asyncrat | de7c7e2bd5041a2dfa106083d5742b29d0ae6b2a215f6d9a8407a82add97fbb0

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom RAT + HVNC + Stealer + Grabber.exe
Size

6.8MB
MD5

03aa135fd7386c36c636dd780f579d68
SHA1

58efdd2ed92f8c63ea1409fb3a42164beeb14d9f
SHA256

de7c7e2bd5041a2dfa106083d5742b29d0ae6b2a215f6d9a8407a82add97fbb0
SHA512

e6b54eb7743329d20a6b75d41971a96f694273586f5c7a91a32ed363df23f94914ec1d979852e2e524c3f852766154f994780de3f8ed526c8154827e5c6a73b7
SSDEEP

196608:OFy4Ju//4s1xnnDQhuWUx+BKwWS+YdU30DR7Z:eBu4gnDFuESSED7

Score

10^/10

asyncrat discord discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Discord

181.47.208.50:4449

Mutex

yqhbuwfankgiktwqwmr

Attributes

delay
1
install
true
install_file
Microsoft Update.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000800000002343e-39.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
412	powershell.exe
548	powershell.exe
3676	powershell.exe
3992	powershell.exe
3896	powershell.exe
740	powershell.exe
2368	powershell.exe
620	powershell.exe
4896	powershell.exe
1524	powershell.exe
804	powershell.exe
4416	powershell.exe
3368	powershell.exe
644	powershell.exe
4728	powershell.exe
1540	powershell.exe
4888	powershell.exe
872	powershell.exe
2380	powershell.exe
4840	powershell.exe
4592	powershell.exe
2472	powershell.exe
3068	powershell.exe
3904	powershell.exe
1692	powershell.exe
3876	powershell.exe
3540	powershell.exe
5000	powershell.exe
4116	powershell.exe
4888	powershell.exe
1564	powershell.exe
2996	powershell.exe
1180	powershell.exe
1424	powershell.exe
1596	powershell.exe
3632	powershell.exe
1232	powershell.exe
392	powershell.exe
2260	powershell.exe
64	powershell.exe
4408	powershell.exe
3048	powershell.exe
4048	powershell.exe
4964	powershell.exe
4376	powershell.exe
1956	powershell.exe
4860	powershell.exe
620	powershell.exe
3984	powershell.exe
1564	powershell.exe
1536	powershell.exe
680	powershell.exe
5112	powershell.exe
2860	powershell.exe
3304	powershell.exe
2180	powershell.exe
2040	powershell.exe
3708	powershell.exe
2556	powershell.exe
908	powershell.exe
448	powershell.exe
2796	powershell.exe
2396	powershell.exe
1560	powershell.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Venom RAT + HVNC + Stealer + Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Update.exe

