41a85fb5d127502b98a520e0ec8107
SHA1

1ba0d60550a7eef401ce323c6c01f8547f5a9cd3
SHA256

5ff3f3b3716a63575a4fd4ef65384341c2dd0a09310a4b6a0df18d8ced34ea81
SHA512

df2052fe1cb49b00e70a6eff5d40793a1dce423c989e763a22a92221970cb14b5bf1c9ac3738a6b09c6d6bda201c026a94ca2fe6db89103134297b0f88108c11
SSDEEP

6144:XsVDeAnIUilHQU24Je6VlWT8b9UlP1ObiSX3q7Vb+Ia06fjp+2BHS:cZAQ/4JPVle82ZeiQoZirHS

Score

10^/10

44caliber evasion execution persistence spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1228959092572295179/zol6YJ2bwh5lmLGXkYg2G33z3qYjeTvdzyXLvgfVZAIQ67YWJuOjrxydQkablWLyTqUE

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Client1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Audacity Upgrade"	Client1.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

Processes:

Client1.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Client1.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client1.exe

Executes dropped EXE 2 IoCs

Processes:

eei5anuy.eak.exeMicrosoft Dynamics

pid process

1540 eei5anuy.eak.exe
1152 Microsoft Dynamics

pid	process
1540	eei5anuy.eak.exe
1152	Microsoft Dynamics

Loads dropped DLL 64 IoCs

Processes:

WmiApSrv.exepowershell.exeeei5anuy.eak.exe

pid	process
4568
4816
2552
4460
2728	WmiApSrv.exe
3620
1504
3932
4520
3008
4500
4252
3328
3156
2572
2336
4100
1532
1388
2196
3100
1624
3372
1208
4280
1572
2344
1292	powershell.exe
1540	eei5anuy.eak.exe
1616
1924
2980
928
2224
3296
1968
3232
4276
2856
4376
1208
2808
4228
2852
3328
2368
4444
3116
1608
2464
2668
1124
3296
720
1624
1324
2216
4784
4920
4272
1992
1672
4000
2424

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

52 freegeoip.app
53 freegeoip.app
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1292 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

Client1.exe

description ioc process

File created C:\Windows\xdwd.dll Client1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
52	freegeoip.app
53	freegeoip.app

pid	process
1292	powershell.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	Client1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eei5anuy.eak.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	eei5anuy.eak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	eei5anuy.eak.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2296	schtasks.exe
3828	schtasks.exe
2340	schtasks.exe
1340	schtasks.exe
1576	schtasks.exe
2800	schtasks.exe
5012	schtasks.exe
1388	schtasks.exe
4196	schtasks.exe
4576	schtasks.exe
3920	schtasks.exe
4100	schtasks.exe
3508	schtasks.exe
5108	schtasks.exe
4416	schtasks.exe
456	schtasks.exe
4620	schtasks.exe
4832	schtasks.exe
4996	schtasks.exe
4852	schtasks.exe
3980	schtasks.exe
4968	schtasks.exe
2712	schtasks.exe
1832	schtasks.exe
4348	schtasks.exe
2224	schtasks.exe
732	schtasks.exe
4348	schtasks.exe
3224	schtasks.exe
3252	schtasks.exe
2280	schtasks.exe
5084	schtasks.exe
3308	schtasks.exe
4600	schtasks.exe
3764	schtasks.exe
3716	schtasks.exe
4548	schtasks.exe
404	schtasks.exe
1656	schtasks.exe
4908	schtasks.exe
4860	schtasks.exe
2668	schtasks.exe
1792	schtasks.exe
4944	schtasks.exe
4276	schtasks.exe
2952	schtasks.exe
1332	schtasks.exe
3928	schtasks.exe
4412	schtasks.exe
4868	schtasks.exe
1616	schtasks.exe
2224	schtasks.exe
2948	schtasks.exe
1908	schtasks.exe
960	schtasks.exe
4388	schtasks.exe
3828	schtasks.exe
960	schtasks.exe
4236	schtasks.exe
1944	schtasks.exe
1616	schtasks.exe
4116	schtasks.exe
3756	schtasks.exe
4576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client1.exe

pid	process
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe
3276	Client1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Client1.exepowershell.exeeei5anuy.eak.exeMicrosoft Dynamics

description	pid	process
Token: SeDebugPrivilege	3276	Client1.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1540	eei5anuy.eak.exe
Token: SeDebugPrivilege	1152	Microsoft Dynamics

