quasar | cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb

Analysis

max time kernel
147s
max time network
84s
platform
windows7_x64
resource
win7
submitted
17-07-2020 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Timsistem_Product_Specifications - 2020.07.17.exe
Size

759KB
MD5

6998368a7e9f5e063f5b5a0090112545
SHA1

c7659c9e1b683d7044267b6960a30ca6473ca945
SHA256

cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb
SHA512

d5044c8d53cfa2483b9f923fd2eca3f9c50ff97712ac36a2d33792ef7fc5ee9cbf504128d9a280130668cadb49b132f6de278fdbbc58b18ee07b5ee0e3bc210e

Score

10^/10

quasar spyware trojan upx

Malware Config

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	31	api.ipify.org	Process not Found
	34	ip-api.com	Process not Found
	2	ip-api.com	Process not Found
File created		C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe:ZoneIdentifier	notepad.exe

Executes dropped EXE 64 IoCs

pid	Process
1600	taskmgr.exe
752	taskmgr.exe
1128	taskmgr.exe
1896	svchost.exe
1876	taskmgr.exe
1152	taskmgr.exe
1632	taskmgr.exe
1988	taskmgr.exe
2020	taskmgr.exe
2040	taskmgr.exe
1500	svchost.exe
1596	taskmgr.exe
864	taskmgr.exe
1036	taskmgr.exe
1852	taskmgr.exe
1060	taskmgr.exe
1908	taskmgr.exe
1652	svchost.exe
2024	taskmgr.exe
2016	taskmgr.exe
1564	taskmgr.exe
1056	taskmgr.exe
2020	taskmgr.exe
1048	taskmgr.exe
1692	svchost.exe
1128	taskmgr.exe
1852	taskmgr.exe
1576	taskmgr.exe
2004	taskmgr.exe
1556	taskmgr.exe
1584	taskmgr.exe
652	svchost.exe
1496	taskmgr.exe
1460	taskmgr.exe
792	taskmgr.exe
660	taskmgr.exe
1868	taskmgr.exe
1844	taskmgr.exe
1620	svchost.exe
1852	taskmgr.exe
1748	taskmgr.exe
1544	taskmgr.exe
1092	taskmgr.exe
1308	taskmgr.exe
1956	taskmgr.exe
1516	svchost.exe
1560	taskmgr.exe
1700	taskmgr.exe
1920	taskmgr.exe
1876	taskmgr.exe
1960	taskmgr.exe
468	taskmgr.exe
1332	svchost.exe
1476	taskmgr.exe
1464	taskmgr.exe
1164	taskmgr.exe
1044	taskmgr.exe
1460	taskmgr.exe
1412	taskmgr.exe
1128	svchost.exe
1808	taskmgr.exe
1844	taskmgr.exe
1568	taskmgr.exe
1672	taskmgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/752-12-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/752-7-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/752-13-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs	notepad.exe

Loads dropped DLL 52 IoCs

pid	Process
240	notepad.exe
240	notepad.exe
752	taskmgr.exe
752	taskmgr.exe
2020	taskmgr.exe
1060	taskmgr.exe
2020	taskmgr.exe
1556	taskmgr.exe
1868	taskmgr.exe
1308	taskmgr.exe
1960	taskmgr.exe
1460	taskmgr.exe
1960	taskmgr.exe
1888	taskmgr.exe
1916	taskmgr.exe
1476	taskmgr.exe
2028	taskmgr.exe
2024	taskmgr.exe
1048	taskmgr.exe
1900	notepad.exe
1900	notepad.exe
1344	taskmgr.exe
1344	taskmgr.exe
1008	cmd.exe
1704	cmd.exe
960	cmd.exe
1052	cmd.exe
1844	cmd.exe
660	cmd.exe
1576	cmd.exe
1256	cmd.exe
1416	cmd.exe
1704	cmd.exe
888	cmd.exe
1816	cmd.exe
1584	cmd.exe
1484	cmd.exe
1212	cmd.exe
1136	cmd.exe
1340	cmd.exe
1920	cmd.exe
596	cmd.exe
1660	cmd.exe
1944	cmd.exe
1208	cmd.exe
1900	cmd.exe
1004	cmd.exe
1616	cmd.exe
944	cmd.exe
1780	cmd.exe
1256	cmd.exe
2240	cmd.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
31	api.ipify.org
34	ip-api.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 752	1600	taskmgr.exe	26
PID 1876 set thread context of 1152	1876	taskmgr.exe	34
PID 1988 set thread context of 2020	1988	taskmgr.exe	37
PID 1596 set thread context of 864	1596	taskmgr.exe	44
PID 1852 set thread context of 1060	1852	taskmgr.exe	47
PID 2024 set thread context of 2016	2024	taskmgr.exe	54
PID 1056 set thread context of 2020	1056	taskmgr.exe	57
PID 1128 set thread context of 1852	1128	taskmgr.exe	64
PID 2004 set thread context of 1556	2004	taskmgr.exe	67
PID 1496 set thread context of 1460	1496	taskmgr.exe	74
PID 660 set thread context of 1868	660	taskmgr.exe	77
PID 1852 set thread context of 1748	1852	taskmgr.exe	84
PID 1092 set thread context of 1308	1092	taskmgr.exe	87
PID 1560 set thread context of 1700	1560	taskmgr.exe	94
PID 1876 set thread context of 1960	1876	taskmgr.exe	97
PID 1476 set thread context of 1464	1476	taskmgr.exe	104
PID 1044 set thread context of 1460	1044	taskmgr.exe	107
PID 1808 set thread context of 1844	1808	taskmgr.exe	114
PID 1672 set thread context of 1960	1672	taskmgr.exe	117
PID 1824 set thread context of 1596	1824	taskmgr.exe	124
PID 1376 set thread context of 1888	1376	taskmgr.exe	127
PID 304 set thread context of 1448	304	taskmgr.exe	134
PID 1964 set thread context of 1916	1964	taskmgr.exe	137
PID 1992 set thread context of 1684	1992	taskmgr.exe	144
PID 1888 set thread context of 1476	1888	taskmgr.exe	147
PID 1560 set thread context of 1372	1560	taskmgr.exe	154
PID 1908 set thread context of 2028	1908	taskmgr.exe	157
PID 1816 set thread context of 1956	1816	taskmgr.exe	164
PID 828 set thread context of 2024	828	taskmgr.exe	167
PID 1584 set thread context of 1816	1584	taskmgr.exe	176
PID 1460 set thread context of 1048	1460	taskmgr.exe	179
PID 1964 set thread context of 1512	1964	taskmgr.exe	186
PID 1308 set thread context of 1344	1308	taskmgr.exe	189
PID 1172 set thread context of 1560	1172	taskmgr.exe	196
PID 292 set thread context of 1200	292	taskmgr.exe	209
PID 624 set thread context of 592	624	taskmgr.exe	212
PID 328 set thread context of 972	328	taskmgr.exe	221
PID 820 set thread context of 1792	820	taskmgr.exe	220
PID 1288 set thread context of 1888	1288	taskmgr.exe	230
PID 1612 set thread context of 1836	1612	taskmgr.exe	234
PID 580 set thread context of 1392	580	taskmgr.exe	240
PID 1924 set thread context of 1068	1924	taskmgr.exe	246
PID 796 set thread context of 1716	796	taskmgr.exe	250
PID 1624 set thread context of 1608	1624	taskmgr.exe	268
PID 992 set thread context of 1004	992	taskmgr.exe	272
PID 1264 set thread context of 536	1264	taskmgr.exe	275
PID 1860 set thread context of 1888	1860	taskmgr.exe	317
PID 1940 set thread context of 844	1940	taskmgr.exe	320
PID 1824 set thread context of 1068	1824	taskmgr.exe	333
PID 688 set thread context of 592	688	taskmgr.exe	336
PID 908 set thread context of 1464	908	taskmgr.exe	337
PID 276 set thread context of 1744	276	taskmgr.exe	339
PID 964 set thread context of 580	964	taskmgr.exe	340
PID 364 set thread context of 784	364	taskmgr.exe	346
PID 1492 set thread context of 1240	1492	taskmgr.exe	349
PID 1116 set thread context of 832	1116	taskmgr.exe	347
PID 1472 set thread context of 2024	1472	taskmgr.exe	355
PID 1996 set thread context of 1256	1996	taskmgr.exe	364
PID 828 set thread context of 1048	828	taskmgr.exe	363
PID 300 set thread context of 924	300	taskmgr.exe	365
PID 1012 set thread context of 948	1012	taskmgr.exe	374
PID 624 set thread context of 2032	624	taskmgr.exe	453
PID 1184 set thread context of 364	1184	taskmgr.exe	456
PID 592 set thread context of 984	592	taskmgr.exe	489

