modiloader | 1e61208319c73ce6b35383566c4657dafacbceaddc0b5da7edab1ebc7ce675c6

Analysis

max time kernel
368s
max time network
363s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
26/03/2025, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nerestpc/NerestPC.exe
Size

9.0MB
MD5

145be6a19eae5c15f0f585a2f323e3d8
SHA1

4fe360bd989af506a349e78f181cffad0fdf63e1
SHA256

ee106efb13a2c8e570ae1965f3e6ebf25e76296e5bd311d90dff3f78aaab42a0
SHA512

8261499422e8d4d2f6b28bf31b13a63ad4cd8ead089b19bdf3fa14d0deb48a6629e289546f36b80b5bbc4c694434d7c5f4c3bcda6ea6ae589b7cecef90d01946
SSDEEP

196608:xaaKLgaeBMV1x2g5vrPnsvaH7ATG/3lVr99W7SONlmsQd4to:xangTBMfxXvrPdATGvRLOcyto

Score

10^/10

modiloader ramnit banker defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan upx worm

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdCamtasia Upgrade.exe"	xclient.exe

Modiloader family
modiloader
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b11d-1007.dat	modiloader_stage2
behavioral1/memory/844-1093-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 15 IoCs

pid	Process
5076	NerestPCFree 0.32.3.exe
3400	xclient.exe
844	ubsyrd42.biw.exe
5328	msvdczr0.thi.exe
732	iuvf4gzw.zm0.exe
1760	qwamczbh.ydq.exe
5128	p0q4paky.2gq.exe
580	mwmo35ej.umk.exe
1040	xdwdMicrosoft Publisher.exe
780	kl4ycsfo.dwu.exe
3664	kl4ycsfo.dwuSrv.exe
464	xdwdCamtasia Upgrade.exe
5080	poa5cgck.cno.exe
3152	jfnqdhoe.ki0.exe
2468	jfnqdhoe.ki0Srv.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	ubsyrd42.biw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ubsyrd42.biw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ubsyrd42.biw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	ubsyrd42.biw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	ubsyrd42.biw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	ubsyrd42.biw.exe

Loads dropped DLL 64 IoCs

pid	Process
6028	Process not Found
1608	Process not Found
2584	Process not Found
5892	Process not Found
1424	WmiApSrv.exe
5552	Process not Found
936	Process not Found
2772	Process not Found
1984	Process not Found
544	Process not Found
5656	Process not Found
1828	Process not Found
2200	Process not Found
4836	Process not Found
4424	Process not Found
4228	Process not Found
1480	Process not Found
2944	Process not Found
244	Process not Found
2128	Process not Found
5312	Process not Found
3420	Process not Found
1428	Process not Found
2536	Process not Found
1280	Process not Found
3124	Process not Found
3048	Process not Found
3904	Process not Found
5252	Process not Found
3424	Process not Found
472	Process not Found
2952	Process not Found
2108	Process not Found
340	Process not Found
4516	Process not Found
5316	Process not Found
4656	Process not Found
3820	Process not Found
2264	Process not Found
3888	Process not Found
5300	powershell.exe
5604	explorer.exe
5616	Process not Found
3340	Process not Found
4772	Process not Found
3464	Process not Found
4400	Process not Found
784	Process not Found
5032	Process not Found
1792	Process not Found
244	Process not Found
5500	Process not Found
2488	powershell.exe
1444	Process not Found
5868	Process not Found
1080	Process not Found
3652	Process not Found
4256	Process not Found
5900	Process not Found
2660	Process not Found
5988	Process not Found
992	Process not Found
4772	powershell.exe
3164	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Admin\\AppData\\Roaming\\xdwdMicrosoft Publisher.exe"	xclient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Windows\CurrentVersion\Run\ubsyrd42.biw.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\ubsyrd42.biw.exe"	ubsyrd42.biw.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
4772	powershell.exe
5384	powershell.exe
1788	powershell.exe
5512	powershell.exe
5676	powershell.exe
5300	powershell.exe
2488	powershell.exe
3488	powershell.exe
4544	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5076	NerestPCFree 0.32.3.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5128-2024-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/5128-2048-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/780-2429-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/780-2434-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/780-2436-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/780-2438-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/780-2451-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/780-2454-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/780-2457-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x002000000002b139-2470.dat	upx
behavioral1/memory/780-2474-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/780-2479-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	xclient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4272	5128	WerFault.exe	330
3792	3664	WerFault.exe	401
4148	2468	WerFault.exe	473