Executes dropped EXE 64 IoCs

pid	Process
2040	Microsoft Update.exe
220	Microsoft Update.exe
5064	Client.exe
4072	Microsoft Update.exe
400	Client.exe
1464	Microsoft Update.exe
1880	Client.exe
2620	Microsoft Update.exe
2020	Client.exe
4408	Microsoft Update.exe
2004	Client.exe
4696	Microsoft Update.exe
744	Client.exe
2116	Microsoft Update.exe
1560	Microsoft Update.exe
1108	Client.exe
4960	Microsoft Update.exe
4984	Client.exe
2808	Microsoft Update.exe
2052	Microsoft Update.exe
2152	Microsoft Update.exe
244	Client.exe
1552	Microsoft Update.exe
1204	Client.exe
1180	Microsoft Update.exe
3820	Client.exe
3876	Microsoft Update.exe
2356	Client.exe
4836	Microsoft Update.exe
1940	Client.exe
4072	Microsoft Update.exe
3064	Client.exe
4864	Microsoft Update.exe
4140	Client.exe
2256	Microsoft Update.exe
4564	Client.exe
2620	Microsoft Update.exe
1256	Client.exe
1448	Microsoft Update.exe
3944	Client.exe
4376	Microsoft Update.exe
64	Client.exe
1420	Microsoft Update.exe
3716	Client.exe
3196	Microsoft Update.exe
1752	Client.exe
4812	Microsoft Update.exe
4948	Client.exe
5044	Microsoft Update.exe
4360	Client.exe
1376	Microsoft Update.exe
3628	Client.exe
4104	Microsoft Update.exe
4292	Client.exe
620	Microsoft Update.exe
4568	Client.exe
4912	Microsoft Update.exe
1692	Client.exe
1176	Microsoft Update.exe
1772	Client.exe
3628	Microsoft Update.exe
3900	Client.exe
3876	Microsoft Update.exe
4456	Client.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
852	timeout.exe
4948	timeout.exe
4200	timeout.exe
1932	timeout.exe
1628	timeout.exe
804	timeout.exe
4608	timeout.exe
1412	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
436	schtasks.exe
3944	schtasks.exe
1424	schtasks.exe
4420	schtasks.exe
4980	schtasks.exe
4964	schtasks.exe
1756	schtasks.exe
4592	schtasks.exe
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2368	powershell.exe
2368	powershell.exe
64	powershell.exe
64	powershell.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
3540	powershell.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
5064	Client.exe
3540	powershell.exe
5064	Client.exe
5064	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
1880	Client.exe
2996	powershell.exe
2996	powershell.exe
2020	Client.exe
2020	Client.exe
2020	Client.exe
2020	Client.exe
2020	Client.exe
2020	Client.exe
2020	Client.exe
2020	Client.exe
2020	Client.exe
2020	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	5064	Client.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	400	Client.exe
Token: SeDebugPrivilege	5064	Client.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	1880	Client.exe
Token: SeDebugPrivilege	1880	Client.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2020	Client.exe
Token: SeDebugPrivilege	2020	Client.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	2004	Client.exe
Token: SeDebugPrivilege	2004	Client.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	744	Client.exe
Token: SeDebugPrivilege	2116	Microsoft Update.exe
Token: SeDebugPrivilege	744	Client.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1108	Client.exe
Token: SeDebugPrivilege	1108	Client.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	4984	Client.exe
Token: SeDebugPrivilege	2808	Microsoft Update.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	2052	Microsoft Update.exe
Token: SeDebugPrivilege	244	Client.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1204	Client.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3820	Client.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2356	Client.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1940	Client.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	3064	Client.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	4140	Client.exe
Token: SeDebugPrivilege	3420	taskmgr.exe
Token: SeSystemProfilePrivilege	3420	taskmgr.exe
Token: SeCreateGlobalPrivilege	3420	taskmgr.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	4564	Client.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1256	Client.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	3944	Client.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	64	Client.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	3716	Client.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: 33	3420	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3420	taskmgr.exe
Token: SeDebugPrivilege	1752	Client.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4948	Client.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	4360	Client.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	3628	Client.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	4292	Client.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe
3420	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1108	Client.exe
3108	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 4008	684	Venom RAT + HVNC + Stealer + Grabber.exe	86
PID 684 wrote to memory of 4008	684	Venom RAT + HVNC + Stealer + Grabber.exe	86
PID 684 wrote to memory of 2040	684	Venom RAT + HVNC + Stealer + Grabber.exe	87
PID 684 wrote to memory of 2040	684	Venom RAT + HVNC + Stealer + Grabber.exe	87
PID 2040 wrote to memory of 2368	2040	Microsoft Update.exe	88
PID 2040 wrote to memory of 2368	2040	Microsoft Update.exe	88
PID 4008 wrote to memory of 212	4008	Venom RAT + HVNC + Stealer + Grabber.exe	89
PID 4008 wrote to memory of 212	4008	Venom RAT + HVNC + Stealer + Grabber.exe	89
PID 4008 wrote to memory of 220	4008	Venom RAT + HVNC + Stealer + Grabber.exe	90
PID 4008 wrote to memory of 220	4008	Venom RAT + HVNC + Stealer + Grabber.exe	90
PID 2040 wrote to memory of 5064	2040	Microsoft Update.exe	92
PID 2040 wrote to memory of 5064	2040	Microsoft Update.exe	92
PID 220 wrote to memory of 64	220	Microsoft Update.exe	93
PID 220 wrote to memory of 64	220	Microsoft Update.exe	93
PID 212 wrote to memory of 1824	212	Venom RAT + HVNC + Stealer + Grabber.exe	95
PID 212 wrote to memory of 1824	212	Venom RAT + HVNC + Stealer + Grabber.exe	95
PID 212 wrote to memory of 4072	212	Venom RAT + HVNC + Stealer + Grabber.exe	96
PID 212 wrote to memory of 4072	212	Venom RAT + HVNC + Stealer + Grabber.exe	96
PID 220 wrote to memory of 400	220	Microsoft Update.exe	97
PID 220 wrote to memory of 400	220	Microsoft Update.exe	97
PID 4072 wrote to memory of 3540	4072	Microsoft Update.exe	98
PID 4072 wrote to memory of 3540	4072	Microsoft Update.exe	98
PID 1824 wrote to memory of 3716	1824	Venom RAT + HVNC + Stealer + Grabber.exe	100
PID 1824 wrote to memory of 3716	1824	Venom RAT + HVNC + Stealer + Grabber.exe	100
PID 1824 wrote to memory of 1464	1824	Venom RAT + HVNC + Stealer + Grabber.exe	101
PID 1824 wrote to memory of 1464	1824	Venom RAT + HVNC + Stealer + Grabber.exe	101
PID 5064 wrote to memory of 2636	5064	Client.exe	102
PID 5064 wrote to memory of 2636	5064	Client.exe	102
PID 5064 wrote to memory of 4520	5064	Client.exe	103
PID 5064 wrote to memory of 4520	5064	Client.exe	103
PID 4520 wrote to memory of 1412	4520	cmd.exe	106
PID 4520 wrote to memory of 1412	4520	cmd.exe	106
PID 2636 wrote to memory of 4964	2636	cmd.exe	107
PID 2636 wrote to memory of 4964	2636	cmd.exe	107
PID 4072 wrote to memory of 1880	4072	Microsoft Update.exe	108