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1672	schtasks.exe
1884	schtasks.exe
1504	schtasks.exe
568	schtasks.exe
780	schtasks.exe
524	schtasks.exe
1932	schtasks.exe
1820	schtasks.exe
568	schtasks.exe
904	schtasks.exe
1164	schtasks.exe
1868	schtasks.exe
1460	schtasks.exe
1788	schtasks.exe
1472	schtasks.exe
1548	schtasks.exe
1496	schtasks.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe:ZoneIdentifier	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe:ZoneIdentifier	notepad.exe

Runs ping.exe 1 TTPs 45 IoCs

Remote System Discovery

T1018

pid	Process
1724	PING.EXE
840	PING.EXE
968	PING.EXE
2996	PING.EXE
672	PING.EXE
1596	PING.EXE
1208	PING.EXE
1268	PING.EXE
2308	PING.EXE
2928	PING.EXE
1992	PING.EXE
996	PING.EXE
1460	PING.EXE
1956	PING.EXE
1204	PING.EXE
836	PING.EXE
2360	PING.EXE
2692	PING.EXE
624	PING.EXE
1068	PING.EXE
296	PING.EXE
2948	PING.EXE
1412	PING.EXE
1184	PING.EXE
984	PING.EXE
1236	PING.EXE
1200	PING.EXE
604	PING.EXE
1352	PING.EXE
1716	PING.EXE
2996	PING.EXE
2304	PING.EXE
2304	PING.EXE
2452	PING.EXE
1188	PING.EXE
1880	PING.EXE
1860	PING.EXE
2604	PING.EXE
2872	PING.EXE
2064	PING.EXE
2008	PING.EXE
1708	PING.EXE
1788	PING.EXE
908	PING.EXE
1192	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	Timsistem_Product_Specifications - 2020.07.17.exe
1600	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1896	svchost.exe
1128	taskmgr.exe
1876	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1632	taskmgr.exe
1988	taskmgr.exe
2040	taskmgr.exe
2040	taskmgr.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1600	taskmgr.exe
1876	taskmgr.exe
1988	taskmgr.exe
1596	taskmgr.exe
1852	taskmgr.exe
2024	taskmgr.exe
1056	taskmgr.exe
1128	taskmgr.exe
2004	taskmgr.exe
1496	taskmgr.exe
660	taskmgr.exe
1852	taskmgr.exe
1092	taskmgr.exe
1560	taskmgr.exe
1876	taskmgr.exe
1476	taskmgr.exe
1044	taskmgr.exe
1808	taskmgr.exe
1672	taskmgr.exe
1824	taskmgr.exe
1376	taskmgr.exe
304	taskmgr.exe
1964	taskmgr.exe
1992	taskmgr.exe
1888	taskmgr.exe
1560	taskmgr.exe
1908	taskmgr.exe
1816	taskmgr.exe
828	taskmgr.exe
1584	taskmgr.exe
1460	taskmgr.exe
1964	taskmgr.exe
1308	taskmgr.exe
1172	taskmgr.exe
292	taskmgr.exe
624	taskmgr.exe
820	taskmgr.exe
328	taskmgr.exe
1288	taskmgr.exe
1612	taskmgr.exe
580	taskmgr.exe
1924	taskmgr.exe
796	taskmgr.exe
1624	taskmgr.exe
992	taskmgr.exe
1264	taskmgr.exe
1860	taskmgr.exe
1940	taskmgr.exe
1824	taskmgr.exe
688	taskmgr.exe
908	taskmgr.exe
276	taskmgr.exe
964	taskmgr.exe
364	taskmgr.exe
1492	taskmgr.exe
1116	taskmgr.exe
1472	taskmgr.exe
1996	taskmgr.exe
828	taskmgr.exe
300	taskmgr.exe
1012	taskmgr.exe
624	taskmgr.exe
1184	taskmgr.exe
592	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	taskmgr.exe
Token: SeDebugPrivilege	1152	taskmgr.exe
Token: SeDebugPrivilege	2020	taskmgr.exe
Token: SeDebugPrivilege	864	taskmgr.exe
Token: SeDebugPrivilege	1060	taskmgr.exe
Token: SeDebugPrivilege	2016	taskmgr.exe
Token: SeDebugPrivilege	2020	taskmgr.exe
Token: SeDebugPrivilege	1852	taskmgr.exe
Token: SeDebugPrivilege	1556	taskmgr.exe
Token: SeDebugPrivilege	1460	taskmgr.exe
Token: SeDebugPrivilege	1868	taskmgr.exe
Token: SeDebugPrivilege	1748	taskmgr.exe
Token: SeDebugPrivilege	1308	taskmgr.exe
Token: SeDebugPrivilege	1700	taskmgr.exe
Token: SeDebugPrivilege	1960	taskmgr.exe
Token: SeDebugPrivilege	1464	taskmgr.exe
Token: SeDebugPrivilege	1460	taskmgr.exe
Token: SeDebugPrivilege	1844	taskmgr.exe
Token: SeDebugPrivilege	1960	taskmgr.exe
Token: SeDebugPrivilege	1596	taskmgr.exe
Token: SeDebugPrivilege	1888	taskmgr.exe
Token: SeDebugPrivilege	1448	taskmgr.exe
Token: SeDebugPrivilege	1916	taskmgr.exe
Token: SeDebugPrivilege	1684	taskmgr.exe
Token: SeDebugPrivilege	1476	taskmgr.exe
Token: SeDebugPrivilege	1372	taskmgr.exe
Token: SeDebugPrivilege	2028	taskmgr.exe
Token: SeDebugPrivilege	1956	taskmgr.exe