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qwamczbh.ydq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p0q4paky.2gq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kl4ycsfo.dwuSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poa5cgck.cno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfnqdhoe.ki0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NerestPCFree 0.32.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwmo35ej.umk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kl4ycsfo.dwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfnqdhoe.ki0Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubsyrd42.biw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msvdczr0.thi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iuvf4gzw.zm0.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	xdwdMicrosoft Publisher.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1896	schtasks.exe
4836	schtasks.exe
2388	schtasks.exe
2140	schtasks.exe
1700	schtasks.exe
4888	schtasks.exe
936	schtasks.exe
5288	schtasks.exe
3568	schtasks.exe
4964	schtasks.exe
4400	schtasks.exe
5248	schtasks.exe
5088	schtasks.exe
1488	schtasks.exe
3144	schtasks.exe
6040	schtasks.exe
5484	schtasks.exe
2952	schtasks.exe
1152	schtasks.exe
2616	schtasks.exe
5744	schtasks.exe
3472	schtasks.exe
2456	schtasks.exe
3764	schtasks.exe
2768	schtasks.exe
4876	schtasks.exe
2448	schtasks.exe
492	schtasks.exe
5056	schtasks.exe
2864	schtasks.exe
2068	schtasks.exe
4532	schtasks.exe
5868	schtasks.exe
4272	schtasks.exe
5000	schtasks.exe
3116	schtasks.exe
4868	schtasks.exe
4508	schtasks.exe
5776	schtasks.exe
2960	schtasks.exe
5020	schtasks.exe
5276	schtasks.exe
3892	schtasks.exe
1220	schtasks.exe
5388	schtasks.exe
2564	schtasks.exe
5916	schtasks.exe
5960	schtasks.exe
5136	schtasks.exe
3888	schtasks.exe
1220	schtasks.exe
3672	schtasks.exe
1240	schtasks.exe
3808	schtasks.exe
1540	schtasks.exe
468	schtasks.exe
2128	schtasks.exe
2020	schtasks.exe
3876	schtasks.exe
3644	schtasks.exe
5404	schtasks.exe
4124	schtasks.exe
2404	schtasks.exe
4704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe
3400	xclient.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	xclient.exe
Token: SeDebugPrivilege	5300	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	5384	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	5512	powershell.exe
Token: 33	6124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6124	AUDIODG.EXE
Token: SeDebugPrivilege	1040	xdwdMicrosoft Publisher.exe
Token: SeDebugPrivilege	5676	powershell.exe
Token: SeDebugPrivilege	464	xdwdCamtasia Upgrade.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
580	mwmo35ej.umk.exe
5080	poa5cgck.cno.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5328	msvdczr0.thi.exe
732	iuvf4gzw.zm0.exe
1760	qwamczbh.ydq.exe
580	mwmo35ej.umk.exe
580	mwmo35ej.umk.exe
580	mwmo35ej.umk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 5076	1488	NerestPC.exe	83
PID 1488 wrote to memory of 5076	1488	NerestPC.exe	83
PID 1488 wrote to memory of 5076	1488	NerestPC.exe	83
PID 1488 wrote to memory of 3400	1488	NerestPC.exe	84
PID 1488 wrote to memory of 3400	1488	NerestPC.exe	84
PID 3400 wrote to memory of 2960	3400	xclient.exe	87
PID 3400 wrote to memory of 2960	3400	xclient.exe	87
PID 2960 wrote to memory of 5136	2960	CMD.exe	89
PID 2960 wrote to memory of 5136	2960	CMD.exe	89
PID 3400 wrote to memory of 4520	3400	xclient.exe	90
PID 3400 wrote to memory of 4520	3400	xclient.exe	90
PID 4520 wrote to memory of 2140	4520	CMD.exe	92
PID 4520 wrote to memory of 2140	4520	CMD.exe	92
PID 3400 wrote to memory of 2108	3400	xclient.exe	93
PID 3400 wrote to memory of 2108	3400	xclient.exe	93
PID 2108 wrote to memory of 1700	2108	CMD.exe	95
PID 2108 wrote to memory of 1700	2108	CMD.exe	95
PID 3400 wrote to memory of 1888	3400	xclient.exe	96
PID 3400 wrote to memory of 1888	3400	xclient.exe	96
PID 1888 wrote to memory of 5484	1888	CMD.exe	98
PID 1888 wrote to memory of 5484	1888	CMD.exe	98
PID 3400 wrote to memory of 224	3400	xclient.exe	100
PID 3400 wrote to memory of 224	3400	xclient.exe	100
PID 224 wrote to memory of 3764	224	CMD.exe	102
PID 224 wrote to memory of 3764	224	CMD.exe	102
PID 3400 wrote to memory of 3200	3400	xclient.exe	105
PID 3400 wrote to memory of 3200	3400	xclient.exe	105
PID 3200 wrote to memory of 5312	3200	CMD.exe	107
PID 3200 wrote to memory of 5312	3200	CMD.exe	107
PID 3400 wrote to memory of 2716	3400	xclient.exe	108
PID 3400 wrote to memory of 2716	3400	xclient.exe	108
PID 2716 wrote to memory of 5868	2716	CMD.exe	110
PID 2716 wrote to memory of 5868	2716	CMD.exe	110
PID 3400 wrote to memory of 5808	3400	xclient.exe	111
PID 3400 wrote to memory of 5808	3400	xclient.exe	111
PID 5808 wrote to memory of 3568	5808	CMD.exe	113
PID 5808 wrote to memory of 3568	5808	CMD.exe	113
PID 3400 wrote to memory of 1692	3400	xclient.exe	114
PID 3400 wrote to memory of 1692	3400	xclient.exe	114
PID 1692 wrote to memory of 2164	1692	CMD.exe	116
PID 1692 wrote to memory of 2164	1692	CMD.exe	116
PID 3400 wrote to memory of 672	3400	xclient.exe	117
PID 3400 wrote to memory of 672	3400	xclient.exe	117
PID 672 wrote to memory of 5528	672	CMD.exe	119
PID 672 wrote to memory of 5528	672	CMD.exe	119
PID 3400 wrote to memory of 2132	3400	xclient.exe	120
PID 3400 wrote to memory of 2132	3400	xclient.exe	120
PID 2132 wrote to memory of 1896	2132	CMD.exe	122
PID 2132 wrote to memory of 1896	2132	CMD.exe	122
PID 3400 wrote to memory of 4676	3400	xclient.exe	123
PID 3400 wrote to memory of 4676	3400	xclient.exe	123
PID 4676 wrote to memory of 4544	4676	CMD.exe	125
PID 4676 wrote to memory of 4544	4676	CMD.exe	125
PID 3400 wrote to memory of 5888	3400	xclient.exe	126
PID 3400 wrote to memory of 5888	3400	xclient.exe	126
PID 5888 wrote to memory of 4904	5888	CMD.exe	128
PID 5888 wrote to memory of 4904	5888	CMD.exe	128
PID 3400 wrote to memory of 1952	3400	xclient.exe	129
PID 3400 wrote to memory of 1952	3400	xclient.exe	129
PID 1952 wrote to memory of 5072	1952	CMD.exe	131
PID 1952 wrote to memory of 5072	1952	CMD.exe	131
PID 3400 wrote to memory of 2432	3400	xclient.exe	132
PID 3400 wrote to memory of 2432	3400	xclient.exe	132
PID 2432 wrote to memory of 3028	2432	CMD.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nerestpc\NerestPC.exe
"C:\Users\Admin\AppData\Local\Temp\Nerestpc\NerestPC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\NerestPCFree 0.32.3.exe
  "C:\Users\Admin\AppData\Local\Temp\NerestPCFree 0.32.3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\xclient.exe
  "C:\Users\Admin\AppData\Local\Temp\xclient.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "TeamViewer Host" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "TeamViewer Host" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe"
      4⤵
      PID:5136
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:2140
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "7-Zip" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft Publisher.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "7-Zip" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft Publisher.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1700
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5484
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3764
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5312
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5868
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5808
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3568
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:2164
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5528
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1896
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:4544
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5888
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:4904
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5072
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:3028
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2956
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2768
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5912
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5820
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2112
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:236
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4532
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3892