PID 4072 wrote to memory of 1880	4072	Microsoft Update.exe	108
PID 1880 wrote to memory of 784	1880	Client.exe	109
PID 1880 wrote to memory of 784	1880	Client.exe	109
PID 1464 wrote to memory of 2996	1464	Microsoft Update.exe	110
PID 1464 wrote to memory of 2996	1464	Microsoft Update.exe	110
PID 3716 wrote to memory of 1348	3716	Venom RAT + HVNC + Stealer + Grabber.exe	113
PID 3716 wrote to memory of 1348	3716	Venom RAT + HVNC + Stealer + Grabber.exe	113
PID 3716 wrote to memory of 2620	3716	Venom RAT + HVNC + Stealer + Grabber.exe	114
PID 3716 wrote to memory of 2620	3716	Venom RAT + HVNC + Stealer + Grabber.exe	114
PID 784 wrote to memory of 1756	784	cmd.exe	115
PID 784 wrote to memory of 1756	784	cmd.exe	115
PID 1464 wrote to memory of 2020	1464	Microsoft Update.exe	116
PID 1464 wrote to memory of 2020	1464	Microsoft Update.exe	116
PID 1880 wrote to memory of 704	1880	Client.exe	117
PID 1880 wrote to memory of 704	1880	Client.exe	117
PID 704 wrote to memory of 852	704	cmd.exe	119
PID 704 wrote to memory of 852	704	cmd.exe	119
PID 2620 wrote to memory of 5000	2620	Microsoft Update.exe	120
PID 2620 wrote to memory of 5000	2620	Microsoft Update.exe	120
PID 1348 wrote to memory of 4564	1348	Venom RAT + HVNC + Stealer + Grabber.exe	122
PID 1348 wrote to memory of 4564	1348	Venom RAT + HVNC + Stealer + Grabber.exe	122
PID 1348 wrote to memory of 4408	1348	Venom RAT + HVNC + Stealer + Grabber.exe	123
PID 1348 wrote to memory of 4408	1348	Venom RAT + HVNC + Stealer + Grabber.exe	123
PID 2620 wrote to memory of 2004	2620	Microsoft Update.exe	124
PID 2620 wrote to memory of 2004	2620	Microsoft Update.exe	124
PID 2020 wrote to memory of 2388	2020	Client.exe	125
PID 2020 wrote to memory of 2388	2020	Client.exe	125
PID 2388 wrote to memory of 436	2388	cmd.exe	127
PID 2388 wrote to memory of 436	2388	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
  "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
      "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        7⤵
        Checks computer location settings
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        8⤵
        Checks computer location settings
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        9⤵
        Checks computer location settings
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        10⤵
        Checks computer location settings
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        11⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        12⤵
        Checks computer location settings
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        13⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        14⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        15⤵
        Checks computer location settings
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        16⤵
        Checks computer location settings
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        17⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        18⤵
        Checks computer location settings
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        19⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        20⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        21⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        22⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        23⤵
        Checks computer location settings
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        24⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        25⤵
        Checks computer location settings
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        26⤵
        Checks computer location settings
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        27⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        28⤵
        Checks computer location settings
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        29⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        30⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        31⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        32⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        33⤵
        Checks computer location settings
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        34⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        35⤵
        Checks computer location settings
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        36⤵
        Checks computer location settings
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        37⤵
        Checks computer location settings
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        38⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        39⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        40⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        41⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        42⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        43⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        44⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        45⤵
        Checks computer location settings
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        46⤵
        Checks computer location settings
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        47⤵
        Checks computer location settings
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        48⤵
        Checks computer location settings
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        49⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        50⤵
        Checks computer location settings
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        51⤵
        Checks computer location settings
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        52⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        53⤵
        Checks computer location settings
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        54⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        55⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        56⤵
        Checks computer location settings
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        57⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        58⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        59⤵
        Checks computer location settings
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        60⤵
        Checks computer location settings
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        61⤵
        Checks computer location settings
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        62⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        63⤵
        Checks computer location settings
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        64⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        65⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        66⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        67⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        67⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        66⤵
        