Token: SeDebugPrivilege	2024	taskmgr.exe
Token: SeDebugPrivilege	1816	taskmgr.exe
Token: SeDebugPrivilege	1048	taskmgr.exe
Token: SeDebugPrivilege	1344	taskmgr.exe
Token: SeDebugPrivilege	1512	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 240	1496	Timsistem_Product_Specifications - 2020.07.17.exe	24
PID 1496 wrote to memory of 240	1496	Timsistem_Product_Specifications - 2020.07.17.exe	24
PID 1496 wrote to memory of 240	1496	Timsistem_Product_Specifications - 2020.07.17.exe	24
PID 1496 wrote to memory of 240	1496	Timsistem_Product_Specifications - 2020.07.17.exe	24
PID 1496 wrote to memory of 240	1496	Timsistem_Product_Specifications - 2020.07.17.exe	24
PID 1496 wrote to memory of 240	1496	Timsistem_Product_Specifications - 2020.07.17.exe	24
PID 240 wrote to memory of 1600	240	notepad.exe	25
PID 240 wrote to memory of 1600	240	notepad.exe	25
PID 240 wrote to memory of 1600	240	notepad.exe	25
PID 240 wrote to memory of 1600	240	notepad.exe	25
PID 1600 wrote to memory of 752	1600	taskmgr.exe	26
PID 1600 wrote to memory of 752	1600	taskmgr.exe	26
PID 1600 wrote to memory of 752	1600	taskmgr.exe	26
PID 1600 wrote to memory of 752	1600	taskmgr.exe	26
PID 1600 wrote to memory of 1128	1600	taskmgr.exe	27
PID 1600 wrote to memory of 1128	1600	taskmgr.exe	27
PID 1600 wrote to memory of 1128	1600	taskmgr.exe	27
PID 1600 wrote to memory of 1128	1600	taskmgr.exe	27
PID 752 wrote to memory of 1868	752	taskmgr.exe	29
PID 752 wrote to memory of 1868	752	taskmgr.exe	29
PID 752 wrote to memory of 1868	752	taskmgr.exe	29
PID 752 wrote to memory of 1868	752	taskmgr.exe	29
PID 752 wrote to memory of 1896	752	taskmgr.exe	31
PID 752 wrote to memory of 1896	752	taskmgr.exe	31
PID 752 wrote to memory of 1896	752	taskmgr.exe	31
PID 752 wrote to memory of 1896	752	taskmgr.exe	31
PID 1896 wrote to memory of 1828	1896	svchost.exe	32
PID 1896 wrote to memory of 1828	1896	svchost.exe	32
PID 1896 wrote to memory of 1828	1896	svchost.exe	32
PID 1896 wrote to memory of 1828	1896	svchost.exe	32
PID 1896 wrote to memory of 1828	1896	svchost.exe	32
PID 1896 wrote to memory of 1828	1896	svchost.exe	32
PID 1128 wrote to memory of 1876	1128	taskmgr.exe	33
PID 1128 wrote to memory of 1876	1128	taskmgr.exe	33
PID 1128 wrote to memory of 1876	1128	taskmgr.exe	33
PID 1128 wrote to memory of 1876	1128	taskmgr.exe	33
PID 1876 wrote to memory of 1152	1876	taskmgr.exe	34
PID 1876 wrote to memory of 1152	1876	taskmgr.exe	34
PID 1876 wrote to memory of 1152	1876	taskmgr.exe	34
PID 1876 wrote to memory of 1152	1876	taskmgr.exe	34
PID 1876 wrote to memory of 1632	1876	taskmgr.exe	35
PID 1876 wrote to memory of 1632	1876	taskmgr.exe	35
PID 1876 wrote to memory of 1632	1876	taskmgr.exe	35
PID 1876 wrote to memory of 1632	1876	taskmgr.exe	35
PID 1632 wrote to memory of 1988	1632	taskmgr.exe	36
PID 1632 wrote to memory of 1988	1632	taskmgr.exe	36
PID 1632 wrote to memory of 1988	1632	taskmgr.exe	36
PID 1632 wrote to memory of 1988	1632	taskmgr.exe	36
PID 1988 wrote to memory of 2020	1988	taskmgr.exe	37
PID 1988 wrote to memory of 2020	1988	taskmgr.exe	37
PID 1988 wrote to memory of 2020	1988	taskmgr.exe	37
PID 1988 wrote to memory of 2020	1988	taskmgr.exe	37
PID 1988 wrote to memory of 2040	1988	taskmgr.exe	38
PID 1988 wrote to memory of 2040	1988	taskmgr.exe	38
PID 1988 wrote to memory of 2040	1988	taskmgr.exe	38
PID 1988 wrote to memory of 2040	1988	taskmgr.exe	38
PID 2020 wrote to memory of 1460	2020	taskmgr.exe	39
PID 2020 wrote to memory of 1460	2020	taskmgr.exe	39
PID 2020 wrote to memory of 1460	2020	taskmgr.exe	39
PID 2020 wrote to memory of 1460	2020	taskmgr.exe	39
PID 2020 wrote to memory of 1500	2020	taskmgr.exe	41
PID 2020 wrote to memory of 1500	2020	taskmgr.exe	41
PID 2020 wrote to memory of 1500	2020	taskmgr.exe	41
PID 2020 wrote to memory of 1500	2020	taskmgr.exe	41