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5804
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:936
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2000
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2020
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2556
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5288
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4112
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1220
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:392
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5744
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2660
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4876
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5504
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:4792
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1392
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4868
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5888
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1488
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4420
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4508
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2260
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2864
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2680
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5136
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5516
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4272
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1976
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:248
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2096
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1240
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1156
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:3960
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2860
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1884
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1908
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ubsyrd42.biw.exe"' & exit
    3⤵
    PID:2664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ubsyrd42.biw.exe"'
      4⤵
      Loads dropped DLL
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5300
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ubsyrd42.biw.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ubsyrd42.biw.exe"
        5⤵
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:844
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:672
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1328
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2896
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2068
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2192
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5400
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5192
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4836
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5428
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5404
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:748
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3876
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4864
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3808
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5912
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3144
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1012
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5388
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\msvdczr0.thi.exe"' & exit
    3⤵
    PID:1988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\msvdczr0.thi.exe"'
      4⤵
      Loads dropped DLL
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2488
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\msvdczr0.thi.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\msvdczr0.thi.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5328
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5864
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:2744
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3996
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:3512
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2556
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2564
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5520
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6040
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4960
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4964
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5292
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1016
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4384
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:896
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:6036
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:4144
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iuvf4gzw.zm0.exe"' & exit
    3⤵
    PID:5400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iuvf4gzw.zm0.exe"'
      4⤵
      Loads dropped DLL
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4772
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iuvf4gzw.zm0.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iuvf4gzw.zm0.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:732
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:8
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4888
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2120
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2448
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3028
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:2504
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5136
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:4668
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1188
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:3156
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4496
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1540
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:960
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:692
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1424
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:2800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\qwamczbh.ydq.exe"' & exit
    3⤵
    PID:5376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\qwamczbh.ydq.exe"'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5384
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\qwamczbh.ydq.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\qwamczbh.ydq.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3640
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:492
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1108
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:2720
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1196
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3472
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3700
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:4244
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3832
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1088
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5616
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1268
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4684
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5504
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3152
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5476
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4852
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4124
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4976
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5428
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3440
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2404
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\p0q4paky.2gq.exe"' & exit
    3⤵
    PID:2260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\p0q4paky.2gq.exe"'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1788
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\p0q4paky.2gq.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\p0q4paky.2gq.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 320
        6⤵
        Program crash
        