        PID:4008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        67⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        65⤵
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        66⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        64⤵
        Checks computer location settings
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        65⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        63⤵
        Checks computer location settings
        
        PID:2040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        64⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        64⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        62⤵
        Checks computer location settings
        
        PID:5036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        63⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        61⤵
        
        PID:4224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        62⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        60⤵
        Checks computer location settings
        
        PID:4856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        61⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        59⤵
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        60⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        60⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        58⤵
        
        PID:4692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        59⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        57⤵
        
        PID:4108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        58⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        56⤵
        Checks computer location settings
        
        PID:1432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        57⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        55⤵
        Checks computer location settings
        
        PID:548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        56⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        54⤵
        
        PID:3364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        55⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        55⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        53⤵
        
        PID:2532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        54⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        52⤵
        Checks computer location settings
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        53⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        51⤵
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        52⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        50⤵
        
        PID:4308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        51⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        49⤵
        
        PID:4564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        50⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        48⤵
        Checks computer location settings
        
        PID:1408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        49⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        47⤵
        Checks computer location settings
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        48⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        46⤵
        Checks computer location settings
        
        PID:704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        47⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        45⤵
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        46⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
        47⤵
        
        PID:3212
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        48⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        44⤵
        
        PID:680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        45⤵
        Checks computer location settings
        
        PID:4724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
        46⤵
        
        PID:3680
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp213A.tmp.bat""
        46⤵
        
        PID:1364
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        47⤵
        Delays execution with timeout.exe
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
        47⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        43⤵
        Checks computer location settings
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        44⤵
        
        PID:4856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
        45⤵
        
        PID:5000
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        46⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp191C.tmp.bat""
        45⤵
        
        PID:1484
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        46⤵
        Delays execution with timeout.exe
        
        PID:804
        
        C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
        46⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        42⤵
        Checks computer location settings
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        43⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        41⤵
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        42⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        40⤵
        Checks computer location settings
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        41⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        39⤵
        
        PID:3520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        40⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        38⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        39⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        37⤵
        Checks computer location settings
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        38⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        36⤵
        Checks computer location settings
        
        PID:3432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        37⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        35⤵
        Checks computer location settings
        
        PID:944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        36⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        34⤵
        
        PID:3416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        35⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        33⤵
        Checks computer location settings
        
        PID:4840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        34⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        32⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        33⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        32⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        31⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        29⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        30⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        29⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        28⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        26⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        25⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        23⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        22⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        21⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        20⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        18⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        17⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        16⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        15⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        12⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        10⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        9⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
        10⤵
        
        PID:2040
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Client"
        10⤵
        
        PID:536
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Client"
        11⤵
        
        PID:892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEAC.tmp.bat""
        10⤵
        
        PID:2424
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        7⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
        9⤵
        
        PID:2088
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.bat""
        9⤵
        
        PID:2060
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
      - C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
        8⤵
        
        PID:4620
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF37.tmp.bat""
        8⤵
        
        PID:4484
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:4200
        
        C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
      - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC61F.tmp.bat""
        7⤵
        
        PID:4584
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:4948
        
        C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1756
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAB5.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:852
- - C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:64
  - - C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:400
- C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF0C.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1412

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Venom RAT + HVNC + Stealer + Grabber.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2744acde55ac66031f3c2bb05c328933

SHA1
6e088a0185664f0c73ab61c70cdb98270e71cfa4

SHA256
a2fdbffc4a1ca20c5e76ea0865799b48cfda2f593c6396499e968efa29e37634

SHA512
c42e709892bd3b8a81398fa43fddde8148cc135ee09e8e70270858498c63d8ff3697d779df6aff82edd9eedfa914a6b6ed0c5c8f901301b3e5d13e377fd6d90f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2356e37ccd79ba772a49888c37a84565

SHA1
a1a2fc32970d77611f4204f825e2c9c14b5b02a5

SHA256
51ee7b30e217d66218396770f94327d4ec8fb02e9199466666cad388811c6bdf

SHA512
5a9ddfa2428c70e9d5af62674002223ed07d1a2785a5a73c4124acb29f011f12c88e8175c74844958c0cd78fd8d36ad9a12bf1e202d67c545610a4aeb47152b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7189719e6df2c3dfc76197ec3f31f7a

SHA1
effd91412deadc87cc10ef76cdecc1e0b54b6d41

SHA256
1c72fa37d078b92c7e900b2e3d17c43c34d936a696a8ddf6c519f4a80308b892

SHA512
2df1f1d45844da7ffb17cdfb411f223e9c614c00f5cf7eb5ba92bf7ba174875af2a515371208286c95c0479c934ae2c6a83dfc0b54380be89db1eddd19faf978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
caae66b2d6030f85188e48e4ea3a9fa6

SHA1
108425bd97144fa0f92ff7b2109fec293d14a461

SHA256
a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d

SHA512
189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f8fe7584164edcdbe4299d351d7faa88

SHA1
cb2d2ed13ec6c9dd87eaf16b76bf164de48dca22

SHA256
d7a6457635a7c8b2614f5b0662c8e21d49813426c085158c53d5073d8bd1e1bf

SHA512
f3a7d1b1cfe5832d8dc72a903bfedbb1de08a4ca894c51810753b382da75d6cb4704d1eaaf5e0eb660604951909682c6ae18273452f04f4ba6a3e1407237613b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
144KB

MD5
735308830d5d034971c6010708d8e86a

SHA1
7e6b2ad74f5b3f94c01bd0b12641a009f503fefa

SHA256
103b6e19cf47fe2f3e28f1ad2a12ddcf34287d30e0e887f9907086de379864de

SHA512
bb51f8b1166af8a827bc6559710329938b07f1663ee7fadd782f56913c51719de65b028371d64f063e970ede14b857bcddd24f7f60c56aa7899a74a338f7c3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe

Filesize
163KB

MD5
39ec49dbf7fb74a21606065f713cd881

SHA1
9ddaedd9c820b2fad1534a65bed5d61611838468

SHA256
b834c4796e9073fcf3e9eccfa7034b26fc0ea94783ce111221a6b44f9e015e14

SHA512
12d24d9a79b882d4d54e42eca8673c6d78de7e6800d77ea5535deeeafa7448c0525bba767e69c1755dd36258724d7d583d121b0e9e97590925d5772f59e2f96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vahm1kko.kcr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF0C.tmp.bat

Filesize
160B

MD5
dec4dc9352c55f35d60c8502d7e7ef89

SHA1
98e192ca4370a52c910767cb18850034a3bb7960

SHA256
631d9902ef58b34dfc4e50d8495c30268a97f00b19c74ede21ad63d4d472f341

SHA512
ff22c9b6d1ce96971c3f334a379217ea8eb56325eaca49b2748ba7d3841f2add2a65a652aa299c65cdffb17e587b400e053a237d57b8680b3ffe7b8524b67437

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAB5.tmp.bat

Filesize
160B

MD5
d9063f7b5cb24a65d8651070dfa87052

SHA1
de8bc79593d42eba95168030a5a51156e4d36ead

SHA256
46fc2ee79f94d267cbb9d6cae55394d8f78d05c8fec3e2f49f19ae6debd6e496

SHA512
07539b4ffcd21d4a8cb4f7c80851c0471ec6c755d5586457dd6b6df9b4e2a54282b0eb7c90125b41f1cdf36f9fac77270024aebae1138d62a8b8e24e42c83934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC61F.tmp.bat

Filesize
160B

MD5
531d9851f396d923d1f880108dc8df5a

SHA1
d84686b272e66d188f424fdbd3bf07b9bff4db89

SHA256
f66098796c469e58b9b89e894c67e363561ae5a5b0dffbe5b2ff31c12c2c66d2

SHA512
db3316a4763a5ad93717854301e1ad7b2da2c8457bc2bf4954fce2cbc5d319c696a66c896e90c7118865b98bb9c7dee560c4bbd7d951b76372ac6438706872eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF37.tmp.bat

Filesize
160B

MD5
bdd43de5046eb679530e0458792621e1

SHA1
2220b2d85231aba5c8cae6d578c1c85370c56e91

SHA256
74b974b4e980ad96a6e2b4b1ef41baee8529e546997f34196e5ef8be5f558599

SHA512
af957560b687bdeafdb5b1a6f868d3b6e39667e585db67344cee57a0ec3650c386e00382965d0fbc68eda8f7186b4200f5851044a66b7edb46da16d5a78936ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.bat

Filesize
160B

MD5
3c8f5c865e5f9d3d4219cb37d1315303

SHA1
e478652dcd4311c3fc95600ebcdfee687ea4e70a

SHA256
8590eebc0e1900fd079c3826fd2d7c5838d790959d783942e7a6b19a5957d865

SHA512
a0c2513f1ebb9725707ad45fc9ea2e8f872d903d8553702528f299ef5e04f83a82dbce03cf48df0476bf71b2f73d968f577b07b843d9131de5524cc279db6be9

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/412-333-0x000001BEC1680000-0x000001BEC189C000-memory.dmp

Filesize
2.1MB

Download
memory/680-311-0x000001B1ED3E0000-0x000001B1ED5FC000-memory.dmp

Filesize
2.1MB

Download
memory/684-1-0x0000000000630000-0x0000000000CFE000-memory.dmp

Filesize
6.8MB

Download
memory/684-0-0x00007FFDB43D3000-0x00007FFDB43D5000-memory.dmp

Filesize
8KB

Download
memory/684-2-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

Filesize
10.8MB

Download
memory/684-18-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

Filesize
10.8MB

Download
memory/1108-240-0x000000001B860000-0x000000001B87E000-memory.dmp

Filesize
120KB

Download
memory/1108-565-0x000000001BF30000-0x000000001BF96000-memory.dmp

Filesize
408KB

Download
memory/1108-238-0x000000001CB30000-0x000000001CBA6000-memory.dmp

Filesize
472KB

Download
memory/1108-239-0x000000001B6A0000-0x000000001B6B0000-memory.dmp

Filesize
64KB

Download
memory/1956-354-0x0000025CC8300000-0x0000025CC851C000-memory.dmp

Filesize
2.1MB

Download
memory/2040-16-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

Filesize
10.8MB

Download
memory/2040-17-0x0000000000B10000-0x0000000000B3E000-memory.dmp

Filesize
184KB

Download
memory/2040-47-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

Filesize
10.8MB

Download
memory/2368-23-0x0000028E30DB0000-0x0000028E30DD2000-memory.dmp

Filesize
136KB

Download
memory/3068-322-0x00000286B92B0000-0x00000286B94CC000-memory.dmp

Filesize
2.1MB

Download
memory/3420-279-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/3420-287-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/3420-290-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/3420-289-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/3420-288-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/3420-286-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/3420-284-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/3420-280-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/3420-285-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/3420-278-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

Filesize
4KB

Download
memory/4008-22-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

Filesize
10.8MB

Download
memory/4008-19-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

Filesize
10.8MB

Download
memory/4008-15-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

Filesize
10.8MB

Download
memory/5064-48-0x0000000000E60000-0x0000000000E8A000-memory.dmp

Filesize
168KB

Download