C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.17.exe
"C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.17.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Quasar RAT
  - Drops startup file
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1868
    - - C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        6⤵
        
        PID:1828
  - - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 752 61308
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
      - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1152 65723
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        9⤵
        Creates scheduled task(s)
        
        PID:1460
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        9⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        10⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 2020 67517
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 864 69358
        10⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        13⤵
        Creates scheduled task(s)
        
        PID:1932
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        13⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        14⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1060 71167
        12⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 2016 73195
        14⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        17⤵
        Creates scheduled task(s)
        
        PID:1820
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        17⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        18⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 2020 75052
        16⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1852 76970
        18⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        21⤵
        Creates scheduled task(s)
        
        PID:1548
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        21⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        22⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1556 78811
        20⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1460 80902
        22⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:660
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        25⤵
        Creates scheduled task(s)
        
        PID:568
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        25⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        26⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1868 82758
        24⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1748 84474
        26⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        29⤵
        Creates scheduled task(s)
        
        PID:1504
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        29⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        30⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1308 86221
        28⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1700 88031
        30⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        33⤵
        Creates scheduled task(s)
        
        PID:904
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        33⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        34⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1960 89809
        32⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1464 91588
        34⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        37⤵
        Creates scheduled task(s)
        
        PID:568
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        37⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        38⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1460 93304
        36⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1844 94989
        38⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        40⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        41⤵
        Creates scheduled task(s)
        
        PID:1496
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        41⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        42⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1960 96907
        40⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        41⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        42⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1596 98639
        42⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        43⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        44⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        45⤵
        Creates scheduled task(s)
        
        PID:780
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        45⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        46⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1888 100495
        44⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        45⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:304
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        46⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1448 102118
        46⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        47⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        48⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        49⤵
        Creates scheduled task(s)
        
        PID:524
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        49⤵
        
        PID:568
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        50⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1916 103865
        48⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        49⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        50⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1684 105659
        50⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        51⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        52⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        53⤵
        Creates scheduled task(s)
        
        PID:1788
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        53⤵
        
        PID:792
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        54⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1476 107375
        52⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        53⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        54⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1372 109169
        54⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        56⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        57⤵
        Creates scheduled task(s)
        
        PID:1672
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        57⤵
        
        PID:988
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        58⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 2028 121150
        56⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        57⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        58⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1956 123100
        58⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        59⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        60⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        61⤵
        Creates scheduled task(s)
        
        PID:1884
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        61⤵
        
        PID:584
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        62⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 2024 124925
        60⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        62⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1816 126844
        62⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        63⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        64⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        65⤵
        Creates scheduled task(s)
        
        PID:1472
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        65⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        66⤵
        Drops startup file
        Loads dropped DLL
        NTFS ADS
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        67⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        68⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        69⤵
        Creates scheduled task(s)
        
        PID:1164
        
        C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        69⤵
        
        PID:628
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        70⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1344 130744
        68⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        69⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1172
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        70⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8OiJL4WJP46M.bat" "
        71⤵
        Loads dropped DLL
        
        PID:1008
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        72⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        72⤵
        Runs ping.exe
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        72⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:292
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        73⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQSRBa1Qn6Uk.bat" "
        74⤵
        Loads dropped DLL
        
        PID:1704
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        75⤵
        
        PID:916
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        75⤵
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        76⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JICzjauT420W.bat" "
        77⤵
        Loads dropped DLL
        
        PID:1576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        78⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        78⤵
        Runs ping.exe
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        78⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:688
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4wK2yfBAZ1c.bat" "
        80⤵
        Loads dropped DLL
        