        PID:4272
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3500
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:2012
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1372
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:4360
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4340
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5776
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5992
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5056
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1852
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3644
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3996
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1928
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:800
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1080
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2920
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5000
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3700
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mwmo35ej.umk.exe"' & exit
    3⤵
    PID:4712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mwmo35ej.umk.exe"'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5512
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mwmo35ej.umk.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mwmo35ej.umk.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:580
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4236
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:6020
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3980
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1416
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:904
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2388
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5192
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4532
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1364
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1840
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2120
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4704
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2144
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:2696
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2248
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2960
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3364
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:3156
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kl4ycsfo.dwu.exe"' & exit
    3⤵
    PID:5516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kl4ycsfo.dwu.exe"'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5676
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kl4ycsfo.dwu.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kl4ycsfo.dwu.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:780
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kl4ycsfo.dwuSrv.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kl4ycsfo.dwuSrv.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 324
        7⤵
        Program crash
        
        PID:3792
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:692
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5248
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3184
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:468
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5416
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3116
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1092
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:424
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1524
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:2860
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3160
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2140
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5804
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5380
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:772
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1220
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3660
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3672
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\poa5cgck.cno.exe"' & exit
    3⤵
    PID:5572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\poa5cgck.cno.exe"'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3488
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\poa5cgck.cno.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\poa5cgck.cno.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:5080
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4260
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5088
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:1408
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1152
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5736
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2128
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3360
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1752
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2688
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5916
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:6096
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5020
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3104
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5960
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4384
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jfnqdhoe.ki0.exe"' & exit
    3⤵
    PID:4816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jfnqdhoe.ki0.exe"'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4544
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jfnqdhoe.ki0.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jfnqdhoe.ki0.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jfnqdhoe.ki0Srv.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jfnqdhoe.ki0Srv.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 320
        7⤵
        Program crash
        
        PID:4148
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5788
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5208
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:3464
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1548
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4380
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4400
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:2464
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5276
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5980
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2456
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:4704
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:5896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
PID:1424

C:\Windows\explorer.exe
explorer.exe
1⤵
- Loads dropped DLL
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5128 -ip 5128
1⤵
PID:5820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6124

C:\Users\Admin\AppData\Roaming\xdwdMicrosoft Publisher.exe
"C:\Users\Admin\AppData\Roaming\xdwdMicrosoft Publisher.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1040
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
  2⤵
  PID:4660
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
    3⤵
    PID:5668
- C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe
  "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:916
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1928
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:5868
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3888
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST & exit
    3⤵
    PID:6032
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\AppData\Roaming\xdwdCamtasia Upgrade.exe" /RL HIGHEST
      4⤵
      PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3664 -ip 3664
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2468 -ip 2468
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NerestPCFree 0.32.3.exe