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Client1.exe

pid process

3276 Client1.exe
3276 Client1.exe
3276 Client1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client1.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exe

description	pid	process	target process
PID 3276 wrote to memory of 4380	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 4380	3276	Client1.exe	CMD.exe
PID 4380 wrote to memory of 3224	4380	CMD.exe	schtasks.exe
PID 4380 wrote to memory of 3224	4380	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 4024	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 4024	3276	Client1.exe	CMD.exe
PID 4024 wrote to memory of 1548	4024	CMD.exe	schtasks.exe
PID 4024 wrote to memory of 1548	4024	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 4892	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 4892	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 3480	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 3480	3276	Client1.exe	CMD.exe
PID 4892 wrote to memory of 1944	4892	CMD.exe	schtasks.exe
PID 4892 wrote to memory of 1944	4892	CMD.exe	schtasks.exe
PID 3480 wrote to memory of 1388	3480	CMD.exe	schtasks.exe
PID 3480 wrote to memory of 1388	3480	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 3116	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 3116	3276	Client1.exe	CMD.exe
PID 3116 wrote to memory of 2296	3116	CMD.exe	schtasks.exe
PID 3116 wrote to memory of 2296	3116	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 3308	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 3308	3276	Client1.exe	CMD.exe
PID 3308 wrote to memory of 404	3308	CMD.exe	schtasks.exe
PID 3308 wrote to memory of 404	3308	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 4364	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 4364	3276	Client1.exe	CMD.exe
PID 4364 wrote to memory of 1616	4364	CMD.exe	schtasks.exe
PID 4364 wrote to memory of 1616	4364	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 4484	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 4484	3276	Client1.exe	CMD.exe
PID 4484 wrote to memory of 3252	4484	CMD.exe	schtasks.exe
PID 4484 wrote to memory of 3252	4484	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 4716	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 4716	3276	Client1.exe	CMD.exe
PID 4716 wrote to memory of 4792	4716	CMD.exe	schtasks.exe
PID 4716 wrote to memory of 4792	4716	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 1388	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 1388	3276	Client1.exe	CMD.exe
PID 1388 wrote to memory of 4816	1388	CMD.exe	schtasks.exe
PID 1388 wrote to memory of 4816	1388	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 4660	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 4660	3276	Client1.exe	CMD.exe
PID 4660 wrote to memory of 3052	4660	CMD.exe	schtasks.exe
PID 4660 wrote to memory of 3052	4660	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 2424	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 2424	3276	Client1.exe	CMD.exe
PID 2424 wrote to memory of 1832	2424	CMD.exe	schtasks.exe
PID 2424 wrote to memory of 1832	2424	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 4936	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 4936	3276	Client1.exe	CMD.exe
PID 4936 wrote to memory of 3980	4936	CMD.exe	schtasks.exe
PID 4936 wrote to memory of 3980	4936	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 2500	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 2500	3276	Client1.exe	CMD.exe
PID 2500 wrote to memory of 4364	2500	CMD.exe	schtasks.exe
PID 2500 wrote to memory of 4364	2500	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 4104	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 4104	3276	Client1.exe	CMD.exe
PID 4104 wrote to memory of 1576	4104	CMD.exe	schtasks.exe
PID 4104 wrote to memory of 1576	4104	CMD.exe	schtasks.exe
PID 3276 wrote to memory of 1720	3276	Client1.exe	CMD.exe
PID 3276 wrote to memory of 1720	3276	Client1.exe	CMD.exe
PID 1720 wrote to memory of 4792	1720	CMD.exe	schtasks.exe
PID 1720 wrote to memory of 4792	1720	CMD.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client1.exe
"C:\Users\Admin\AppData\Local\Temp\Client1.exe"
1⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Anydesk" /tr "C:\Users\Admin\Documents\Audacity Upgrade" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Anydesk" /tr "C:\Users\Admin\Documents\Audacity Upgrade"
3⤵
- Creates scheduled task(s)
PID:3224

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1548

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Skype" /tr "C:\Users\Public\Documents\Microsoft Dynamics" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo 5 /tn "Skype" /tr "C:\Users\Public\Documents\Microsoft Dynamics" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1944

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1388

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2296

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:404

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3252

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4792

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4816

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:3052

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1832

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3980

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4364

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1576

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4792

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1572

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4944

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1760

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2280

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3116

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4812

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3752

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:208

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2708

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4888

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3584

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:3292

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4104

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2388

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3904

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe"' & exit
2⤵
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe"'
3⤵
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2292