        PID:1136
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        81⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        81⤵
        Runs ping.exe
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yfHGlIAadULa.bat" "
        83⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        84⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        84⤵
        Runs ping.exe
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        84⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 828 178948
        82⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 592 152054
        79⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mb0UE7LKJnlA.bat" "
        82⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        83⤵
        Runs ping.exe
        
        PID:1412
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1848 183644
        81⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1792 137296
        76⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        78⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\p8NOwmk8yeLP.bat" "
        79⤵
        Loads dropped DLL
        
        PID:596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        80⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        80⤵
        Runs ping.exe
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:592
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TrEjjjoe1QuX.bat" "
        82⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        83⤵
        Runs ping.exe
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 984 178839
        81⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 844 151180
        78⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yFlh6r1PkHTx.bat" "
        81⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 820 178808
        80⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1200 134894
        73⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        74⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        75⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\saTn288hlVs4.bat" "
        76⤵
        Loads dropped DLL
        
        PID:1052
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        77⤵
        
        PID:360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        77⤵
        Runs ping.exe
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:796
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        78⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESjcPSuGwQkw.bat" "
        79⤵
        Loads dropped DLL
        
        PID:1416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        80⤵
        
        PID:900
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        80⤵
        Runs ping.exe
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:364
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fI1pJ7KOwnrL.bat" "
        82⤵
        Loads dropped DLL
        
        PID:1944
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        83⤵
        Runs ping.exe
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        84⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 684 188886
        84⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 784 154284
        81⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:128
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZClbx4yk95id.bat" "
        84⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        85⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        85⤵
        Runs ping.exe
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 280 184346
        83⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1716 143208
        78⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:276
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PrnViU7lhFPF.bat" "
        81⤵
        Loads dropped DLL
        
        PID:1340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qLJeqvjVEIJZ.bat" "
        84⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        85⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        85⤵
        Runs ping.exe
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 916 183581
        83⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1744 153068
        80⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 596 183737
        82⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 972 137452
        75⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        76⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        77⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2M30PN1h7zuk.bat" "
        78⤵
        Loads dropped DLL
        
        PID:1704
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        79⤵
        
        PID:948
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        79⤵
        Runs ping.exe
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ug0tjLXPcgJs.bat" "
        81⤵
        Loads dropped DLL
        
        PID:1900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JdMq2siOPt26.bat" "
        84⤵
        
        PID:920
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        85⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        85⤵
        Runs ping.exe
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 968 186639
        83⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 832 154659
        80⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 108 187513
        82⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1068 141992
        77⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        78⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\L1K9NN8Yad9f.bat" "
        80⤵
        Loads dropped DLL
        
        PID:1484
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        81⤵
        
        PID:108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        81⤵
        Runs ping.exe
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\atrCJE8H32IL.bat" "
        83⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        84⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        84⤵
        Runs ping.exe
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        84⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 364 176265
        82⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 580 153161
        79⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dDulYsxqHVJ3.bat" "
        82⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        83⤵
        Runs ping.exe
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1132 183472
        81⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1560 132912
        70⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        72⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2IfvKEVjIi8h.bat" "
        73⤵
        Loads dropped DLL
        
        PID:960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        74⤵
        
        PID:892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        74⤵
        Runs ping.exe
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        74⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        75⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GXyHdYlWYy0h.bat" "
        76⤵
        Loads dropped DLL
        
        PID:660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        77⤵
        
        PID:592
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        77⤵
        Runs ping.exe
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        78⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSV8lJ3v9tNq.bat" "
        79⤵
        Loads dropped DLL
        
        PID:1920
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        80⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        80⤵
        Runs ping.exe
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQdUeu4zmca4.bat" "
        82⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        83⤵
        Runs ping.exe
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1508 178886
        81⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1068 151960
        78⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3Lo57h20rdQc.bat" "
        81⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 840 182942
        80⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1392 140619
        75⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        76⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        77⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mX5DoTjzM3X8.bat" "
        78⤵
        Loads dropped DLL
        
        PID:1584
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        79⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        79⤵
        Runs ping.exe
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ypi5XMBsRwtF.bat" "
        81⤵
        Loads dropped DLL
        
        PID:1004
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:968
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 2012 187840
        83⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1048 163957
        80⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 536 146672
        77⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        78⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FvHlMX7yTHC1.bat" "
        80⤵
        Loads dropped DLL
        
        PID:1208
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        81⤵
        
        PID:928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        81⤵
        Runs ping.exe
        
        PID:296
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1240 154347
        79⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\w2x1fYWmRtEG.bat" "
        82⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        83⤵
        Runs ping.exe
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        83⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1460 180399
        81⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 592 135502
        72⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        73⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        74⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5GyHBqhsJLjA.bat" "
        75⤵
        Loads dropped DLL
        
        PID:1844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        76⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        76⤵
        Runs ping.exe
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        76⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        77⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ItSWjJpNYe40.bat" "
        78⤵
        Loads dropped DLL
        
        PID:888
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        79⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        79⤵
        Runs ping.exe
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Qyl0XVmetif.bat" "
        81⤵
        Loads dropped DLL
        
        PID:1780
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 948 167529
        80⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1608 146297
        77⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        78⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B0dDI6Xh9aDH.bat" "
        80⤵
        Loads dropped DLL
        
        PID:1616
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        81⤵
        
        PID:956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        81⤵
        Runs ping.exe
        
        PID:1192
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        82⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 2024 160353
        79⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3yntOOr0SbeQ.bat" "
        82⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        83⤵
        Runs ping.exe
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1276 186233
        81⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1836 139215
        74⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        76⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\e8iXpwnw8bi5.bat" "
        77⤵
        Loads dropped DLL
        
        PID:1816
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        78⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        78⤵
        Runs ping.exe
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        78⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jCtGiOqasgsx.bat" "
        80⤵
        Loads dropped DLL
        
        PID:1256
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        81⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        81⤵
        Runs ping.exe
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 924 164877
        79⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1004 146594
        76⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        78⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ANJxDLtuxz6w.bat" "
        79⤵
        Loads dropped DLL
        
        PID:944
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        80⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        80⤵
        Runs ping.exe
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        81⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1256 163723
        78⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        79⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        80⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1048 128576
        64⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        65⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        66⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1512 130214
        66⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        67⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        68⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1yZWiNVBnmKB.bat" "
        69⤵
        Loads dropped DLL
        
        PID:1256
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        70⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        70⤵
        Runs ping.exe
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        70⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        71⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mTJsY3DFfh4k.bat" "
        72⤵
        Loads dropped DLL
        
        PID:1660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        73⤵
        
        PID:956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        73⤵
        Runs ping.exe
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        73⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        74⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hLOpQoDiA4KJ.bat" "
        75⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        76⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        76⤵
        Runs ping.exe
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        76⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 284 182302
        74⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        75⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1464 152397
        71⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        72⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        73⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lo77oLzVoAvY.bat" "
        74⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        75⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        75⤵
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 340 178886
        73⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        74⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1888 138747
        68⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        69⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        70⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bQ9dV6HsKSLz.bat" "
        71⤵
        Loads dropped DLL
        
        PID:1212
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        72⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        72⤵
        Runs ping.exe
        
        PID:604
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        72⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        73⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUevAkrv2Jza.bat" "
        74⤵
        
        PID:924
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        75⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        75⤵
        Runs ping.exe
        
        PID:672
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 604 183191
        73⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 1888 151086
        70⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        72⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1Q16DDo1KCwa.bat" "
        73⤵
        Loads dropped DLL
        
        PID:2240
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        74⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        74⤵
        Runs ping.exe
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        74⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 2032 174721
        72⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        73⤵
        
        PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/108-1346-0x0000000000342000-0x0000000000343000-memory.dmp

Filesize
4KB

Download
memory/240-1-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/280-1270-0x0000000001C62000-0x0000000001C63000-memory.dmp

Filesize
4KB

Download
memory/280-1268-0x0000000001CE0000-0x0000000001D42000-memory.dmp

Filesize
392KB

Download
memory/284-1203-0x0000000000292000-0x0000000000293000-memory.dmp

Filesize
4KB

Download
memory/340-1160-0x0000000001DC2000-0x0000000001DC3000-memory.dmp

Filesize
4KB

Download
memory/340-1158-0x0000000001DD0000-0x0000000001E32000-memory.dmp

Filesize
392KB

Download
memory/364-1138-0x0000000001E82000-0x0000000001E83000-memory.dmp

Filesize
4KB

Download
memory/364-1137-0x0000000000300000-0x0000000000362000-memory.dmp

Filesize
392KB

Download
memory/536-759-0x0000000000622000-0x0000000000623000-memory.dmp

Filesize
4KB

Download
memory/580-891-0x0000000001CD0000-0x0000000001D32000-memory.dmp

Filesize
392KB

Download
memory/592-856-0x0000000001DE0000-0x0000000001E42000-memory.dmp

Filesize
392KB

Download
memory/592-857-0x0000000001F12000-0x0000000001F13000-memory.dmp

Filesize
4KB

Download
memory/592-598-0x0000000001D80000-0x0000000001DE2000-memory.dmp

Filesize
392KB

Download
memory/592-600-0x0000000001E32000-0x0000000001E33000-memory.dmp

Filesize
4KB

Download
memory/596-1271-0x0000000000252000-0x0000000000253000-memory.dmp

Filesize
4KB

Download
memory/596-1269-0x0000000001D90000-0x0000000001DF2000-memory.dmp

Filesize
392KB

Download
memory/604-1252-0x0000000001DB2000-0x0000000001DB3000-memory.dmp

Filesize
4KB

Download
memory/684-1371-0x00000000003B2000-0x00000000003B3000-memory.dmp

Filesize
4KB

Download
memory/752-16-0x0000000000260000-0x00000000002BC000-memory.dmp

Filesize
368KB

Download
memory/752-15-0x00000000002D2000-0x00000000002D3000-memory.dmp

Filesize
4KB

Download
memory/752-14-0x0000000001D00000-0x0000000001D62000-memory.dmp

Filesize
392KB

Download
memory/752-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/752-12-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/752-7-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/784-915-0x00000000003F2000-0x00000000003F3000-memory.dmp

Filesize
4KB

Download
memory/820-1176-0x0000000001F92000-0x0000000001F93000-memory.dmp

Filesize
4KB

Download
memory/828-1179-0x0000000001F42000-0x0000000001F43000-memory.dmp

Filesize
4KB

Download
memory/832-922-0x00000000001C2000-0x00000000001C3000-memory.dmp

Filesize
4KB

Download
memory/840-1220-0x0000000001F52000-0x0000000001F53000-memory.dmp

Filesize
4KB

Download
memory/844-837-0x0000000002022000-0x0000000002023000-memory.dmp

Filesize
4KB

Download
memory/844-835-0x00000000002F0000-0x0000000000352000-memory.dmp

Filesize
392KB

Download
memory/864-67-0x0000000001D40000-0x0000000001DA2000-memory.dmp

Filesize
392KB

Download
memory/864-68-0x00000000005F2000-0x00000000005F3000-memory.dmp

Filesize
4KB

Download
memory/916-1244-0x0000000000232000-0x0000000000233000-memory.dmp

Filesize
4KB

Download
memory/924-997-0x0000000001E20000-0x0000000001E82000-memory.dmp

Filesize
392KB

Download
memory/924-998-0x00000000003A2000-0x00000000003A3000-memory.dmp

Filesize
4KB

Download
memory/948-1021-0x00000000002C2000-0x00000000002C3000-memory.dmp

Filesize
4KB

Download
memory/968-1325-0x0000000001E02000-0x0000000001E03000-memory.dmp

Filesize
4KB

Download
memory/968-1324-0x0000000001CF0000-0x0000000001D52000-memory.dmp

Filesize
392KB

Download
memory/984-1172-0x0000000000252000-0x0000000000253000-memory.dmp

Filesize
4KB

Download
memory/1004-752-0x0000000001CC0000-0x0000000001D22000-memory.dmp

Filesize
392KB

Download
memory/1004-753-0x0000000001DC2000-0x0000000001DC3000-memory.dmp

Filesize
4KB

Download
memory/1048-511-0x0000000000262000-0x0000000000263000-memory.dmp

Filesize
4KB

Download
memory/1048-990-0x0000000000362000-0x0000000000363000-memory.dmp

Filesize
4KB

Download
memory/1048-989-0x0000000001D30000-0x0000000001D92000-memory.dmp

Filesize
392KB

Download
memory/1048-510-0x0000000001D10000-0x0000000001D72000-memory.dmp

Filesize
392KB

Download
memory/1060-82-0x0000000000282000-0x0000000000283000-memory.dmp

Filesize
4KB

Download
memory/1060-81-0x00000000004D0000-0x0000000000532000-memory.dmp

Filesize
392KB

Download
memory/1068-695-0x0000000002072000-0x0000000002073000-memory.dmp

Filesize
4KB

Download
memory/1068-852-0x00000000002E2000-0x00000000002E3000-memory.dmp

Filesize
4KB

Download
memory/1068-849-0x0000000000540000-0x00000000005A2000-memory.dmp

Filesize
392KB

Download
memory/1132-1238-0x00000000005B2000-0x00000000005B3000-memory.dmp

Filesize
4KB

Download
memory/1152-35-0x0000000001FE2000-0x0000000001FE3000-memory.dmp

Filesize
4KB

Download
memory/1152-34-0x0000000000540000-0x00000000005A2000-memory.dmp

Filesize
392KB

Download
memory/1184-1396-0x0000000000262000-0x0000000000263000-memory.dmp

Filesize
4KB

Download
memory/1200-586-0x0000000000370000-0x00000000003D2000-memory.dmp

Filesize
392KB

Download
memory/1200-587-0x0000000001F92000-0x0000000001F93000-memory.dmp

Filesize
4KB

Download
memory/1240-916-0x0000000001F02000-0x0000000001F03000-memory.dmp

Filesize
4KB

Download
memory/1240-913-0x0000000001D20000-0x0000000001D82000-memory.dmp

Filesize
392KB

Download
memory/1256-983-0x0000000001D02000-0x0000000001D03000-memory.dmp

Filesize
4KB

Download
memory/1276-1317-0x0000000000370000-0x00000000003D2000-memory.dmp

Filesize
392KB

Download
memory/1276-1318-0x00000000003E2000-0x00000000003E3000-memory.dmp

Filesize
4KB

Download
memory/1308-214-0x00000000005B2000-0x00000000005B3000-memory.dmp

Filesize
4KB

Download
memory/1308-213-0x0000000001E00000-0x0000000001E62000-memory.dmp

Filesize
392KB

Download
memory/1344-546-0x0000000001D62000-0x0000000001D63000-memory.dmp

Filesize
4KB

Download
memory/1344-545-0x0000000001CD0000-0x0000000001D32000-memory.dmp

Filesize
392KB

Download
memory/1372-431-0x0000000000302000-0x0000000000303000-memory.dmp

Filesize
4KB

Download
memory/1372-430-0x0000000000550000-0x00000000005B2000-memory.dmp

Filesize
392KB

Download
memory/1392-678-0x0000000001EA2000-0x0000000001EA3000-memory.dmp

Filesize
4KB

Download
memory/1392-676-0x0000000001D50000-0x0000000001DB2000-memory.dmp

Filesize
392KB

Download
memory/1448-364-0x00000000005E0000-0x0000000000642000-memory.dmp

Filesize
392KB

Download
memory/1448-365-0x00000000005D2000-0x00000000005D3000-memory.dmp

Filesize
4KB

Download
memory/1460-1189-0x0000000001DE2000-0x0000000001DE3000-memory.dmp

Filesize
4KB

Download
memory/1460-166-0x0000000001D90000-0x0000000001DF2000-memory.dmp

Filesize
392KB

Download
memory/1460-280-0x0000000002002000-0x0000000002003000-memory.dmp

Filesize
4KB

Download
memory/1460-167-0x0000000001E32000-0x0000000001E33000-memory.dmp

Filesize
4KB

Download
memory/1464-266-0x00000000002B2000-0x00000000002B3000-memory.dmp

Filesize
4KB

Download
memory/1464-865-0x0000000002032000-0x0000000002033000-memory.dmp

Filesize
4KB

Download
memory/1464-265-0x00000000004D0000-0x0000000000532000-memory.dmp

Filesize
392KB

Download
memory/1464-864-0x0000000001E60000-0x0000000001EC2000-memory.dmp

Filesize
392KB

Download
memory/1476-412-0x00000000005A2000-0x00000000005A3000-memory.dmp

Filesize
4KB

Download
memory/1508-1161-0x0000000000272000-0x0000000000273000-memory.dmp

Filesize
4KB

Download
memory/1508-1159-0x0000000001E10000-0x0000000001E72000-memory.dmp

Filesize
392KB

Download
memory/1512-533-0x0000000000300000-0x0000000000362000-memory.dmp

Filesize
392KB

Download
memory/1512-535-0x0000000001E72000-0x0000000001E73000-memory.dmp

Filesize
4KB

Download
memory/1556-148-0x0000000000302000-0x0000000000303000-memory.dmp

Filesize
4KB

Download
memory/1556-147-0x0000000001D80000-0x0000000001DE2000-memory.dmp

Filesize
392KB

Download
memory/1560-567-0x0000000000252000-0x0000000000253000-memory.dmp

Filesize
4KB

Download
memory/1560-565-0x0000000000360000-0x00000000003C2000-memory.dmp

Filesize
392KB

Download
memory/1596-332-0x00000000005F2000-0x00000000005F3000-memory.dmp

Filesize
4KB

Download
memory/1608-748-0x0000000002002000-0x0000000002003000-memory.dmp

Filesize
4KB

Download
memory/1684-397-0x0000000001D20000-0x0000000001D82000-memory.dmp

Filesize
392KB

Download
memory/1684-398-0x0000000001D12000-0x0000000001D13000-memory.dmp

Filesize
4KB

Download
memory/1700-233-0x0000000001ED2000-0x0000000001ED3000-memory.dmp

Filesize
4KB

Download
memory/1700-232-0x0000000001D30000-0x0000000001D92000-memory.dmp

Filesize
392KB

Download
memory/1716-709-0x0000000001F12000-0x0000000001F13000-memory.dmp

Filesize
4KB

Download
memory/1744-880-0x0000000000570000-0x00000000005D2000-memory.dmp

Filesize
392KB

Download
memory/1744-881-0x0000000000352000-0x0000000000353000-memory.dmp

Filesize
4KB

Download
memory/1748-200-0x00000000005E2000-0x00000000005E3000-memory.dmp

Filesize
4KB

Download
memory/1748-199-0x0000000000540000-0x00000000005A2000-memory.dmp

Filesize
392KB

Download
memory/1792-685-0x00000000002E2000-0x00000000002E3000-memory.dmp

Filesize
4KB

Download
memory/1792-683-0x0000000001D30000-0x0000000001D92000-memory.dmp

Filesize
392KB

Download
memory/1816-494-0x0000000000380000-0x00000000003E2000-memory.dmp

Filesize
392KB

Download
memory/1836-660-0x0000000001FE2000-0x0000000001FE3000-memory.dmp

Filesize
4KB

Download
memory/1836-656-0x0000000000550000-0x00000000005B2000-memory.dmp

Filesize
392KB

Download
memory/1844-299-0x00000000007F2000-0x00000000007F3000-memory.dmp

Filesize
4KB

Download
memory/1848-1259-0x0000000001FE2000-0x0000000001FE3000-memory.dmp

Filesize
4KB

Download
memory/1852-134-0x0000000001F12000-0x0000000001F13000-memory.dmp

Filesize
4KB

Download
memory/1852-133-0x00000000004D0000-0x0000000000532000-memory.dmp

Filesize
392KB

Download
memory/1868-180-0x00000000004D0000-0x0000000000532000-memory.dmp

Filesize
392KB

Download
memory/1868-181-0x0000000002112000-0x0000000002113000-memory.dmp

Filesize
4KB

Download
memory/1888-646-0x0000000001DD0000-0x0000000001E32000-memory.dmp

Filesize
392KB

Download
memory/1888-346-0x0000000001F92000-0x0000000001F93000-memory.dmp

Filesize
4KB

Download
memory/1888-824-0x0000000000252000-0x0000000000253000-memory.dmp

Filesize
4KB

Download
memory/1888-648-0x0000000001F92000-0x0000000001F93000-memory.dmp

Filesize
4KB

Download
memory/1888-822-0x0000000000380000-0x00000000003E2000-memory.dmp

Filesize
392KB

Download
memory/1916-378-0x00000000004D0000-0x0000000000532000-memory.dmp

Filesize
392KB

Download
memory/1916-379-0x0000000002072000-0x0000000002073000-memory.dmp

Filesize
4KB

Download
memory/1956-464-0x0000000001E12000-0x0000000001E13000-memory.dmp

Filesize
4KB

Download
memory/1956-463-0x0000000001D50000-0x0000000001DB2000-memory.dmp

Filesize
392KB

Download
memory/1960-247-0x0000000001EC2000-0x0000000001EC3000-memory.dmp

Filesize
4KB

Download
memory/1960-313-0x00000000002A2000-0x00000000002A3000-memory.dmp

Filesize
4KB

Download
memory/2012-1345-0x0000000001D22000-0x0000000001D23000-memory.dmp

Filesize
4KB

Download
memory/2016-100-0x0000000000380000-0x00000000003E2000-memory.dmp

Filesize
392KB

Download
memory/2016-101-0x0000000002122000-0x0000000002123000-memory.dmp

Filesize
4KB

Download
memory/2020-114-0x0000000000390000-0x00000000003F2000-memory.dmp

Filesize
392KB

Download
memory/2020-115-0x0000000001F52000-0x0000000001F53000-memory.dmp

Filesize
4KB

Download
memory/2020-48-0x0000000000530000-0x0000000000592000-memory.dmp

Filesize
392KB

Download
memory/2024-478-0x0000000001F92000-0x0000000001F93000-memory.dmp

Filesize
4KB

Download
memory/2024-953-0x0000000001D40000-0x0000000001DA2000-memory.dmp

Filesize
392KB

Download
memory/2024-477-0x0000000000350000-0x00000000003B2000-memory.dmp

Filesize
392KB

Download
memory/2024-955-0x0000000001DB2000-0x0000000001DB3000-memory.dmp

Filesize
4KB

Download
memory/2028-445-0x00000000003D2000-0x00000000003D3000-memory.dmp

Filesize
4KB

Download
memory/2032-1105-0x0000000001FC2000-0x0000000001FC3000-memory.dmp

Filesize
4KB

Download
memory/2112-1435-0x0000000001D52000-0x0000000001D53000-memory.dmp

Filesize
4KB

Download
memory/2112-1433-0x0000000001E00000-0x0000000001E62000-memory.dmp

Filesize
392KB

Download
memory/2152-1432-0x0000000001F72000-0x0000000001F73000-memory.dmp

Filesize
4KB

Download
memory/2204-1460-0x0000000000812000-0x0000000000813000-memory.dmp

Filesize
4KB

Download