Filesize
9.4MB

MD5
528865813ccd9f4993ebfaa940ffb508

SHA1
489edf8a9b2a3e8e7d9eebec4d1acd776b71e51b

SHA256
d873e0097be4144f1b23e3d932587a18d5600d8d64071d53763d27cafe58f8e8

SHA512
e6d55a53310640ff42d3bd7c01b1885773b38784e0c954112528dcd59ccbadbe986db95bb6c19b7c32177fa80c62880a5288b761f677510677cc605708fe7b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzbqkgga.opz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xclient.exe

Filesize
439KB

MD5
ad3c41feb952eb2cdeb2062289a31a57

SHA1
8eedb35c097ed90328eb7f8ab86e289605047c3c

SHA256
408f3ca49646b3100c90ec3cc1bf95c80aba7d963ca4e16e60affa022489a0e4

SHA512
7bdef6e8f05cff6eeeb9fd2bba4860fb34295deee4c15c6fa898d646598216cdc31880f8c5792cd4a1fa22852f47594a7b4cee7d0b5bfd9f6e2bbb47e1341f06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jfnqdhoe.ki0Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\msvdczr0.thi.exe

Filesize
20KB

MD5
19796e0d82a76be6dafa5cb7b80e2506

SHA1
ce7d0842683febfbc4e52278a25f75e29ccf6155

SHA256
65d4c633bf347ed4766dbb6e003776a017ccb632d73c6138c3e880a94c114c2d

SHA512
049111891524683fd63036355f02006ca1fd69478aa9597050f1bbeda256b25ce9f28684df80d169d50dcc01a8cbdb17e78b82ea4d49d71b9ee72588bd1e6fbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ubsyrd42.biw.exe

Filesize
397KB

MD5
44389df0bb2ceb3fa78b427bea5b7bf7

SHA1
4cbcc4f402286fa9154557acb946ecc9094e6f2a

SHA256
438ffdcca6f1ebc960d322d290d03deb8d5e3812e29c8b77c18dbeeea5b6375a

SHA512
d0ba596ab0a9871ebb38a6c44d286f528c645394f9b68c39ef47fc03edd2feb95386a49b14fb77179214a262e6c4bf7b05b3bd22ba0c7a650e929e116f092518

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/780-2436-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/780-2457-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/780-2454-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/780-2451-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/780-2438-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/780-2434-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/780-2429-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/780-2479-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/780-2474-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/844-1093-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1488-27-0x00007FFA709F0000-0x00007FFA714B2000-memory.dmp

Filesize
10.8MB

Download
memory/1488-1-0x0000000000730000-0x000000000102C000-memory.dmp

Filesize
9.0MB

Download
memory/1488-0-0x00007FFA709F3000-0x00007FFA709F5000-memory.dmp

Filesize
8KB

Download
memory/1488-3-0x00007FFA709F0000-0x00007FFA714B2000-memory.dmp

Filesize
10.8MB

Download
memory/3152-2475-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3152-2469-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3400-370-0x000000001D3E0000-0x000000001D526000-memory.dmp

Filesize
1.3MB

Download
memory/3400-33-0x00007FFA709F0000-0x00007FFA714B2000-memory.dmp

Filesize
10.8MB

Download
memory/3400-993-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/3400-25-0x00000000006B0000-0x0000000000724000-memory.dmp

Filesize
464KB

Download
memory/3400-153-0x000000001BA60000-0x000000001BA7E000-memory.dmp

Filesize
120KB

Download
memory/3400-152-0x00000000028D0000-0x00000000028DC000-memory.dmp

Filesize
48KB

Download
memory/3400-151-0x000000001D160000-0x000000001D1D6000-memory.dmp

Filesize
472KB

Download
memory/3400-26-0x00007FFA709F0000-0x00007FFA714B2000-memory.dmp

Filesize
10.8MB

Download
memory/5076-29-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/5076-31-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/5076-30-0x0000000000B40000-0x0000000001D0E000-memory.dmp

Filesize
17.8MB

Download
memory/5080-2453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5128-2024-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5128-2048-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5300-999-0x0000015D55000000-0x0000015D55022000-memory.dmp

Filesize
136KB

Download