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4276

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4504

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:3252

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2008

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3696

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1932

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4448

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:5108

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3720

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4416

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4612

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:468

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4532

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2892

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1984

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:5084

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2680

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4628

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4296

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4404

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4844

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:876

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4624

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3828

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3732

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3928

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2468

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4832

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2132

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4576

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3008

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4600

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2252

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:3956

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4324

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:5048

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1656

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3764

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1548

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1908

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1368

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4968

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1384

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4656

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:960

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3328

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3716

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2664

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:396

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:5100

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1572

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4528

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4412

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:212

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1656

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:636

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4116

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1964

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2340

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2200

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3756

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1816

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4228

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2736

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:960

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1864

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4084

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4472

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4868

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2572

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2224

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1136

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:3236

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:760

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2928

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4796

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4996

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:636

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1392

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1932

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4548

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4076

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:5108

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3920

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1816

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2576

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4560

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2432

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:5092

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3156

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1624

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4816

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3468

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2928

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4772

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4388

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2292

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1972

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3828

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3904

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1740

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4360

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:5012

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1672

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3920

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4504

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4236

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1500

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2952

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4348

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4908

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4364

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2224

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3084

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1668

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4484

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:456

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3556

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:3368

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2464

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:5060

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1964

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1332

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3940

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:732

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2344

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4100

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1900

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1672

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1660

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1212

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1968

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3308

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3288

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4348

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4364

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2356

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3524

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2680

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3704

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2552

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4800

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4964

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2416

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4876

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2996

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4860

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:992

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2668

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3104

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4292

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1760

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4620

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2536

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:696

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1296

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4140

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1816

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2948

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4884

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1440

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1996

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2228

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1064

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:3420

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4888

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2444

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2828

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4576

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2616

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:4208

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1864

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:2084

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2304

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
PID:1968

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3716

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:4472

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4348

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:2100

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3508

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:3052

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
PID:2728

C:\Users\Public\Documents\Microsoft Dynamics
"C:\Users\Public\Documents\Microsoft Dynamics"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST & exit
2⤵
PID:1748

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "WPS Office" /tr "C:\Users\Admin\Documents\Audacity Upgrade" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
e24ed58b840c122a46b42a2a9e24cdd9

SHA1
c8d8ee2ada5c2740d1bbef5ee2584a32e6d90604

SHA256
088e9133693b40e7df05fce763145dde33cdae7e3b29f2175b7b32e57e181575

SHA512
2ce6dfabdf1a1c89ff4f684f8de50089ee9c1a51b50c67cfafa6afbbe8dc61e6711a2b4fd7d7f61b5cb37f2930f7e0c5f9a72f5ab69c18c04211b9e58074e7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
588KB

MD5
908fa2dfb385771ecf5f8b2b3e7bff16

SHA1
1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58

SHA256
60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d

SHA512
573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yliv4sh.e2f.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\eei5anuy.eak.exe
Filesize
274KB

MD5
96406557b6f20e403df1cab4e7f52f07

SHA1
43066fafa661d419d1012e0e32911d8d8b63fdca

SHA256
f1576641115afd65a6b1a2bee4f7c7118be3306337794bd0fe9d0ae82358a32d

SHA512
e74cd7f307183674b93886f67ce22705256d3a0ca8f96ee6def61e6b44117906f6c1fd20977e00641efad1216b11527ae5155f3c77b2d38006da16ad5719259a

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1292-622-0x000002B320DE0000-0x000002B320E02000-memory.dmp

Filesize
136KB

Download
memory/1540-637-0x000001E2F9000000-0x000001E2F904A000-memory.dmp

Filesize
296KB

Download
memory/3276-120-0x000000001CB30000-0x000000001CBA6000-memory.dmp

Filesize
472KB

Download
memory/3276-178-0x000000001B6F0000-0x000000001B6FA000-memory.dmp

Filesize
40KB

Download
memory/3276-264-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-617-0x000000001D140000-0x000000001D14C000-memory.dmp

Filesize
48KB

Download
memory/3276-150-0x00007FFB83F33000-0x00007FFB83F35000-memory.dmp

Filesize
8KB

Download
memory/3276-122-0x000000001CA60000-0x000000001CA7E000-memory.dmp

Filesize
120KB

Download
memory/3276-121-0x00000000026C0000-0x00000000026CC000-memory.dmp

Filesize
48KB

Download
memory/3276-0-0x0000000000410000-0x0000000000482000-memory.dmp

Filesize
456KB

Download
memory/3276-44-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-1187-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3276-2715-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-1-0x00007FFB83F33000-0x00007FFB83F35000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads